Changes before error encountered

Co-authored-by: spantaleev <388669+spantaleev@users.noreply.github.com>
Make exim-relay benefits section more concise
2026-04-02 21:04:50 +03:00 · 2026-02-26 02:42:07 +00:00 · 2026-02-26 02:41:56 +00:00 · 2026-02-25 20:33:41 +00:00 · 2026-02-25 20:31:28 +00:00
124 changed files with 791 additions and 2721 deletions
--- a/.codespellrc
+++ b/.codespellrc
@@ -1,2 +1,2 @@
 [codespell]
-ignore-words-list = aNULL,brose,doub,Udo,re-use,re-used,registr,shema,commet,Commet
+ignore-words-list = aNULL,brose,doub,Udo,re-use,re-used,registr,shema
--- a/.github/workflows/matrix.yml
+++ b/.github/workflows/matrix.yml
@@ -9,37 +9,34 @@ name: Matrix CI
 on: [push, pull_request]  # yamllint disable-line rule:truthy
 permissions:
  contents: read
 jobs:
-  prek:
+  yamllint:
-    name: Run prek hooks
+    name: yamllint
    runs-on: ubuntu-latest
    steps:
      - name: Check out
        uses: actions/checkout@v6
      - name: Run yamllint
        uses: frenck/action-yamllint@v1.5.0
  ansible-lint:
    name: ansible-lint
    runs-on: ubuntu-latest
    container:
      image: docker.io/archlinux:base-devel
    steps:
      # git must be installed before checkout so it does a proper clone
      # (with .git directory) instead of a tarball download.
      - name: Install git
        run: pacman -Sy --noconfirm git
      - name: Check out
        uses: actions/checkout@v6
-      - name: Restore prek cache
+      - name: Run ansible-lint
-        uses: actions/cache@v5
+        uses: ansible/ansible-lint@v26.1.1
        with:
-          path: var/prek
+          args: "roles/custom"
-          key: arch-prek-v1-${{ hashFiles('.pre-commit-config.yaml') }}
+          setup_python: "true"
-
+          working_directory: ""
-      - name: Install dependencies
+          requirements_file: requirements.yml
-        run: pacman -S --noconfirm --needed just mise python
+  precommit:
-
+    name: Run pre-commit
-      - name: Run prek hooks
+    runs-on: ubuntu-latest
-        run: |
+    steps:
-          # The checkout action sets safe.directory using its own bundled
+      - name: Checkout code
-          # git, which is separate from the pacman-installed git that prek uses.
+        uses: actions/checkout@v6
-          git config --global --add safe.directory "$GITHUB_WORKSPACE"
+      - name: Run pre-commit
-          just prek-run-on-all
+        uses: pre-commit/action@v3.0.1
--- a/.gitignore
+++ b/.gitignore
@@ -4,7 +4,6 @@
 .python-version
 .idea/
 .direnv/
 /var/
 # ignore roles pulled by ansible-galaxy
 /roles/galaxy/*
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,21 +1,22 @@
 ---
 default_install_hook_types: [pre-push]
-exclude: "^(LICENSES/|var/)"
+exclude: "LICENSES/"
 # See: https://pre-commit.com/hooks.html
 repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v6.0.0
    hooks:
      # - id: check-executables-have-shebangs
      - id: check-added-large-files
      - id: check-case-conflict
      - id: check-json
      - id: check-shebang-scripts-are-executable
      - id: check-toml
      - id: trailing-whitespace
      - id: end-of-file-fixer
  - repo: https://github.com/codespell-project/codespell
-    rev: v2.4.2
+    rev: v2.4.1
    hooks:
      - id: codespell
        args: ["--skip=*.po,*.pot,i18n/"]
@@ -23,18 +24,3 @@ repos:
    rev: v6.2.0
    hooks:
      - id: reuse
  - repo: https://github.com/ansible/ansible-lint
    rev: v26.4.0
    hooks:
      - id: ansible-lint
        files: '^roles/custom/'
        args: ['roles/custom']
        pass_filenames: false
  - repo: local
    hooks:
      - id: check-examples-vars-migration-version
        name: Check examples/vars.yml migration version matches expected
        entry: bin/check-examples-vars-migration-version.sh
        language: script
        files: '(examples/vars\.yml|roles/custom/matrix_playbook_migration/defaults/main\.yml)'
        pass_filenames: false
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,96 +1,3 @@
 # 2026-03-23
 ## Migration validation system introduced
 Previously, when updating your setup, you had to remember to read the [CHANGELOG](CHANGELOG.md) file or risk breakage.
 Now, the playbook includes a migration validation system that ensures you're aware of breaking changes before they affect your deployment.
 You're now forced to acknowledge each breaking change, unless you wish to live dangerously (see below).
 A new `matrix_playbook_migration_validated_version` variable has been introduced.
 **New users** who started from the [example `vars.yml`](examples/vars.yml) file already have this variable set and do not need to do anything.
 **Existing users** will need to add the following to their `vars.yml` file after reviewing all changelog entries up to now:
 ```yml
 matrix_playbook_migration_validated_version: v2026.03.23.0
 ```
 Going forward, whenever a breaking change is introduced the playbook will:
 - bump its expected version value (`matrix_playbook_migration_expected_version`), causing a discrepancy with what you validated (`matrix_playbook_migration_validated_version`)
 - fail when you run it with a helpful message listing what changed and linking to the relevant changelog entries
 After reviewing and adapting your setup, you simply update the variable to the new version.
 If you'd like to live dangerously and skip these checks (not recommended), you can set this once and be done with it:
 ```yml
 matrix_playbook_migration_validated_version: "{{ matrix_playbook_migration_expected_version }}"
 ```
 # 2026-03-19
 ## Matrix Authentication Service now prefers UNIX sockets for playbook-managed Postgres
 When [Matrix Authentication Service](docs/configuring-playbook-matrix-authentication-service.md) (MAS) uses the playbook-managed Postgres service, it now connects to it via a [UNIX socket](https://en.wikipedia.org/wiki/Unix_domain_socket) by default instead of TCP.
 This follows the same approach [applied to Synapse](#synapse-now-prefers-unix-sockets-for-playbook-managed-postgres-and-valkey) and reduces unnecessary container-network wiring, keeping local IPC off the network stack.
 If you use an external Postgres server for MAS, this does not change your setup.
 If you'd like to keep the previous TCP-based behavior, add the following configuration to your `vars.yml`:
 ```yaml
 matrix_authentication_service_config_database_socket_enabled: false
 ```
 # 2026-03-17
 ## Synapse now prefers UNIX sockets for playbook-managed Postgres and Valkey
 When Synapse uses the playbook-managed Postgres and Valkey services, it now connects to them via [UNIX sockets](https://en.wikipedia.org/wiki/Unix_domain_socket) by default instead of TCP.
 This reduces unnecessary container-network wiring and keeps local IPC off the network stack, which is a bit simpler and slightly more secure.
 If you use an external Postgres server or external Redis/Valkey for Synapse, this does not change your setup.
 If you'd like to keep the previous TCP-based behavior, add the following configuration to your `vars.yml`:
 ```yaml
 matrix_synapse_database_socket_enabled: false
 matrix_synapse_redis_path_enabled: false
 ```
 # 2026-03-01
 ## (Potential BC Break) Synapse S3 media prefix is now applied consistently
 The `matrix_synapse_ext_synapse_s3_storage_provider_config_prefix` variable is now wired consistently for both:
 - the Synapse `s3_storage_provider` module configuration
 - the `matrix-synapse-s3-storage-provider-migrate` migration script (`s3_media_upload --prefix`)
 Previously, this variable could be set, but was not effectively applied by either of these paths.
 **Affects**: users of [synapse-s3-storage-provider](docs/configuring-playbook-synapse-s3-storage-provider.md) who have configured a non-empty `matrix_synapse_ext_synapse_s3_storage_provider_config_prefix` value.
 If your bucket data was uploaded without the prefix before this fix, enabling proper prefix usage can make existing objects appear missing until data is migrated/copied to the prefixed key namespace.
 # 2026-02-26
 ## Internal refactor: merged the Synapse reverse-proxy companion role into `matrix-synapse`
 The standalone `matrix-synapse-reverse-proxy-companion` role has been merged into the [matrix-synapse](roles/custom/matrix-synapse/) role.
 This is not a user-facing change and does not change variable names (`matrix_synapse_reverse_proxy_companion_*` remain the same). The split looked clean on paper, but in practice both parts are tightly coupled through worker routing, tags (`setup-synapse`/`install-synapse`), and lifecycle ordering, so keeping them separate added coordination overhead with little practical benefit.
 Compatibility note: existing companion-specific tags (`setup-synapse-reverse-proxy-companion` and `install-synapse-reverse-proxy-companion`) are still available.
 With this change, Synapse and its reverse-proxy companion are managed in one role (`matrix-synapse`) while still keeping companion logic in dedicated task/template subdirectories for maintainability.
 # 2026-02-21
 ## (BC Break) coturn is no longer auto-enabled by default
--- a/README.md
+++ b/README.md
@@ -64,7 +64,6 @@ Web clients for Matrix that you can host on your own domains.
 | [Element Web](https://github.com/element-hq/element-web) | ✅ | Default Matrix web client, configured to connect to your own Synapse server | [Link](docs/configuring-playbook-client-element-web.md) |
 | [Hydrogen](https://github.com/element-hq/hydrogen-web) | ❌ | Lightweight Matrix client with legacy and mobile browser support | [Link](docs/configuring-playbook-client-hydrogen.md) |
 | [Cinny](https://github.com/ajbura/cinny) |  ❌ | Simple, elegant and secure web client | [Link](docs/configuring-playbook-client-cinny.md) |
 | [Sable](https://github.com/7w1/sable) | ❌ | Simple, elegant and secure web client | [Link](docs/configuring-playbook-client-sable.md) |
 | [SchildiChat Web](https://schildi.chat/) | ❌ | Based on Element Web, with a more traditional instant messaging experience | [Link](docs/configuring-playbook-client-schildichat-web.md) |
 | [FluffyChat Web](https://fluffychat.im/) | ❌ | The cutest messenger in Matrix | [Link](docs/configuring-playbook-client-fluffychat-web.md) |
@@ -75,12 +74,13 @@ Services that run on the server to make the various parts of your installation w
 | Name | Default? | Description | Documentation |
 | ---- | -------- | ----------- | ------------- |
 | [PostgreSQL](https://www.postgresql.org/)| ✅ | Database for Synapse. [Using an external PostgreSQL server](docs/configuring-playbook-external-postgres.md) is also possible. | [Link](docs/configuring-playbook-external-postgres.md) |
 | [coturn](https://github.com/coturn/coturn) | ❌ | STUN/TURN server for WebRTC audio/video calls | [Link](docs/configuring-playbook-turn.md) |
 | [Traefik](https://doc.traefik.io/traefik/) | ✅ | Web server, listening on ports 80, 443 and 8448 - standing in front of all the other services. [Using your own webserver](docs/configuring-playbook-own-webserver.md) is also possible. | [Link](docs/configuring-playbook-traefik.md) |
 | [Let's Encrypt](https://letsencrypt.org/) | ✅ | Free SSL certificate, which secures the connection to all components | [Link](docs/configuring-playbook-ssl-certificates.md) |
 | [Exim](https://www.exim.org/) | ✅ | Mail server, through which all Matrix services send outgoing email (can be configured to relay through another SMTP server) | [Link](docs/configuring-playbook-email.md) |
 | [coturn](https://github.com/coturn/coturn) | ❌ | STUN/TURN server for WebRTC audio/video calls | [Link](docs/configuring-playbook-turn.md) |
 | [ddclient](https://github.com/linuxserver/docker-ddclient) | ❌ | Dynamic DNS | [Link](docs/configuring-playbook-dynamic-dns.md) |
-| Matrix RTC stack | ❌ | Supporting components ([LiveKit Server](docs/configuring-playbook-livekit-server.md) and [LiveKit JWT Service](docs/configuring-playbook-livekit-jwt-service.md)) for in-app audio/video calls for Matrix clients | [Link](docs/configuring-playbook-matrix-rtc.md) |
+| [LiveKit Server](https://github.com/livekit/livekit) | ❌ | WebRTC server for audio/video calls | [Link](docs/configuring-playbook-livekit-server.md) |
 | [Livekit JWT Service](https://github.com/livekit/livekit-jwt-service) | ❌ | JWT service for integrating [Element Call](./configuring-playbook-element-call.md) with [LiveKit Server](./configuring-playbook-livekit-server.md) | [Link](docs/configuring-playbook-livekit-jwt-service.md) |
 ### Authentication
--- a/bin/check-examples-vars-migration-version.sh
+++ b/bin/check-examples-vars-migration-version.sh
@@ -1,35 +0,0 @@
 #!/bin/bash
 # SPDX-FileCopyrightText: 2026 Slavi Pantaleev
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 # Ensures that the migration validated version in examples/vars.yml
 # matches the expected version in the matrix_playbook_migration role defaults.
 set -euo pipefail
 defaults_file="roles/custom/matrix_playbook_migration/defaults/main.yml"
 examples_file="examples/vars.yml"
 expected_version=$(grep -oP '^matrix_playbook_migration_expected_version:\s*"?\K[^"]+' "$defaults_file")
 examples_version=$(grep -oP '^matrix_playbook_migration_validated_version:\s*"?\K[^"]+' "$examples_file")
 if [ -z "$expected_version" ]; then
 	echo "ERROR: Could not extract matrix_playbook_migration_expected_version from $defaults_file"
 	exit 1
 fi
 if [ -z "$examples_version" ]; then
 	echo "ERROR: Could not extract matrix_playbook_migration_validated_version from $examples_file"
 	exit 1
 fi
 if [ "$expected_version" != "$examples_version" ]; then
 	echo "ERROR: Migration version mismatch!"
 	echo "  $defaults_file has expected version: $expected_version"
 	echo "  $examples_file has validated version: $examples_version"
 	echo ""
 	echo "Please update $examples_file to match."
 	exit 1
 fi
--- a/bin/rebuild-mautrix-meta-instagram.sh
+++ b/bin/rebuild-mautrix-meta-instagram.sh
--- a/docs/configuring-playbook-bot-baibot.md
+++ b/docs/configuring-playbook-bot-baibot.md
@@ -39,35 +39,16 @@ Depending on your current `vars.yml` file and desired configuration, **you may r
 To enable the bot, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:
 Authentication can be configured in one of two mutually-exclusive ways:
 - **Password authentication** (`matrix_bot_baibot_config_user_password`) - recommended for most playbook-managed setups, because it integrates with automatic user creation flow used by the playbook, and auto-creates the bot account
 - **Access-token authentication** (`matrix_bot_baibot_config_user_access_token` + `matrix_bot_baibot_config_user_device_id`) - useful for specific [Matrix Authentication Service](configuring-playbook-matrix-authentication-service.md)/OIDC setups where password authentication is not available or not desired
 Even when [Matrix Authentication Service](configuring-playbook-matrix-authentication-service.md) is enabled, password authentication is still typically the best fit for baibot if you're using a playbook-managed bot account.
 For upstream details, see baibot's [🔐 Authentication](https://github.com/etkecc/baibot/blob/main/docs/configuration/authentication.md) documentation.
 ```yaml
 matrix_bot_baibot_enabled: true
 # Uncomment and adjust this part if you'd like to use a username different than the default
 # matrix_bot_baibot_config_user_mxid_localpart: baibot
 # Authentication mode (choose exactly one):
 #
 # 1) Password authentication (recommended for most setups)
 # Generate a strong password for the bot. You can create one with a command like `pwgen -s 64 1`.
 # If you'd like to change this password subsequently, see the details below.
 matrix_bot_baibot_config_user_password: 'PASSWORD_FOR_THE_BOT'
 # 2) Access-token authentication (for MAS/OIDC-enabled homeservers)
 # matrix_bot_baibot_config_user_access_token: 'YOUR_MAS_COMPATIBILITY_TOKEN_HERE'
 # matrix_bot_baibot_config_user_device_id: 'BAIBOT'
 #
 # You can generate a compatibility token for MAS with:
 # mas-cli manage issue-compatibility-token <username> [device_id]
 # An optional passphrase to use for backing up and recovering the bot's encryption keys.
 # You can create one with a command like `pwgen -s 64 1`.
 #
@@ -406,15 +387,13 @@ ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,ensure-matrix-use
 **Notes**:
- The `ensure-matrix-users-created` playbook tag makes the playbook automatically create the bot's user account when password authentication is used.
+- The `ensure-matrix-users-created` playbook tag makes the playbook automatically create the bot's user account.
 - If you're using access-token authentication, the bot account must already exist and the configured token + device ID must match that account. This mode is mainly for MAS/OIDC setups where password-based bot login is not suitable.
 - The shortcut commands with the [`just` program](just.md) are also available: `just install-all` or `just setup-all`
  `just install-all` is useful for maintaining your setup quickly ([2x-5x faster](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) than `just setup-all`) when its components remain unchanged. If you adjust your `vars.yml` to remove other components, you'd need to run `just setup-all`, or these components will still remain installed.
- If you change the bot password (`matrix_bot_baibot_config_user_password` in your `vars.yml` file) subsequently, the bot user's credentials on the homeserver won't be updated automatically. If you'd like to change the bot user's password, use a tool like [synapse-admin](configuring-playbook-synapse-admin.md) to change it, and then update `matrix_bot_baibot_config_user_password` to let the bot know its new password. (This note applies to password authentication mode.)
+- If you change the bot password (`matrix_bot_baibot_config_user_password` in your `vars.yml` file) subsequently, the bot user's credentials on the homeserver won't be updated automatically. If you'd like to change the bot user's password, use a tool like [synapse-admin](configuring-playbook-synapse-admin.md) to change it, and then update `matrix_bot_baibot_config_user_password` to let the bot know its new password.
 ## Usage
--- a/docs/configuring-playbook-client-sable.md
+++ b/docs/configuring-playbook-client-sable.md
@@ -1,71 +0,0 @@
 <!--
 SPDX-FileCopyrightText: 2022 MDAD project contributors
 SPDX-FileCopyrightText: 2024 - 2025 Suguru Hirahara
 SPDX-FileCopyrightText: 2024 - 2026 Slavi Pantaleev
 SPDX-License-Identifier: AGPL-3.0-or-later
 -->
 # Setting up Sable (optional)
 The playbook can install and configure the [Sable](https://github.com/7w1/sable) Matrix web client for you.
 Sable is a web client focusing primarily on simple, elegant and secure interface. It can be installed alongside or instead of [Element Web](./configuring-playbook-client-element-web.md), [Cinny](./configuring-playbook-client-cinny.md) and others.
 ## Adjusting DNS records
 By default, this playbook installs Sable on the `sable.` subdomain (`sable.example.com`) and requires you to create a CNAME record for `sable`, which targets `matrix.example.com`.
 When setting, replace `example.com` with your own.
 ## Adjusting the playbook configuration
 To enable Sable, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:
 ```yaml
 sable_enabled: true
 ```
 ### Adjusting the Sable URL (optional)
 By tweaking the `sable_hostname` variable, you can easily make the service available at a **different hostname** than the default one.
 Example additional configuration for your `vars.yml` file:
 ```yaml
 # Switch to a different domain (`app.example.com`) than the default one (`sable.example.com`)
 sable_hostname: "app.{{ matrix_domain }}"
 # Expose under the /sable subpath
 # sable_path_prefix: /sable
 ```
 After changing the domain, **you may need to adjust your DNS** records to point the Sable domain to the Matrix server.
 **Note**: while there is a `sable_path_prefix` variable for changing the path where Sable is served, overriding it is [not possible](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/3701), because Sable requires an application rebuild (with a tweaked build config) to be functional under a custom path. You'd need to serve Sable at a dedicated subdomain.
 ### Extending the configuration
 There are some additional things you may wish to configure about the component.
 Take a look at:
 - `roles/galaxy/sable/defaults/main.yml` for some variables that you can customize via your `vars.yml` file
 - `roles/galaxy/sable/templates/config.json.j2` for the component's default configuration. You can override settings (even those that don't have dedicated playbook variables) using the `sable_configuration_extension_json` variable
 ## Installing
 After configuring the playbook and [adjusting your DNS records](#adjusting-dns-records), run the playbook with [playbook tags](playbook-tags.md) as below:
 <!-- NOTE: let this conservative command run (instead of install-all) to make it clear that failure of the command means something is clearly broken. -->
 ```sh
 ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
 ```
 The shortcut commands with the [`just` program](just.md) are also available: `just install-all` or `just setup-all`
 `just install-all` is useful for maintaining your setup quickly ([2x-5x faster](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) than `just setup-all`) when its components remain unchanged. If you adjust your `vars.yml` to remove other components, you'd need to run `just setup-all`, or these components will still remain installed. Note these shortcuts run the `ensure-matrix-users-created` tag too.
 ## Troubleshooting
 As with all other services, you can find the logs in [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) by logging in to the server with SSH and running `journalctl -fu matrix-client-sable`.
--- a/docs/configuring-playbook-livekit-server.md
+++ b/docs/configuring-playbook-livekit-server.md
@@ -15,7 +15,7 @@ LiveKit Server is an open source project that provides scalable, multi-user conf
 The [Ansible role for LiveKit Server](https://github.com/mother-of-all-self-hosting/ansible-role-livekit-server) is developed and maintained by [the MASH (mother-of-all-self-hosting) project](https://github.com/mother-of-all-self-hosting). For details about configuring LiveKit Server, you can check them via:
 - 🌐 [the role's documentation at the MASH project](https://github.com/mother-of-all-self-hosting/ansible-role-livekit-server/blob/main/docs/configuring-livekit-server.md) online
- 📁 `roles/galaxy/livekit_server/docs/configuring-livekit-server.md` locally, if you have [fetched the Ansible roles](installing.md#update-ansible-roles)
+- 📁 `roles/galaxy/livekit-server/docs/configuring-livekit-server.md` locally, if you have [fetched the Ansible roles](installing.md#update-ansible-roles)
 ## Adjusting firewall rules
@@ -29,9 +29,7 @@ To ensure LiveKit Server functions correctly, the following firewall rules and p
 - `5350/tcp`: TURN/TCP. Also see the [Limitations](#limitations) section below.
- `30000-30020/udp`: TURN relay range used by LiveKit's embedded TURN server.
+💡 The suggestions above are inspired by the upstream [Ports and Firewall](https://docs.livekit.io/home/self-hosting/ports-firewall/) documentation based on how LiveKit is configured in the playbook. If you've using custom configuration for the LiveKit Server role, you may need to adjust the firewall rules accordingly.
 💡 The suggestions above are inspired by the upstream [Ports and Firewall](https://docs.livekit.io/home/self-hosting/ports-firewall/) documentation based on how LiveKit is configured in the playbook. If you're using custom configuration for the LiveKit Server role, you may need to adjust firewall rules accordingly.
 ## TURN TLS handling
--- a/docs/configuring-playbook-matrix-authentication-service.md
+++ b/docs/configuring-playbook-matrix-authentication-service.md
@@ -398,8 +398,6 @@ To perform a real migration, run the `matrix-authentication-service-mas-cli-syn2
 just run-tags matrix-authentication-service-mas-cli-syn2mas
 ```
 After `syn2mas` completes, Synapse will intentionally remain stopped to avoid new registrations or other authentication changes from being accepted before the migration is completed. Continue with the next steps in this guide before re-running the installation.
 Having performed a `syn2mas` migration once, trying to do it again will report errors (e.g. "Error: The MAS database is not empty: rows found in at least `users`. Please drop and recreate the database, then try again.").
 ## Verify that Matrix Authentication Service is installed correctly
--- a/docs/configuring-playbook-matrix-rtc.md
+++ b/docs/configuring-playbook-matrix-rtc.md
@@ -17,8 +17,8 @@ The Matrix RTC stack is a set of supporting components ([LiveKit Server](configu
 - A [Synapse](configuring-playbook-synapse.md) homeserver (see the warning below)
 - Various experimental features for the Synapse homeserver which Element Call [requires](https://github.com/element-hq/element-call/blob/93ae2aed9841e0b066d515c56bd4c122d2b591b2/docs/self-hosting.md#a-matrix-homeserver) (automatically done when Element Call is enabled)
- A [LiveKit Server](configuring-playbook-livekit-server.md) (automatically installed when [Element Call or the Matrix RTC stack is enabled](configuring-playbook-element-call.md#decide-between-element-call-vs-just-the-matrix-rtc-stack))
+- A [LiveKit Server](configuring-playbook-livekit-server.md) (automatically installed when [Element Call or the Matrix RTC stack is enabled](#decide-between-element-call-vs-just-the-matrix-rtc-stack))
- The [LiveKit JWT Service](configuring-playbook-livekit-jwt-service.md) (automatically installed when [Element Call or the Matrix RTC stack is enabled](configuring-playbook-element-call.md#decide-between-element-call-vs-just-the-matrix-rtc-stack))
+- The [LiveKit JWT Service](configuring-playbook-livekit-jwt-service.md) (automatically installed when [Element Call or the Matrix RTC stack is enabled](#decide-between-element-call-vs-just-the-matrix-rtc-stack))
 - A client compatible with Element Call. As of 2025-03-15, that's just [Element Web](configuring-playbook-client-element-web.md) and the Element X mobile clients (iOS and Android).
 > [!WARNING]
--- a/docs/configuring-playbook-prometheus-grafana.md
+++ b/docs/configuring-playbook-prometheus-grafana.md
@@ -178,11 +178,11 @@ Name | Description
 `matrix_metrics_exposure_http_basic_auth_enabled`|Set this to `true` to protect all `https://matrix.example.com/metrics/*` endpoints with [Basic Authentication](https://en.wikipedia.org/wiki/Basic_access_authentication) (see the other variables below for supplying the actual credentials).
 `matrix_metrics_exposure_http_basic_auth_users`|Set this to the Basic Authentication credentials (raw `htpasswd` file content) used to protect `/metrics/*`. This htpasswd-file needs to be generated with the `htpasswd` tool and can include multiple username/password pairs.
 `prometheus_node_exporter_enabled`|Set this to `true` to enable the node (general system stats) exporter (locally, on the container network).
-`prometheus_node_exporter_container_labels_metrics_enabled`|Set this to `true` to expose the node (general system stats) metrics on `https://matrix.example.com/metrics/node-exporter`.
+`prometheus_node_exporter_container_labels_traefik_enabled`|Set this to `true` to expose the node (general system stats) metrics on `https://matrix.example.com/metrics/node-exporter`.
 `prometheus_postgres_exporter_enabled`|Set this to `true` to enable the [Postgres exporter](#enable-metrics-and-graphs-for-postgres-optional) (locally, on the container network).
-`prometheus_postgres_exporter_container_labels_metrics_enabled`|Set this to `true` to expose the [Postgres exporter](#enable-metrics-and-graphs-for-postgres-optional) metrics on `https://matrix.example.com/metrics/postgres-exporter`.
+`prometheus_postgres_exporter_container_labels_traefik_enabled`|Set this to `true` to expose the [Postgres exporter](#enable-metrics-and-graphs-for-postgres-optional) metrics on `https://matrix.example.com/metrics/postgres-exporter`.
 `prometheus_nginxlog_exporter_enabled`|Set this to `true` to enable the [prometheus-nginxlog-exporter](#enable-metrics-and-graphs-for-nginx-logs-optional) (locally, on the container network).
-`prometheus_nginxlog_exporter_container_labels_metrics_enabled`|Set this to `true` to expose the [prometheus-nginxlog-exporter](#enable-metrics-and-graphs-for-nginx-logs-optional) metrics on `https://matrix.example.com/metrics/nginxlog`.
+`prometheus_nginxlog_exporter_container_labels_traefik_enabled`|Set this to `true` to expose the [prometheus-nginxlog-exporter](#enable-metrics-and-graphs-for-nginx-logs-optional) metrics on `https://matrix.example.com/metrics/nginxlog`.
 ### Expose metrics of other services/roles
--- a/docs/configuring-playbook-synapse-s3-storage-provider.md
+++ b/docs/configuring-playbook-synapse-s3-storage-provider.md
@@ -177,8 +177,6 @@ By default, we periodically ensure that all local files are uploaded to S3 and a
 - … invoked via the `matrix-synapse-s3-storage-provider-migrate.service` service
 - … triggered by the `matrix-synapse-s3-storage-provider-migrate.timer` timer, every day at 05:00
 The same `migrate` script also prunes empty directories in the local media repository (`remote_content` and `remote_thumbnail`) after upload/delete operations.
 So… you don't need to perform any maintenance yourself.
 The schedule is defined in the format of systemd timer calendar. To edit the schedule, add the following configuration to your `vars.yml` file (adapt to your needs):
--- a/docs/configuring-playbook-synapse.md
+++ b/docs/configuring-playbook-synapse.md
@@ -76,7 +76,7 @@ The only thing you **cannot** do is mix [generic workers](#generic-workers) and
 When Synapse workers are enabled, the integrated [Postgres database is tuned](maintenance-postgres.md#tuning-postgresql), so that the maximum number of Postgres connections are increased from `200` to `500`. If you need to decrease or increase the number of maximum Postgres connections further, use the `postgres_max_connections` variable.
-The `matrix-synapse` role also manages the `matrix-synapse-reverse-proxy-companion` component for load-balancing with workers. This component is automatically enabled when you enable workers. Make sure to use the `setup-all` tag (not `install-all`!) during the playbook's [installation](./installing.md) process, especially if you're disabling workers, so that components may be installed/uninstalled correctly.
+A separate Ansible role (`matrix-synapse-reverse-proxy-companion`) and component handles load-balancing for workers. This role/component is automatically enabled when you enable workers. Make sure to use the `setup-all` tag (not `install-all`!) during the playbook's [installation](./installing.md) process, especially if you're disabling workers, so that components may be installed/uninstalled correctly.
 In case any problems occur, make sure to have a look at the [list of synapse issues about workers](https://github.com/element-hq/synapse/issues?q=workers+in%3Atitle) and your `journalctl --unit 'matrix-*'`.
--- a/docs/configuring-playbook-turn.md
+++ b/docs/configuring-playbook-turn.md
@@ -25,7 +25,7 @@ and configure its IP-related settings in the section below.
 If you'd like coturn to stay disabled even when Jitsi is enabled, or if you prefer to use an external TURN provider, see [disabling coturn](#disabling-coturn) section below.
-When Coturn is not enabled, homeservers (like Synapse) would not point to TURN servers and *legacy* audio/video call functionality may fail. If you're using [Matrix RTC](configuring-playbook-matrix-rtc.md) (for [Element Call](configuring-playbook-element-call.md)), you likely don't have a need to enable coturn.
+When Coturn is not enabled, homeservers (like Synapse) would not point to TURN servers and *legacy* audio/video call functionality may fail. If you're using [Matrix RTC](configuring-playbook-rtc.md) (for [Element Call](configuring-playbook-element-call.md)), you likely don't have a need to enable coturn.
 ## Adjusting firewall rules
@@ -37,8 +37,6 @@ To ensure Coturn functions correctly, the following firewall rules and port forw
 - `5349/udp`: TURN over UDP
 - `49152-49172/udp`: TURN/UDP relay range
 If LiveKit's embedded TURN is enabled at the same time (for MatrixRTC/Element Call), keep the Coturn relay range distinct from LiveKit's relay range (`livekit_server_config_turn_relay_range_start`/`livekit_server_config_turn_relay_range_end`).
 💡 Docker configures the server's internal firewall for you. In most cases, you don't need to do anything special on the host itself.
 ## Adjusting the playbook configuration
--- a/docs/configuring-playbook.md
+++ b/docs/configuring-playbook.md
@@ -87,8 +87,6 @@ Web clients for Matrix that you can host on your own domains.
 - [Setting up Cinny](configuring-playbook-client-cinny.md), if you've enabled [Cinny](https://github.com/ajbura/cinny), a web client focusing primarily on simple, elegant and secure interface
 - [Setting up Sable](configuring-playbook-client-sable.md), if you've enabled [Sable](https://github.com/7w1/sable), a web client focusing primarily on simple, elegant and secure interface
 - [Setting up SchildiChat Web](configuring-playbook-client-schildichat-web.md), if you've enabled [SchildiChat Web](https://schildi.chat/), a web client based on [Element Web](https://element.io/) with some extras and tweaks
 - [Setting up FluffyChat Web](configuring-playbook-client-fluffychat-web.md), if you've enabled [FluffyChat Web](https://github.com/krille-chan/fluffychat), a cute cross-platform messenger (web, iOS, Android) for Matrix written in [Flutter](https://flutter.dev/)
--- a/docs/container-images.md
+++ b/docs/container-images.md
@@ -39,7 +39,6 @@ Web clients for Matrix that you can host on your own domains.
 | [Element Web](configuring-playbook-client-element-web.md) | [vectorim/element-web](https://hub.docker.com/r/vectorim/element-web/) | ✅ | Default Matrix web client, configured to connect to your own Synapse server |
 | [Hydrogen](configuring-playbook-client-hydrogen.md) | [element-hq/hydrogen-web](https://ghcr.io/element-hq/hydrogen-web) | ❌ | Lightweight Matrix client with legacy and mobile browser support |
 | [Cinny](configuring-playbook-client-cinny.md) | [ajbura/cinny](https://hub.docker.com/r/ajbura/cinny) | ❌ | Simple, elegant and secure web client |
 | [Sable](configuring-playbook-client-sable.md) | [7w1/sable](https://ghcr.io/7w1/sable) | ❌ | Simple, elegant and secure web client |
 | [SchildiChat Web](configuring-playbook-client-schildichat-web.md) | [etke.cc/schildichat-web](https://ghcr.io/etkecc/schildichat-web) | ❌ | Based on Element Web, with a more traditional instant messaging experience |
 ## Server Components
--- a/docs/self-building.md
+++ b/docs/self-building.md
@@ -30,7 +30,6 @@ Possibly outdated list of roles where self-building the Docker image is currentl
 - `matrix-client-element`
 - `hydrogen`
 - `cinny`
 - `sable`
 - `matrix-registration`
 - `coturn`
 - `matrix-corporal`
--- a/examples/vars.yml
+++ b/examples/vars.yml
@@ -1,9 +1,4 @@
 ---
 # This variable acknowledges that you've reviewed breaking changes up to this version.
 # The playbook will fail if this is outdated, guiding you through what changed.
 # See the changelog: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md
 matrix_playbook_migration_validated_version: v2026.03.23.0
 # The bare domain name which represents your Matrix identity.
 # Matrix user IDs for your server will be of the form (`@alice:example.com`).
 #
--- a/flake.nix
+++ b/flake.nix
@@ -19,7 +19,6 @@
          devShells.default = mkShell {
            buildInputs = [
              just
              mise
              ansible
            ];
            shellHook = ''
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -278,7 +278,7 @@ devture_systemd_service_manager_services_list_auto: |
    ([{
      'name': (backup_borg_identifier + '.timer'),
      'priority': 5000,
-      'restart_necessary': (backup_borg_restart_necessary | bool),
+      'restart_necessary': true,
      'groups': ['matrix', 'backup', 'borg'],
    }] if backup_borg_enabled else [])
    +
@@ -383,14 +383,14 @@ devture_systemd_service_manager_services_list_auto: |
    ([{
      'name': 'matrix-appservice-kakaotalk.service',
      'priority': 2000,
-      'restart_necessary': (matrix_appservice_kakaotalk_restart_necessary | bool),
+      'restart_necessary': true,
      'groups': ['matrix', 'bridges', 'appservice-kakaotalk'],
    }] if matrix_appservice_kakaotalk_enabled else [])
    +
    ([{
      'name': 'matrix-appservice-kakaotalk-node.service',
      'priority': 1900,
-      'restart_necessary': (matrix_appservice_kakaotalk_restart_necessary | bool),
+      'restart_necessary': true,
      'groups': ['matrix', 'bridges', 'appservice-kakaotalk', 'appservice-kakaotalk-node'],
    }] if matrix_appservice_kakaotalk_enabled else [])
    +
@@ -404,14 +404,14 @@ devture_systemd_service_manager_services_list_auto: |
    ([{
      'name': 'matrix-wechat.service',
      'priority': 2000,
-      'restart_necessary': (matrix_wechat_restart_necessary | bool),
+      'restart_necessary': true,
      'groups': ['matrix', 'bridges', 'wechat'],
    }] if matrix_wechat_enabled else [])
    +
    ([{
      'name': 'matrix-wechat-agent.service',
      'priority': 2000,
-      'restart_necessary': (matrix_wechat_restart_necessary | bool),
+      'restart_necessary': true,
      'groups': ['matrix', 'bridges', 'wechat'],
    }] if matrix_wechat_enabled else [])
    +
@@ -576,13 +576,6 @@ devture_systemd_service_manager_services_list_auto: |
      'groups': ['matrix', 'clients', 'cinny', 'client-cinny'],
    }] if cinny_enabled else [])
    +
    ([{
      'name': (sable_identifier + '.service'),
      'priority': 2000,
      'restart_necessary': (sable_restart_necessary | bool),
      'groups': ['matrix', 'clients', 'sable', 'client-sable'],
    }] if sable_enabled else [])
    +
    ([{
      'name': 'matrix-client-element.service',
      'priority': 2000,
@@ -604,13 +597,6 @@ devture_systemd_service_manager_services_list_auto: |
      'groups': ['matrix', 'clients', 'schildichat', 'client-schildichat'],
    }] if matrix_client_schildichat_enabled else [])
    +
    ([{
      'name': 'matrix-client-commet.service',
      'priority': 2000,
      'restart_necessary': (matrix_client_commet_restart_necessary | bool),
      'groups': ['matrix', 'clients', 'commet', 'client-commet'],
    }] if matrix_client_commet_enabled else [])
    +
    ([{
      'name': 'matrix-client-fluffychat.service',
      'priority': 2000,
@@ -621,12 +607,7 @@ devture_systemd_service_manager_services_list_auto: |
    ([{
      'name': ('matrix-' + matrix_homeserver_implementation + '.service'),
      'priority': matrix_homeserver_systemd_service_manager_priority,
-      'restart_necessary': (
+      'restart_necessary': true,
        (matrix_conduit_restart_necessary | bool) if matrix_homeserver_implementation == 'conduit'
        else (matrix_continuwuity_restart_necessary | bool) if matrix_homeserver_implementation == 'continuwuity'
        else (matrix_dendrite_restart_necessary | bool) if matrix_homeserver_implementation == 'dendrite'
        else true
      ),
      'groups': ['matrix', 'homeservers', matrix_homeserver_implementation],
    }] if matrix_homeserver_enabled else [])
    +
@@ -689,28 +670,28 @@ devture_systemd_service_manager_services_list_auto: |
    ([{
      'name': (jitsi_identifier + '-web.service'),
      'priority': 4200,
-      'restart_necessary': (jitsi_web_restart_necessary | bool),
+      'restart_necessary': true,
      'groups': ['matrix', 'jitsi', 'jitsi-web'],
    }] if jitsi_enabled else [])
    +
    ([{
      'name': (jitsi_identifier + '-prosody.service'),
      'priority': 4000,
-      'restart_necessary': (jitsi_prosody_restart_necessary | bool),
+      'restart_necessary': true,
      'groups': ['matrix', 'jitsi', 'jitsi-prosody'],
    }] if jitsi_enabled else [])
    +
    ([{
      'name': (jitsi_identifier + '-jicofo.service'),
      'priority': 4100,
-      'restart_necessary': (jitsi_jicofo_restart_necessary | bool),
+      'restart_necessary': true,
      'groups': ['matrix', 'jitsi', 'jitsi-jicofo'],
    }] if jitsi_enabled else [])
    +
    ([{
      'name': (jitsi_identifier + '-jvb.service'),
      'priority': 4100,
-      'restart_necessary': (jitsi_jvb_restart_necessary | bool),
+      'restart_necessary': true,
      'groups': ['matrix', 'jitsi', 'jitsi-jvb'],
    }] if jitsi_enabled else [])
    +
@@ -724,7 +705,7 @@ devture_systemd_service_manager_services_list_auto: |
    ([{
      'name': (matrix_media_repo_identifier + '.service'),
      'priority': 4000,
-      'restart_necessary': (matrix_media_repo_restart_necessary | bool),
+      'restart_necessary': true,
      'groups': ['matrix', 'matrix-media-repo'],
    }] if matrix_media_repo_enabled else [])
    +
@@ -808,7 +789,7 @@ devture_systemd_service_manager_services_list_auto: |
    ([{
      'name': 'matrix-element-call.service',
      'priority': 4000,
-      'restart_necessary': (matrix_element_call_restart_necessary | bool),
+      'restart_necessary': true,
      'groups': ['matrix', 'element-call'],
    }] if matrix_element_call_enabled else [])
    +
@@ -843,14 +824,14 @@ devture_systemd_service_manager_services_list_auto: |
    ([{
      'name': 'matrix-goofys.service',
      'priority': 800,
-      'restart_necessary': (matrix_goofys_restart_necessary | bool),
+      'restart_necessary': true,
      'groups': ['matrix', 'goofys'],
    }] if (matrix_synapse_enabled and matrix_s3_media_store_enabled) else [])
    +
    ([{
      'name': 'matrix-synapse-s3-storage-provider-migrate.timer',
      'priority': 5000,
-      'restart_necessary': (matrix_synapse_s3_storage_provider_restart_necessary | bool),
+      'restart_necessary': true,
      'groups': ['matrix'],
    }] if (matrix_synapse_enabled and matrix_synapse_ext_synapse_s3_storage_provider_enabled) else [])
    +
@@ -1084,18 +1065,9 @@ matrix_authentication_service_enabled: false
 matrix_authentication_service_hostname: "{{ matrix_server_fqn_matrix }}"
 matrix_authentication_service_path_prefix: /auth
-matrix_playbook_matrix_authentication_service_uses_managed_postgres: "{{ postgres_enabled }}"
+matrix_authentication_service_config_database_host: "{{ postgres_connection_hostname if postgres_enabled else '' }}"
 matrix_authentication_service_config_database_host: "{{ matrix_authentication_service_config_database_socket_path if matrix_authentication_service_config_database_socket_enabled else (postgres_connection_hostname if matrix_playbook_matrix_authentication_service_uses_managed_postgres else '') }}"
 matrix_authentication_service_config_database_password: "{{ (matrix_homeserver_generic_secret_key + ':mas.db') | hash('sha512') | to_uuid }}"
 # unix socket connection
 matrix_authentication_service_config_database_socket_enabled: "{{ matrix_playbook_matrix_authentication_service_uses_managed_postgres and postgres_container_unix_socket_enabled }}"
 # path to the Postgres socket's parent dir inside the MAS container
 matrix_authentication_service_config_database_socket_path: "{{ '/run-postgres' if matrix_playbook_matrix_authentication_service_uses_managed_postgres else '' }}"
 # path to the Postgres socket on the host
 matrix_authentication_service_config_database_socket_path_host: "{{ postgres_run_path if matrix_playbook_matrix_authentication_service_uses_managed_postgres else '' }}"
 matrix_authentication_service_config_matrix_homeserver: "{{ matrix_domain }}"
 matrix_authentication_service_config_matrix_secret: "{{ (matrix_homeserver_generic_secret_key + ':mas.hs.secret') | hash('sha512') | to_uuid }}"
 matrix_authentication_service_config_matrix_endpoint: "{{ matrix_homeserver_container_url }}"
@@ -1128,7 +1100,7 @@ matrix_authentication_service_container_network: "{{ matrix_homeserver_container
 matrix_authentication_service_container_additional_networks_auto: |-
  {{
    (
-      ([postgres_container_network] if (matrix_playbook_matrix_authentication_service_uses_managed_postgres and not matrix_authentication_service_config_database_socket_enabled) else [])
+      ([postgres_container_network] if postgres_enabled and matrix_authentication_service_config_database_host == postgres_connection_hostname else [])
      +
      ([exim_relay_container_network] if (exim_relay_enabled and matrix_authentication_service_config_email_transport == 'smtp' and matrix_authentication_service_config_email_hostname == exim_relay_identifier and matrix_authentication_service_container_network != exim_relay_container_network) else [])
      +
@@ -1153,7 +1125,7 @@ matrix_authentication_service_container_labels_internal_compatibility_layer_entr
 # We'll put our dependency on the homeserver as a "want", rather than a requirement.
 matrix_authentication_service_systemd_required_services_list_auto: |
  {{
-    ([postgres_identifier ~ '.service'] if matrix_playbook_matrix_authentication_service_uses_managed_postgres else [])
+    ([postgres_identifier ~ '.service'] if postgres_enabled and matrix_authentication_service_config_database_host == postgres_connection_hostname else [])
  }}
 # See more information about this homeserver "want" in the comment for `matrix_authentication_service_systemd_required_services_list_auto` above.
@@ -1164,12 +1136,9 @@ matrix_authentication_service_systemd_wanted_services_list_auto: |
    ([exim_relay_identifier ~ '.service'] if (exim_relay_enabled and matrix_authentication_service_config_email_transport == 'smtp' and matrix_authentication_service_config_email_hostname == exim_relay_identifier and matrix_authentication_service_container_network != exim_relay_container_network) else [])
  }}
-matrix_authentication_service_syn2mas_container_network: "{{ postgres_container_network if (matrix_playbook_matrix_authentication_service_uses_managed_postgres and not matrix_authentication_service_config_database_socket_enabled) else matrix_authentication_service_container_network }}"
+matrix_authentication_service_syn2mas_container_network: "{{ postgres_container_network if postgres_enabled and matrix_authentication_service_config_database_host == postgres_connection_hostname else matrix_authentication_service_container_network }}"
 matrix_authentication_service_syn2mas_synapse_homeserver_config_path: "{{ matrix_synapse_config_dir_path + '/homeserver.yaml' if matrix_synapse_enabled else '' }}"
 matrix_authentication_service_syn2mas_synapse_database_socket_enabled: "{{ matrix_synapse_database_socket_enabled if matrix_synapse_enabled else false }}"
 matrix_authentication_service_syn2mas_synapse_database_socket_path: "{{ matrix_synapse_database_socket_path if matrix_synapse_enabled else '' }}"
 matrix_authentication_service_syn2mas_synapse_database_socket_path_host: "{{ matrix_synapse_database_socket_path_host if matrix_synapse_enabled else '' }}"
 ######################################################################
 #
@@ -3288,9 +3257,6 @@ matrix_pantalaimon_homeserver_url: "{{ matrix_addons_homeserver_client_api_url }
 ######################################################################
 backup_borg_enabled: false
 backup_borg_mariadb_enabled: false
 backup_borg_mysql_enabled: false
 backup_borg_mongodb_enabled: false
 backup_borg_identifier: matrix-backup-borg
 backup_borg_storage_archive_name_format: matrix-{now:%Y-%m-%d-%H%M%S}
@@ -3620,9 +3586,6 @@ etherpad_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}"
 etherpad_base_path: "{{ matrix_base_data_path }}/etherpad"
 etherpad_uid: "{{ matrix_user_uid }}"
 etherpad_gid: "{{ matrix_user_gid }}"
 etherpad_framing_enabled: "{{ jitsi_enabled }}"
 etherpad_hostname: "{{ matrix_server_fqn_etherpad }}"
@@ -4017,7 +3980,7 @@ postgres_managed_databases_auto: |
      'name': matrix_synapse_database_database,
      'username': matrix_synapse_database_user,
      'password': matrix_synapse_database_password,
-    }] if (matrix_synapse_enabled and matrix_playbook_synapse_uses_managed_postgres) else [])
+    }] if (matrix_synapse_enabled and matrix_synapse_database_host == postgres_connection_hostname) else [])
    +
    ([{
      'name': matrix_dendrite_federation_api_database,
@@ -4061,7 +4024,7 @@ postgres_managed_databases_auto: |
      'name': matrix_authentication_service_config_database_database,
      'username': matrix_authentication_service_config_database_username,
      'password': matrix_authentication_service_config_database_password,
-    }] if (matrix_authentication_service_enabled and matrix_playbook_matrix_authentication_service_uses_managed_postgres) else [])
+    }] if (matrix_authentication_service_enabled and matrix_authentication_service_config_database_host == postgres_connection_hostname) else [])
    +
    ([{
      'name': matrix_bot_matrix_reminder_bot_database_name,
@@ -4422,7 +4385,6 @@ matrix_client_element_container_additional_networks: "{{ [matrix_playbook_revers
 matrix_client_element_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
 matrix_client_element_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
 matrix_client_element_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
 matrix_client_element_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"
@@ -4465,36 +4427,6 @@ matrix_client_element_element_call_url: "{{ matrix_element_call_public_url if ma
 #
 ######################################################################
 ######################################################################
 #
 # matrix-client-commet
 #
 ######################################################################
 matrix_client_commet_enabled: false
 matrix_client_commet_hostname: "commet.{{ matrix_domain }}"
 matrix_client_commet_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '8766') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
 matrix_client_commet_container_network: "{{ matrix_addons_container_network }}"
 matrix_client_commet_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if (matrix_client_commet_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network) else [] }}"
 matrix_client_commet_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
 matrix_client_commet_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
 matrix_client_commet_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
 matrix_client_commet_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"
 matrix_client_commet_container_labels_traefik_compression_middleware_enabled: "{{ matrix_playbook_reverse_proxy_traefik_middleware_compression_enabled }}"
 matrix_client_commet_container_labels_traefik_compression_middleware_name: "{{ matrix_playbook_reverse_proxy_traefik_middleware_compression_name if matrix_playbook_reverse_proxy_traefik_middleware_compression_enabled else '' }}"
 ######################################################################
 #
 # /matrix-client-commet
 #
 ######################################################################
 ######################################################################
 #
 # hydrogen
@@ -4591,54 +4523,6 @@ cinny_hostname: "{{ matrix_server_fqn_cinny }}"
 #
 ######################################################################
 ######################################################################
 #
 # sable
 #
 ######################################################################
 sable_enabled: false
 sable_identifier: matrix-client-sable
 sable_uid: "{{ matrix_user_uid }}"
 sable_gid: "{{ matrix_user_gid }}"
 sable_container_image_registry_prefix: "{{ 'localhost/' if sable_container_image_self_build else sable_container_image_registry_prefix_upstream }}"
 sable_container_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else sable_container_image_registry_prefix_upstream_default }}"
 sable_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}"
 sable_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '8771') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
 sable_container_network: "{{ matrix_addons_container_network }}"
 sable_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if (sable_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network) else [] }}"
 sable_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
 sable_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
 sable_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
 sable_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"
 sable_container_labels_traefik_compression_middleware_enabled: "{{ matrix_playbook_reverse_proxy_traefik_middleware_compression_enabled }}"
 sable_container_labels_traefik_compression_middleware_name: "{{ matrix_playbook_reverse_proxy_traefik_middleware_compression_name if matrix_playbook_reverse_proxy_traefik_middleware_compression_enabled else '' }}"
 sable_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}"
 sable_default_hs_url: "{{ matrix_homeserver_url }}"
 sable_self_check_validate_certificates: "{{ matrix_playbook_ssl_enabled }}"
 sable_base_path: "{{ matrix_base_data_path }}/client-sable"
 sable_hostname: "{{ matrix_server_fqn_sable }}"
 ######################################################################
 #
 # /sable
 #
 ######################################################################
 ######################################################################
 #
 # matrix-client-schildichat
@@ -4765,9 +4649,9 @@ matrix_synapse_container_additional_networks_auto: |
    (
      ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_synapse_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network else [])
      +
-      ([postgres_container_network] if (matrix_playbook_synapse_uses_managed_postgres and (not matrix_synapse_database_socket_enabled) and postgres_container_network != matrix_synapse_container_network) else [])
+      ([postgres_container_network] if (postgres_enabled and postgres_container_network != matrix_synapse_container_network and matrix_synapse_database_host == postgres_connection_hostname) else [])
      +
-      ([valkey_container_network] if (matrix_playbook_synapse_uses_managed_valkey and (not matrix_synapse_redis_path_enabled) and valkey_container_network != matrix_synapse_container_network) else [])
+      ([valkey_container_network] if matrix_synapse_redis_enabled and matrix_synapse_redis_host == valkey_identifier else [])
      +
      ([exim_relay_container_network] if (exim_relay_enabled and matrix_synapse_email_enabled and matrix_synapse_email_smtp_host == exim_relay_identifier and matrix_synapse_container_network != exim_relay_container_network) else [])
      +
@@ -4804,24 +4688,12 @@ matrix_synapse_container_labels_public_metrics_middleware_basic_auth_users: "{{
 matrix_synapse_container_labels_internal_client_api_enabled: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled }}"
 matrix_synapse_container_labels_internal_client_api_traefik_entrypoints: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name }}"
 # Playbook-level Synapse topology wiring helpers.
 matrix_playbook_synapse_uses_managed_postgres: "{{ postgres_enabled }}"
 matrix_playbook_synapse_uses_managed_valkey: "{{ matrix_synapse_redis_enabled and valkey_enabled }}"
 matrix_playbook_synapse_auto_compressor_uses_managed_postgres: "{{ matrix_playbook_synapse_uses_managed_postgres and matrix_synapse_auto_compressor_database_hostname == matrix_synapse_database_host }}"
 # For exposing the Synapse worker (and metrics) ports to the local host.
 matrix_synapse_workers_container_host_bind_address: "{{ matrix_playbook_service_host_bind_interface_prefix[0:-1] if (matrix_synapse_workers_enabled and matrix_playbook_service_host_bind_interface_prefix) else '' }}"
-matrix_synapse_database_host: "{{ postgres_connection_hostname if matrix_playbook_synapse_uses_managed_postgres else '' }}"
+matrix_synapse_database_host: "{{ postgres_connection_hostname if postgres_enabled else '' }}"
 matrix_synapse_database_password: "{{ (matrix_homeserver_generic_secret_key + ':synapse.db') | hash('sha512') | to_uuid }}"
 # unix socket connection
 matrix_synapse_database_socket_enabled: "{{ matrix_playbook_synapse_uses_managed_postgres and postgres_container_unix_socket_enabled }}"
 # path to the Postgres socket's parent dir inside the Synapse container
 matrix_synapse_database_socket_path: "{{ '/run-postgres' if matrix_playbook_synapse_uses_managed_postgres else '' }}"
 # path to the Postgres socket on the host, using Postgres
 matrix_synapse_database_socket_path_host: "{{ postgres_run_path if matrix_playbook_synapse_uses_managed_postgres else '' }}"
 matrix_synapse_macaroon_secret_key: "{{ (matrix_homeserver_generic_secret_key + ':synapse.mac') | hash('sha512') | to_uuid }}"
 # We do not enable TLS in Synapse by default, since it's handled by Traefik.
@@ -4852,9 +4724,9 @@ matrix_synapse_self_check_validate_certificates: "{{ matrix_playbook_ssl_enabled
 matrix_synapse_systemd_required_services_list_auto: |
  {{
-    ([postgres_identifier ~ '.service'] if (matrix_playbook_synapse_uses_managed_postgres and postgres_container_network != matrix_synapse_container_network) else [])
+    ([postgres_identifier ~ '.service'] if (postgres_enabled and postgres_container_network != matrix_synapse_container_network and matrix_synapse_database_host == postgres_connection_hostname) else [])
    +
-    ([valkey_identifier ~ '.service'] if matrix_playbook_synapse_uses_managed_valkey else [])
+    ([valkey_identifier ~ '.service'] if matrix_synapse_redis_enabled and matrix_synapse_redis_host == valkey_identifier else [])
    +
    (['matrix-goofys.service'] if matrix_s3_media_store_enabled else [])
    +
@@ -4870,17 +4742,8 @@ matrix_synapse_systemd_wanted_services_list_auto: |
 # Synapse workers (used for parallel load-scaling) need Redis for IPC.
 matrix_synapse_redis_enabled: "{{ valkey_enabled }}"
-matrix_synapse_redis_host: "{{ valkey_identifier if matrix_playbook_synapse_uses_managed_valkey else '' }}"
+matrix_synapse_redis_host: "{{ valkey_identifier if valkey_enabled else '' }}"
-matrix_synapse_redis_password: "{{ valkey_connection_password if matrix_playbook_synapse_uses_managed_valkey else '' }}"
+matrix_synapse_redis_password: "{{ valkey_connection_password if valkey_enabled else '' }}"
 # unix socket connection
 matrix_synapse_redis_path_enabled: "{{ matrix_playbook_synapse_uses_managed_valkey }}"
 # path to the Redis socket's parent dir inside the Synapse container
 matrix_synapse_redis_path: "{{ '/run-valkey' if matrix_playbook_synapse_uses_managed_valkey else '' }}"
 # redis socket filename
 matrix_synapse_redis_path_socket: "{{ '/valkey.sock' if matrix_playbook_synapse_uses_managed_valkey else '' }}"
 # path to the Redis socket on the host, using Valkey
 matrix_synapse_redis_path_host: "{{ valkey_run_path if matrix_playbook_synapse_uses_managed_valkey else '' }}"
 matrix_synapse_container_extra_arguments_auto: "{{ matrix_homeserver_container_extra_arguments_auto }}"
 matrix_synapse_app_service_config_files_auto: "{{ matrix_homeserver_app_service_config_files_auto }}"
@@ -4909,8 +4772,6 @@ matrix_synapse_experimental_features_msc4108_enabled: "{{ matrix_authentication_
 matrix_synapse_experimental_features_msc4140_enabled: "{{ matrix_rtc_enabled }}"
 matrix_synapse_experimental_features_msc4143_enabled: "{{ matrix_rtc_enabled }}"
 matrix_synapse_experimental_features_msc4222_enabled: "{{ matrix_rtc_enabled }}"
 # Disable password authentication when delegating authentication to Matrix Authentication Service.
@@ -4927,32 +4788,6 @@ matrix_synapse_register_user_script_matrix_authentication_service_path: "{{ matr
 # so it stays in sync automatically.
 matrix_synapse_systemd_service_post_start_delay_seconds: "{{ (traefik_config_providers_providersThrottleDuration_seconds | int + 1) if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] else 0 }}"
 matrix_synapse_reverse_proxy_companion_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
 matrix_synapse_reverse_proxy_companion_container_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else matrix_synapse_reverse_proxy_companion_container_image_registry_prefix_upstream_default }}"
 matrix_synapse_reverse_proxy_companion_container_client_api_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '8008') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
 matrix_synapse_reverse_proxy_companion_container_federation_api_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '8048') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
 matrix_synapse_reverse_proxy_companion_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
 matrix_synapse_reverse_proxy_companion_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
 matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
 matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"
 matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname: "{{ matrix_server_fqn_matrix }}"
 matrix_synapse_reverse_proxy_companion_container_labels_traefik_compression_middleware_enabled: "{{ matrix_playbook_reverse_proxy_traefik_middleware_compression_enabled }}"
 matrix_synapse_reverse_proxy_companion_container_labels_traefik_compression_middleware_name: "{{ matrix_playbook_reverse_proxy_traefik_middleware_compression_name if matrix_playbook_reverse_proxy_traefik_middleware_compression_enabled else '' }}"
 matrix_synapse_reverse_proxy_companion_container_labels_internal_client_synapse_admin_api_traefik_entrypoints: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name }}"
 matrix_synapse_reverse_proxy_companion_access_log_syslog_integration_enabled: "{{ prometheus_nginxlog_exporter_enabled }}"
 matrix_synapse_reverse_proxy_companion_access_log_syslog_integration_server_port: "{{ (prometheus_nginxlog_exporter_identifier | string +':'+ prometheus_nginxlog_exporter_container_syslog_port | string) | default('') }}"
 matrix_synapse_reverse_proxy_companion_container_additional_networks_auto: |
  {{
    (
      ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_synapse_reverse_proxy_companion_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network else [])
      +
      ([prometheus_nginxlog_exporter_container_network] if (prometheus_nginxlog_exporter_enabled and prometheus_nginxlog_exporter_container_network != matrix_synapse_reverse_proxy_companion_container_network) else [])
      +
      ([] if matrix_homeserver_container_network in ['', matrix_synapse_reverse_proxy_companion_container_network] else [matrix_homeserver_container_network])
    ) | unique
  }}
 ######################################################################
 #
 # /matrix-synapse
@@ -4978,7 +4813,7 @@ matrix_synapse_auto_compressor_container_image_registry_prefix_upstream: "{{ mat
 matrix_synapse_auto_compressor_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}"
-matrix_synapse_auto_compressor_container_network: "{{ (postgres_container_network if matrix_playbook_synapse_auto_compressor_uses_managed_postgres else 'matrix-synapse-auto-compressor') }}"
+matrix_synapse_auto_compressor_container_network: "{{ (postgres_container_network if (postgres_enabled and matrix_synapse_auto_compressor_database_hostname == matrix_synapse_database_host and matrix_synapse_database_host == postgres_connection_hostname) else 'matrix-synapse-auto-compressor') }}"
 matrix_synapse_auto_compressor_database_username: "{{ matrix_synapse_database_user if matrix_synapse_enabled else '' }}"
 matrix_synapse_auto_compressor_database_password: "{{ matrix_synapse_database_password if matrix_synapse_enabled else '' }}"
@@ -4988,7 +4823,7 @@ matrix_synapse_auto_compressor_database_name: "{{ matrix_synapse_database_databa
 matrix_synapse_auto_compressor_systemd_required_services_list_auto: |
  {{
-    ([postgres_identifier ~ '.service'] if matrix_playbook_synapse_auto_compressor_uses_managed_postgres else [])
+    ([postgres_identifier ~ '.service'] if (matrix_synapse_auto_compressor_container_network == postgres_container_network) else [])
  }}
 ######################################################################
@@ -4998,6 +4833,81 @@ matrix_synapse_auto_compressor_systemd_required_services_list_auto: |
 ######################################################################
 ######################################################################
 #
 # matrix-synapse-reverse-proxy-companion
 #
 ######################################################################
 matrix_synapse_reverse_proxy_companion_enabled: "{{ matrix_synapse_enabled and matrix_synapse_workers_enabled }}"
 matrix_synapse_reverse_proxy_companion_container_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else matrix_synapse_reverse_proxy_companion_container_image_registry_prefix_upstream_default }}"
 matrix_synapse_reverse_proxy_companion_container_network: "{{ matrix_synapse_container_network }}"
 matrix_synapse_reverse_proxy_companion_container_additional_networks_auto: |
  {{
    (
      ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_synapse_reverse_proxy_companion_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network else [])
      +
      ([prometheus_nginxlog_exporter_container_network] if (prometheus_nginxlog_exporter_enabled and prometheus_nginxlog_exporter_container_network != matrix_synapse_reverse_proxy_companion_container_network) else [])
      +
      ([] if matrix_homeserver_container_network in ['', matrix_synapse_reverse_proxy_companion_container_network] else [matrix_homeserver_container_network])
    ) | unique
  }}
 matrix_synapse_reverse_proxy_companion_client_api_client_max_body_size_mb: "{{ matrix_synapse_max_upload_size_mb }}"
 matrix_synapse_reverse_proxy_companion_container_client_api_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '8008') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
 matrix_synapse_reverse_proxy_companion_container_federation_api_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '8048') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
 matrix_synapse_reverse_proxy_companion_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
 matrix_synapse_reverse_proxy_companion_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
 matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
 matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"
 matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname: "{{ matrix_server_fqn_matrix }}"
 matrix_synapse_reverse_proxy_companion_container_labels_traefik_compression_middleware_enabled: "{{ matrix_playbook_reverse_proxy_traefik_middleware_compression_enabled }}"
 matrix_synapse_reverse_proxy_companion_container_labels_traefik_compression_middleware_name: "{{ matrix_playbook_reverse_proxy_traefik_middleware_compression_name if matrix_playbook_reverse_proxy_traefik_middleware_compression_enabled else '' }}"
 matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_enabled: "{{ matrix_synapse_container_labels_public_client_synapse_client_api_enabled }}"
 matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_enabled: "{{ matrix_synapse_container_labels_public_client_synapse_admin_api_enabled }}"
 matrix_synapse_reverse_proxy_companion_container_labels_internal_client_synapse_admin_api_enabled: "{{ matrix_synapse_container_labels_internal_client_synapse_admin_api_enabled }}"
 matrix_synapse_reverse_proxy_companion_container_labels_internal_client_synapse_admin_api_traefik_entrypoints: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name }}"
 matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_entrypoints: "{{ matrix_synapse_container_labels_public_federation_api_traefik_entrypoints }}"
 matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_tls: "{{ matrix_synapse_container_labels_public_federation_api_traefik_tls }}"
 matrix_synapse_reverse_proxy_companion_container_labels_internal_client_api_enabled: "{{ matrix_synapse_container_labels_internal_client_api_enabled }}"
 matrix_synapse_reverse_proxy_companion_container_labels_internal_client_api_traefik_entrypoints: "{{ matrix_synapse_container_labels_internal_client_api_traefik_entrypoints }}"
 matrix_synapse_reverse_proxy_companion_synapse_workers_enabled: "{{ matrix_synapse_workers_enabled }}"
 matrix_synapse_reverse_proxy_companion_synapse_workers_list: "{{ matrix_synapse_workers_enabled_list }}"
 matrix_synapse_reverse_proxy_companion_synapse_room_worker_client_server_locations: "{{ matrix_synapse_workers_room_worker_client_server_endpoints }}"
 matrix_synapse_reverse_proxy_companion_synapse_room_worker_federation_locations: "{{ matrix_synapse_workers_room_worker_federation_endpoints }}"
 matrix_synapse_reverse_proxy_companion_synapse_sync_worker_client_server_locations: "{{ matrix_synapse_workers_sync_worker_client_server_endpoints }}"
 matrix_synapse_reverse_proxy_companion_synapse_client_reader_client_server_locations: "{{ matrix_synapse_workers_client_reader_client_server_endpoints }}"
 matrix_synapse_reverse_proxy_companion_synapse_federation_reader_federation_locations: "{{ matrix_synapse_workers_federation_reader_federation_endpoints }}"
 matrix_synapse_reverse_proxy_companion_synapse_generic_worker_client_server_locations: "{{ matrix_synapse_workers_generic_worker_client_server_endpoints }}"
 matrix_synapse_reverse_proxy_companion_synapse_generic_worker_federation_locations: "{{ matrix_synapse_workers_generic_worker_federation_endpoints }}"
 matrix_synapse_reverse_proxy_companion_synapse_stream_writer_typing_stream_worker_client_server_locations: "{{ matrix_synapse_workers_stream_writer_typing_stream_worker_client_server_endpoints }}"
 matrix_synapse_reverse_proxy_companion_synapse_stream_writer_to_device_stream_worker_client_server_locations: "{{ matrix_synapse_workers_stream_writer_to_device_stream_worker_client_server_endpoints }}"
 matrix_synapse_reverse_proxy_companion_synapse_stream_writer_account_data_stream_worker_client_server_locations: "{{ matrix_synapse_workers_stream_writer_account_data_stream_worker_client_server_endpoints }}"
 matrix_synapse_reverse_proxy_companion_synapse_stream_writer_receipts_stream_worker_client_server_locations: "{{ matrix_synapse_workers_stream_writer_receipts_stream_worker_client_server_endpoints }}"
 matrix_synapse_reverse_proxy_companion_synapse_stream_writer_presence_stream_worker_client_server_locations: "{{ matrix_synapse_workers_stream_writer_presence_stream_worker_client_server_endpoints }}"
 matrix_synapse_reverse_proxy_companion_synapse_media_repository_locations: "{{matrix_synapse_workers_media_repository_endpoints|default([]) }}"
 matrix_synapse_reverse_proxy_companion_synapse_user_dir_locations: "{{ matrix_synapse_workers_user_dir_worker_client_server_endpoints|default([]) }}"
 matrix_synapse_reverse_proxy_companion_access_log_syslog_integration_enabled: "{{ prometheus_nginxlog_exporter_enabled }}"
 matrix_synapse_reverse_proxy_companion_access_log_syslog_integration_server_port: "{{ (prometheus_nginxlog_exporter_identifier | string +':'+ prometheus_nginxlog_exporter_container_syslog_port | string) | default('') }}"
 ######################################################################
 #
 # /matrix-synapse-reverse-proxy-companion
 #
 ######################################################################
 ######################################################################
 #
 # matrix-synapse-admin
@@ -5228,10 +5138,11 @@ prometheus_node_exporter_container_network: "{{ matrix_monitoring_container_netw
 prometheus_node_exporter_container_additional_networks_auto: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [] }}"
-prometheus_node_exporter_container_labels_metrics_enabled: "{{ matrix_metrics_exposure_enabled }}"
+prometheus_node_exporter_container_labels_traefik_enabled: "{{ matrix_metrics_exposure_enabled }}"
-prometheus_node_exporter_container_labels_metrics_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
+prometheus_node_exporter_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
-prometheus_node_exporter_container_labels_metrics_entrypoints: "{{ traefik_entrypoint_primary }}"
+prometheus_node_exporter_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
-prometheus_node_exporter_container_labels_metrics_tls_certResolver: "{{ traefik_certResolver_primary }}"
+prometheus_node_exporter_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"
 prometheus_node_exporter_container_labels_metrics_middleware_basic_auth_enabled: "{{ matrix_metrics_exposure_http_basic_auth_enabled }}"
 prometheus_node_exporter_container_labels_metrics_middleware_basic_auth_users: "{{ matrix_metrics_exposure_http_basic_auth_users }}"
@@ -5267,13 +5178,14 @@ prometheus_postgres_exporter_container_additional_networks: |
  {{
    ([postgres_container_network] if (postgres_enabled and prometheus_postgres_exporter_database_hostname == postgres_connection_hostname and prometheus_postgres_exporter_container_network != postgres_container_network) else [])
    +
-    ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network and prometheus_postgres_exporter_container_labels_metrics_enabled else [])
+    ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network and prometheus_postgres_exporter_container_labels_traefik_enabled else [])
  }}
-prometheus_postgres_exporter_container_labels_metrics_enabled: "{{ matrix_metrics_exposure_enabled }}"
+prometheus_postgres_exporter_container_labels_traefik_enabled: "{{ matrix_metrics_exposure_enabled }}"
-prometheus_postgres_exporter_container_labels_metrics_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
+prometheus_postgres_exporter_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
-prometheus_postgres_exporter_container_labels_metrics_entrypoints: "{{ traefik_entrypoint_primary }}"
+prometheus_postgres_exporter_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
-prometheus_postgres_exporter_container_labels_metrics_tls_certResolver: "{{ traefik_certResolver_primary }}"
+prometheus_postgres_exporter_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"
 prometheus_postgres_exporter_container_labels_metrics_middleware_basic_auth_enabled: "{{ matrix_metrics_exposure_http_basic_auth_enabled }}"
 prometheus_postgres_exporter_container_labels_metrics_middleware_basic_auth_users: "{{ matrix_metrics_exposure_http_basic_auth_users }}"
@@ -5317,13 +5229,14 @@ prometheus_nginxlog_exporter_container_network_deletion_enabled: false
 prometheus_nginxlog_exporter_container_additional_networks_auto: |-
  {{
-    ([matrix_playbook_reverse_proxyable_services_additional_network] if (matrix_playbook_reverse_proxyable_services_additional_network and prometheus_nginxlog_exporter_container_labels_metrics_enabled) else [])
+    ([matrix_playbook_reverse_proxyable_services_additional_network] if (matrix_playbook_reverse_proxyable_services_additional_network and prometheus_nginxlog_exporter_container_labels_traefik_enabled) else [])
  }}
-prometheus_nginxlog_exporter_container_labels_metrics_enabled: "{{ matrix_metrics_exposure_enabled }}"
+prometheus_nginxlog_exporter_container_labels_traefik_enabled: "{{ matrix_metrics_exposure_enabled }}"
-prometheus_nginxlog_exporter_container_labels_metrics_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
+prometheus_nginxlog_exporter_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
-prometheus_nginxlog_exporter_container_labels_metrics_entrypoints: "{{ traefik_entrypoint_primary }}"
+prometheus_nginxlog_exporter_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
-prometheus_nginxlog_exporter_container_labels_metrics_tls_certResolver: "{{ traefik_certResolver_primary }}"
+prometheus_nginxlog_exporter_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"
 prometheus_nginxlog_exporter_container_labels_metrics_middleware_basic_auth_enabled: "{{ matrix_metrics_exposure_http_basic_auth_enabled }}"
 prometheus_nginxlog_exporter_container_labels_metrics_middleware_basic_auth_users: "{{ matrix_metrics_exposure_http_basic_auth_users }}"
@@ -5786,8 +5699,6 @@ matrix_continuwuity_container_labels_public_federation_api_traefik_tls: "{{ matr
 matrix_continuwuity_container_labels_internal_client_api_enabled: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled }}"
 matrix_continuwuity_container_labels_internal_client_api_traefik_entrypoints: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name }}"
 matrix_continuwuity_config_rtc_foci_livekit_url: "{{ matrix_livekit_jwt_service_public_url if matrix_livekit_jwt_service_enabled else '' }}"
 matrix_continuwuity_config_turn_uris: "{{ coturn_turn_uris if coturn_enabled else [] }}"
 matrix_continuwuity_config_turn_secret: "{{ coturn_turn_static_auth_secret if (coturn_enabled and coturn_authentication_method == 'auth-secret') else '' }}"
 matrix_continuwuity_config_turn_username: "{{ coturn_lt_cred_mech_username if (coturn_enabled and coturn_authentication_method == 'lt-cred-mech') else '' }}"
@@ -5820,7 +5731,7 @@ matrix_user_creator_users_auto: |
      'username': matrix_bot_baibot_config_user_mxid_localpart,
      'initial_password': matrix_bot_baibot_config_user_password,
      'initial_type': 'bot',
-    }] if matrix_bot_baibot_enabled and ((matrix_bot_baibot_config_user_password | default('', true) | string | length) > 0) else [])
+    }] if matrix_bot_baibot_enabled else [])
    +
    ([{
      'username': matrix_bot_matrix_reminder_bot_matrix_user_id_localpart,
@@ -5903,10 +5814,7 @@ matrix_user_verification_service_container_http_host_bind_port: "{{  '' if (jits
 # URL exposed in the docker network
 matrix_user_verification_service_container_url: "http://{{  matrix_user_verification_service_container_name }}:3000"
-# Using `matrix_addons_homeserver_client_api_url` would not work here,
+matrix_user_verification_service_uvs_homeserver_url: "{{ matrix_addons_homeserver_client_api_url }}"
 # because `matrix-traefik:8008` (matrix-internal-client-api) does not expose any `/_synapse` paths.
 # UVS accesses `/_synapse/admin/v1/rooms` API to check room membership.
 matrix_user_verification_service_uvs_homeserver_url: "{{ matrix_homeserver_container_url }}"
 # We connect via the container network (private IPs), so we need to disable IP checks
 matrix_user_verification_service_uvs_disable_ip_blacklist: "{{ matrix_synapse_enabled }}"
--- a/i18n/requirements.txt
+++ b/i18n/requirements.txt
@@ -1,33 +1,33 @@
 alabaster==1.0.0
 babel==2.18.0
 certifi==2026.2.25
-charset-normalizer==3.4.6
+charset-normalizer==3.4.4
 click==8.3.1
 docutils==0.22.4
 idna==3.11
-imagesize==2.0.0
+imagesize==1.4.1
 Jinja2==3.1.6
-linkify-it-py==2.1.0
+linkify-it-py==2.0.3
 markdown-it-py==4.0.0
 MarkupSafe==3.0.3
 mdit-py-plugins==0.5.0
 mdurl==0.1.2
 myst-parser==5.0.0
 packaging==26.0
-Pygments==2.20.0
+Pygments==2.19.2
 PyYAML==6.0.3
-requests==2.33.1
+requests==2.32.5
-setuptools==82.0.1
+setuptools==82.0.0
 snowballstemmer==3.0.1
 Sphinx==9.1.0
 sphinx-intl==2.3.2
-sphinx-markdown-builder==0.6.10
+sphinx-markdown-builder==0.6.9
 sphinxcontrib-applehelp==2.0.0
 sphinxcontrib-devhelp==2.0.0
 sphinxcontrib-htmlhelp==2.1.0
 sphinxcontrib-jsmath==1.0.1
 sphinxcontrib-qthelp==2.0.0
 sphinxcontrib-serializinghtml==2.0.0
-tabulate==0.10.0
+tabulate==0.9.0
-uc-micro-py==2.0.0
+uc-micro-py==1.0.3
 urllib3==2.6.3
--- a/50
+++ b/50
@@ -4,11 +4,6 @@
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 # mise (dev tool version manager)
 mise_data_dir := env("MISE_DATA_DIR", justfile_directory() / "var/mise")
 mise_trusted_config_paths := justfile_directory() / "mise.toml"
 prek_home := env("PREK_HOME", justfile_directory() / "var/prek")
 # Shows help
 default:
    @{{ just_executable() }} --list --justfile "{{ justfile() }}"
@@ -44,39 +39,9 @@ update-playbook-only:
    @git pull -q
    @-git stash pop -q
-# Invokes mise with the project-local data directory
+# Runs ansible-lint against all roles in the playbook
-mise *args: _ensure_mise_data_directory
+lint:
-    #!/bin/sh
+    ansible-lint
    export MISE_DATA_DIR="{{ mise_data_dir }}"
    export MISE_TRUSTED_CONFIG_PATHS="{{ mise_trusted_config_paths }}"
    export MISE_YES=1
    export PREK_HOME="{{ prek_home }}"
    mise {{ args }}
 # Runs prek (pre-commit hooks manager) with the given arguments
 prek *args: _ensure_mise_tools_installed
    @{{ just_executable() }} --justfile "{{ justfile() }}" mise exec -- prek {{ args }}
 # Runs pre-commit hooks on staged files
 prek-run-on-staged *args: _ensure_mise_tools_installed
    @{{ just_executable() }} --justfile "{{ justfile() }}" prek run {{ args }}
 # Runs pre-commit hooks on all files
 prek-run-on-all *args: _ensure_mise_tools_installed
    @{{ just_executable() }} --justfile "{{ justfile() }}" prek run --all-files {{ args }}
 # Installs the git pre-commit hook
 prek-install-git-pre-commit-hook: _ensure_mise_tools_installed
    #!/usr/bin/env sh
    set -eu
    {{ just_executable() }} --justfile "{{ justfile() }}" mise exec -- prek install
    hook="{{ justfile_directory() }}/.git/hooks/pre-commit"
    # The installed git hook runs later under Git, outside this just/mise environment.
    # Injecting PREK_HOME keeps prek's cache under var/prek instead of a global home dir,
    # which is more predictable and works better in sandboxed tools like Codex/OpenCode.
    if [ -f "$hook" ] && ! grep -q '^export PREK_HOME=' "$hook"; then
        sed -i '2iexport PREK_HOME="{{ prek_home }}"' "$hook"
    fi
 # Runs the playbook with --tags=install-all,ensure-matrix-users-created,start and optional arguments
 install-all *extra_args: (run-tags "install-all,ensure-matrix-users-created,start" extra_args)
@@ -119,12 +84,3 @@ stop-group group *extra_args:
 # Rebuilds the mautrix-meta-instagram Ansible role using the mautrix-meta-messenger role as a source
 rebuild-mautrix-meta-instagram:
    /bin/bash "{{ justfile_directory() }}/bin/rebuild-mautrix-meta-instagram.sh" "{{ justfile_directory() }}/roles/custom"
 # Internal - ensures var/mise and var/prek directories exist
 _ensure_mise_data_directory:
    @mkdir -p "{{ mise_data_dir }}"
    @mkdir -p "{{ prek_home }}"
 # Internal - ensures mise tools are installed
 _ensure_mise_tools_installed: _ensure_mise_data_directory
    @{{ just_executable() }} --justfile "{{ justfile() }}" mise install --quiet
--- a/mise.toml
+++ b/mise.toml
@@ -1,9 +0,0 @@
 # SPDX-FileCopyrightText: 2026 Slavi Pantaleev
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 [tools]
 prek = "0.3.2"
 [settings]
 yes = true
--- a/requirements.yml
+++ b/requirements.yml
@@ -4,20 +4,20 @@
  version: v1.0.0-6
  name: auxiliary
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-backup_borg.git
-  version: v1.4.3-2.1.3-2
+  version: v1.4.3-2.1.1-1
  name: backup_borg
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-cinny.git
-  version: v4.11.1-1
+  version: v4.10.5-0
  name: cinny
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-container-socket-proxy.git
-  version: v0.4.2-4
+  version: v0.4.2-3
  name: container_socket_proxy
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-coturn.git
-  version: v4.9.0-1
+  version: v4.9.0-0
  name: coturn
  activation_prefix: coturn_
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-ddclient.git
-  version: v4.0.0-2
+  version: v4.0.0-1
  name: ddclient
  activation_prefix: ddclient_
 - src: git+https://github.com/geerlingguy/ansible-role-docker
@@ -27,28 +27,28 @@
  version: 542a2d68db4e9a8e9bb4b508052760b900c7dce6
  name: docker_sdk_for_python
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-etherpad.git
-  version: v2.6.1-5
+  version: v2.6.1-1
  name: etherpad
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-exim-relay.git
-  version: v4.99.1-r0-2-0
+  version: v4.98.1-r0-2-3
  name: exim_relay
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-grafana.git
-  version: v11.6.5-9
+  version: v11.6.5-7
  name: grafana
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-hydrogen.git
-  version: v0.5.1-2
+  version: v0.5.1-1
  name: hydrogen
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git
-  version: v10888-0
+  version: v10741-0
  name: jitsi
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-livekit-server.git
-  version: v1.10.1-0
+  version: v1.9.11-2
  name: livekit_server
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-ntfy.git
-  version: v2.21.0-0
+  version: v2.17.0-1
  name: ntfy
 - src: git+https://github.com/devture/com.devture.ansible.role.playbook_help.git
-  version: ea8c5cc750c4e23d004c9a836dfd9eda82d45ff4
+  version: 8630e4f1749bcb659c412820f754473f09055052
  name: playbook_help
 - src: git+https://github.com/devture/com.devture.ansible.role.playbook_runtime_messages.git
  version: 9b4b088c62b528b73a9a7c93d3109b091dd42ec6
@@ -57,41 +57,38 @@
  version: dd6e15246b7a9a2d921e0b3f9cd8a4a917a1bb2f
  name: playbook_state_preserver
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-postgres.git
-  version: v18.3-4
+  version: v18.2-2
  name: postgres
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-postgres-backup.git
-  version: v18-2
+  version: v18-1
  name: postgres_backup
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git
-  version: v3.10.0-1
+  version: v3.9.1-1
  name: prometheus
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-nginxlog-exporter.git
-  version: v1.10.0-2
+  version: v1.10.0-0
  name: prometheus_nginxlog_exporter
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-node-exporter.git
-  version: v1.10.2-0
+  version: v1.9.1-14
  name: prometheus_node_exporter
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git
-  version: v0.19.1-3
+  version: v0.19.0-1
  name: prometheus_postgres_exporter
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-sable.git
  version: v1.13.1-0
  name: sable
 - src: git+https://github.com/devture/com.devture.ansible.role.systemd_docker_base.git
-  version: v1.5.0-0
+  version: v1.4.1-0
  name: systemd_docker_base
 - src: git+https://github.com/devture/com.devture.ansible.role.systemd_service_manager.git
-  version: v3.2.0-0
+  version: v3.0.0-1
  name: systemd_service_manager
 - src: git+https://github.com/devture/com.devture.ansible.role.timesync.git
  version: v1.1.0-1
  name: timesync
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik.git
-  version: v3.6.12-0
+  version: v3.6.9-0
  name: traefik
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik-certs-dumper.git
  version: v2.10.0-5
  name: traefik_certs_dumper
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-valkey.git
-  version: v9.0.3-3
+  version: v9.0.3-0
  name: valkey
--- a/roles/custom/matrix-alertmanager-receiver/defaults/main.yml
+++ b/roles/custom/matrix-alertmanager-receiver/defaults/main.yml
@@ -11,7 +11,7 @@
 matrix_alertmanager_receiver_enabled: true
 # renovate: datasource=docker depName=docker.io/metio/matrix-alertmanager-receiver
-matrix_alertmanager_receiver_version: 2026.4.1
+matrix_alertmanager_receiver_version: 2026.2.25
 matrix_alertmanager_receiver_scheme: https
--- a/roles/custom/matrix-appservice-draupnir-for-all/defaults/main.yml
+++ b/roles/custom/matrix-appservice-draupnir-for-all/defaults/main.yml
@@ -1,5 +1,5 @@
 # SPDX-FileCopyrightText: 2024 MDAD project contributors
-# SPDX-FileCopyrightText: 2024 - 2026 Catalan Lover <catalanlover@protonmail.com>
+# SPDX-FileCopyrightText: 2024 - 2025 Catalan Lover <catalanlover@protonmail.com>
 # SPDX-FileCopyrightText: 2024 - 2025 Slavi Pantaleev
 # SPDX-FileCopyrightText: 2024 Suguru Hirahara
 #
@@ -20,8 +20,7 @@ matrix_appservice_draupnir_for_all_container_image_self_build_repo: "https://git
 matrix_appservice_draupnir_for_all_container_image_registry_prefix: "{{ 'localhost/' if matrix_appservice_draupnir_for_all_container_image_self_build else matrix_appservice_draupnir_for_all_container_image_registry_prefix_upstream }}"
 matrix_appservice_draupnir_for_all_container_image_registry_prefix_upstream: "{{ matrix_appservice_draupnir_for_all_container_image_registry_prefix_upstream_default }}"
 matrix_appservice_draupnir_for_all_container_image_registry_prefix_upstream_default: "docker.io/"
-matrix_appservice_draupnir_for_all_container_image: "{{ matrix_appservice_draupnir_for_all_container_image_registry_prefix }}{{ matrix_appservice_draupnir_for_all_container_image_registry_namespace_identifier }}:{{ matrix_appservice_draupnir_for_all_version }}"
+matrix_appservice_draupnir_for_all_container_image: "{{ matrix_appservice_draupnir_for_all_container_image_registry_prefix }}gnuxie/draupnir:{{ matrix_appservice_draupnir_for_all_version }}"
 matrix_appservice_draupnir_for_all_container_image_registry_namespace_identifier: "gnuxie/draupnir"
 matrix_appservice_draupnir_for_all_container_image_force_pull: "{{ matrix_appservice_draupnir_for_all_container_image.endswith(':latest') }}"
 matrix_appservice_draupnir_for_all_base_path: "{{ matrix_base_data_path }}/draupnir-for-all"
--- a/roles/custom/matrix-authentication-service/defaults/main.yml
+++ b/roles/custom/matrix-authentication-service/defaults/main.yml
@@ -22,7 +22,7 @@ matrix_authentication_service_container_repo_version: "{{ 'main' if matrix_authe
 matrix_authentication_service_container_src_files_path: "{{ matrix_base_data_path }}/matrix-authentication-service/container-src"
 # renovate: datasource=docker depName=ghcr.io/element-hq/matrix-authentication-service
-matrix_authentication_service_version: 1.14.0
+matrix_authentication_service_version: 1.12.0
 matrix_authentication_service_container_image_registry_prefix: "{{ 'localhost/' if matrix_authentication_service_container_image_self_build else matrix_authentication_service_container_image_registry_prefix_upstream }}"
 matrix_authentication_service_container_image_registry_prefix_upstream: "{{ matrix_authentication_service_container_image_registry_prefix_upstream_default }}"
 matrix_authentication_service_container_image_registry_prefix_upstream_default: "ghcr.io/"
@@ -300,15 +300,6 @@ matrix_authentication_service_config_database_idle_timeout: 600
 # Controls the `database.max_lifetime` configuration setting.
 matrix_authentication_service_config_database_max_lifetime: 1800
 # Controls whether the database connection is made via a UNIX socket.
 matrix_authentication_service_config_database_socket_enabled: false
 # The path to the Postgres socket's parent directory inside the MAS container.
 matrix_authentication_service_config_database_socket_path: "/run-postgres"
 # The path to the Postgres socket directory on the host (bind-mount source).
 matrix_authentication_service_config_database_socket_path_host: ""
 ########################################################################################
 #                                                                                      #
 # /Database configuration                                                              #
@@ -622,10 +613,6 @@ matrix_authentication_service_syn2mas_synapse_homeserver_config_path: ""
 matrix_authentication_service_syn2mas_container_network: "{{ matrix_authentication_service_container_network }}"
 matrix_authentication_service_syn2mas_synapse_database_socket_enabled: false
 matrix_authentication_service_syn2mas_synapse_database_socket_path: ""
 matrix_authentication_service_syn2mas_synapse_database_socket_path_host: ""
 # Additional options passed to the syn2mas sub-command (e.g. `mas-cli syn2mas [OPTIONS] migrate|check`).
 # Also see: `matrix_authentication_service_syn2mas_subcommand_extra_options`
 #
--- a/roles/custom/matrix-authentication-service/tasks/install.yml
+++ b/roles/custom/matrix-authentication-service/tasks/install.yml
@@ -33,25 +33,6 @@
      loop_control:
        loop_var: private_key_definition
    # We intentionally do a single fixup pass here (instead of in `prepare_key.yml`)
    # so that we reconcile both newly generated keys and any pre-existing keys with
    # incorrect ownership/mode in one place.
    #
    # This primarily protects against setups where `become_user` is effectively not
    # honored (for example due to inventory misconfiguration such as `ansible_become=false`),
    # which can lead to host-side key generation creating root-owned files.
    #
    # See: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/5033
    - name: Ensure Matrix Authentication Service private keys have correct ownership and mode
      ansible.builtin.file:
        path: "{{ matrix_authentication_service_data_keys_path }}/{{ item.key_file }}"
        state: file
        mode: '0600'
        owner: "{{ matrix_user_name }}"
        group: "{{ matrix_group_name }}"
      with_items: "{{ matrix_authentication_service_key_management_list }}"
      register: matrix_authentication_service_private_keys_result
 - name: Ensure Matrix Authentication Service configuration installed
  ansible.builtin.copy:
    content: "{{ matrix_authentication_service_configuration | to_nice_yaml(indent=2, width=999999) }}"
@@ -136,5 +117,4 @@
        or matrix_authentication_service_support_files_result.changed | default(false)
        or matrix_authentication_service_systemd_service_result.changed | default(false)
        or matrix_authentication_service_container_image_pull_result.changed | default(false)
        or matrix_authentication_service_private_keys_result.changed | default(false)
      }}
--- a/roles/custom/matrix-authentication-service/tasks/mas_cli_syn2mas.yml
+++ b/roles/custom/matrix-authentication-service/tasks/mas_cli_syn2mas.yml
@@ -71,12 +71,6 @@
      --mount type=bind,src={{ matrix_authentication_service_config_path }}/config.yaml,dst=/config.yaml,ro
      --mount type=bind,src={{ matrix_authentication_service_data_keys_path }},dst=/keys,ro
      --mount type=bind,src={{ matrix_authentication_service_syn2mas_synapse_homeserver_config_path }},dst=/homeserver.yaml,ro
      {% if matrix_authentication_service_config_database_socket_enabled %}
      --mount type=bind,src={{ matrix_authentication_service_config_database_socket_path_host }},dst={{ matrix_authentication_service_config_database_socket_path }}
      {% endif %}
      {% if matrix_authentication_service_syn2mas_synapse_database_socket_enabled and (not matrix_authentication_service_config_database_socket_enabled or matrix_authentication_service_syn2mas_synapse_database_socket_path != matrix_authentication_service_config_database_socket_path) %}
      --mount type=bind,src={{ matrix_authentication_service_syn2mas_synapse_database_socket_path_host }},dst={{ matrix_authentication_service_syn2mas_synapse_database_socket_path }}
      {% endif %}
      {{ matrix_authentication_service_container_image }}
      syn2mas
      --synapse-config=/homeserver.yaml
@@ -110,17 +104,11 @@
  ansible.builtin.debug:
    var: matrix_authentication_service_mas_cli_syn2mas_command_result
- name: Inject syn2mas post-migration note
+- name: Ensure Synapse is started (if it previously was)
  when: "not matrix_authentication_service_syn2mas_migrate_dry_run and matrix_authentication_service_mas_cli_syn2mas_command_result.changed"
-  ansible.builtin.set_fact:
+  ansible.builtin.service:
-    devture_playbook_runtime_messages_list: |
+    name: matrix-synapse
-      {{
+    state: started
        devture_playbook_runtime_messages_list | default([])
        +
        [
          "Synapse was intentionally not restarted after `syn2mas`. Continue with the next steps in the Matrix Authentication Service migration guide before re-running the installation."
        ]
      }}
 - name: Ensure Matrix Authentication Service is started (if it previously was)
  when: "not matrix_authentication_service_syn2mas_migrate_dry_run and matrix_authentication_service_mas_ensure_stopped_result.changed"
--- a/roles/custom/matrix-authentication-service/tasks/validate_config.yml
+++ b/roles/custom/matrix-authentication-service/tasks/validate_config.yml
@@ -14,8 +14,7 @@
    - {'name': 'matrix_authentication_service_hostname', when: true}
    - {'name': 'matrix_authentication_service_config_database_username', when: true}
    - {'name': 'matrix_authentication_service_config_database_password', when: true}
-    - {'name': 'matrix_authentication_service_config_database_host', when: "{{ not matrix_authentication_service_config_database_socket_enabled }}"}
+    - {'name': 'matrix_authentication_service_config_database_host', when: true}
    - {'name': 'matrix_authentication_service_config_database_socket_path_host', when: "{{ matrix_authentication_service_config_database_socket_enabled }}"}
    - {'name': 'matrix_authentication_service_config_database_database', when: true}
    - {'name': 'matrix_authentication_service_config_secrets_encryption', when: true}
    - {'name': 'matrix_authentication_service_config_matrix_homeserver', when: true}
--- a/roles/custom/matrix-authentication-service/templates/systemd/matrix-authentication-service.service.j2
+++ b/roles/custom/matrix-authentication-service/templates/systemd/matrix-authentication-service.service.j2
@@ -28,9 +28,6 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 			--label-file={{ matrix_authentication_service_config_path }}/labels \
 			--mount type=bind,src={{ matrix_authentication_service_config_path }}/config.yaml,dst=/config.yaml,ro \
 			--mount type=bind,src={{ matrix_authentication_service_data_keys_path }},dst=/keys,ro \
 			{% if matrix_authentication_service_config_database_socket_enabled %}
 			--mount type=bind,src={{ matrix_authentication_service_config_database_socket_path_host }},dst={{ matrix_authentication_service_config_database_socket_path }} \
 			{% endif %}
 			{% for arg in matrix_authentication_service_container_extra_arguments %}
 			{{ arg }} \
 			{% endfor %}
--- a/roles/custom/matrix-base/defaults/main.yml
+++ b/roles/custom/matrix-base/defaults/main.yml
@@ -116,9 +116,6 @@ matrix_server_fqn_hydrogen: "hydrogen.{{ matrix_domain }}"
 # This is where you access the Cinny web client from (if enabled via cinny_enabled; disabled by default).
 matrix_server_fqn_cinny: "cinny.{{ matrix_domain }}"
 # This is where you access the Sable web client from (if enabled via sable_enabled; disabled by default).
 matrix_server_fqn_sable: "sable.{{ matrix_domain }}"
 # This is where you access the SchildiChat Web from (if enabled via matrix_client_schildichat_enabled; disabled by default).
 matrix_server_fqn_schildichat: "schildichat.{{ matrix_domain }}"
@@ -246,21 +243,6 @@ matrix_integration_manager_ui_url: ~
 matrix_homeserver_container_extra_arguments_auto: []
 matrix_homeserver_app_service_config_files_auto: []
 # These playbook-level helpers describe which managed services Synapse should be wired to.
 # They are meant for orchestration concerns like container networking and systemd ordering,
 # while `matrix_synapse_*` variables stay focused on actual connection parameters.
 # These likely get overridden elsewhere.
 matrix_playbook_synapse_uses_managed_postgres: false
 matrix_playbook_synapse_uses_managed_valkey: false
 matrix_playbook_synapse_auto_compressor_uses_managed_postgres: false
 # This playbook-level helper describes whether Matrix Authentication Service should be wired
 # to the playbook-managed Postgres instance.
 # It is meant for orchestration concerns like container networking, systemd ordering, and database creation,
 # while `matrix_authentication_service_*` variables stay focused on actual connection parameters.
 # This likely gets overridden elsewhere.
 matrix_playbook_matrix_authentication_service_uses_managed_postgres: false
 # Controls whether various services should expose metrics publicly.
 # If Prometheus is operating on the same machine, exposing metrics publicly is not necessary.
 matrix_metrics_exposure_enabled: false
--- a/roles/custom/matrix-bot-baibot/defaults/main.yml
+++ b/roles/custom/matrix-bot-baibot/defaults/main.yml
@@ -17,7 +17,7 @@ matrix_bot_baibot_container_repo_version: "{{ 'main' if matrix_bot_baibot_versio
 matrix_bot_baibot_container_src_files_path: "{{ matrix_base_data_path }}/baibot/container-src"
 # renovate: datasource=docker depName=ghcr.io/etkecc/baibot
-matrix_bot_baibot_version: v1.17.0
+matrix_bot_baibot_version: v1.14.3
 matrix_bot_baibot_container_image: "{{ matrix_bot_baibot_container_image_registry_prefix }}etkecc/baibot:{{ matrix_bot_baibot_version }}"
 matrix_bot_baibot_container_image_registry_prefix: "{{ 'localhost/' if matrix_bot_baibot_container_image_self_build else matrix_bot_baibot_container_image_registry_prefix_upstream }}"
 matrix_bot_baibot_container_image_registry_prefix_upstream: "{{ matrix_bot_baibot_container_image_registry_prefix_upstream_default }}"
@@ -59,28 +59,8 @@ matrix_bot_baibot_config_homeserver_url: ""
 # so it can start fresh.
 matrix_bot_baibot_config_user_mxid_localpart: baibot
 # Authentication settings (`user.*` configuration keys).
 #
 # baibot supports 2 mutually-exclusive authentication modes.
 # Set EITHER:
 # - password authentication: `matrix_bot_baibot_config_user_password`
 # OR:
 # - access-token authentication: `matrix_bot_baibot_config_user_access_token` + `matrix_bot_baibot_config_user_device_id`
 #
 # Password authentication is recommended for most playbook-managed deployments,
 # because it integrates with the `matrix-user-creator` role and can auto-create
 # the bot account (via the `ensure-matrix-users-created` playbook tag).
 # This remains true even on many MAS-enabled deployments where the bot account
 # is local and playbook-managed.
 # Controls the `user.password` configuration setting.
-matrix_bot_baibot_config_user_password: null
+matrix_bot_baibot_config_user_password: ''
 # Controls the `user.access_token` configuration setting.
 matrix_bot_baibot_config_user_access_token: null
 # Controls the `user.device_id` configuration setting.
 matrix_bot_baibot_config_user_device_id: null
 # Controls the `user.name` configuration setting.
 #
@@ -405,7 +385,7 @@ matrix_bot_baibot_config_agents_static_definitions_openai_config_api_key: ""
 matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_enabled: true
 # For valid model choices, see: https://platform.openai.com/docs/models
-matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_model_id: gpt-5.4
+matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_model_id: gpt-5.2
 # The prompt text to use (can be null or empty to not use a prompt).
 # See: https://huggingface.co/docs/transformers/en/tasks/prompting
 matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_prompt: "{{ matrix_bot_baibot_config_agents_static_definitions_prompt }}"
--- a/roles/custom/matrix-bot-baibot/tasks/validate_config.yml
+++ b/roles/custom/matrix-bot-baibot/tasks/validate_config.yml
@@ -12,6 +12,7 @@
  when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0"
  with_items:
    - {'name': 'matrix_bot_baibot_config_user_mxid_localpart', when: true}
    - {'name': 'matrix_bot_baibot_config_user_password', when: true}
    - {'name': 'matrix_bot_baibot_container_network', when: true}
    - {'name': 'matrix_bot_baibot_config_homeserver_url', when: true}
@@ -25,58 +26,6 @@
    - {'name': 'matrix_bot_baibot_config_agents_static_definitions_openai_config_api_key', when: "{{ matrix_bot_baibot_config_agents_static_definitions_openai_enabled }}"}
 - name: Fail if baibot authentication mode is not configured
  ansible.builtin.fail:
    msg: >-
      You need to configure one baibot authentication mode:
      either `matrix_bot_baibot_config_user_password`
      or (`matrix_bot_baibot_config_user_access_token` + `matrix_bot_baibot_config_user_device_id`).
  when: >-
    (
      matrix_bot_baibot_config_user_password | default('', true) | string | length == 0
    )
    and
    (
      matrix_bot_baibot_config_user_access_token | default('', true) | string | length == 0
      and matrix_bot_baibot_config_user_device_id | default('', true) | string | length == 0
    )
 - name: Fail if baibot authentication mode is configured ambiguously
  ansible.builtin.fail:
    msg: >-
      You need to configure exactly one baibot authentication mode.
      Set either `matrix_bot_baibot_config_user_password`,
      or (`matrix_bot_baibot_config_user_access_token` + `matrix_bot_baibot_config_user_device_id`) but not both.
  when: >-
    (
      matrix_bot_baibot_config_user_password | default('', true) | string | length > 0
    )
    and
    (
      matrix_bot_baibot_config_user_access_token | default('', true) | string | length > 0
      or matrix_bot_baibot_config_user_device_id | default('', true) | string | length > 0
    )
 - name: Fail if baibot access token authentication is incomplete
  ansible.builtin.fail:
    msg: >-
      Access-token authentication requires both
      `matrix_bot_baibot_config_user_access_token` and `matrix_bot_baibot_config_user_device_id`.
  when: >-
    (
      matrix_bot_baibot_config_user_password | default('', true) | string | length == 0
    )
    and
    (
      matrix_bot_baibot_config_user_access_token | default('', true) | string | length > 0
      or matrix_bot_baibot_config_user_device_id | default('', true) | string | length > 0
    )
    and
    (
      matrix_bot_baibot_config_user_access_token | default('', true) | string | length == 0
      or matrix_bot_baibot_config_user_device_id | default('', true) | string | length == 0
    )
 - name: Fail if admin patterns list is empty
  ansible.builtin.fail:
    msg: >-
--- a/roles/custom/matrix-bot-baibot/templates/config.yaml.j2
+++ b/roles/custom/matrix-bot-baibot/templates/config.yaml.j2
@@ -15,11 +15,7 @@ homeserver:
 user:
  mxid_localpart: {{ matrix_bot_baibot_config_user_mxid_localpart | to_json }}
  # Authentication: set EITHER password OR access_token + device_id.
  password: {{ matrix_bot_baibot_config_user_password | to_json }}
  access_token: {{ matrix_bot_baibot_config_user_access_token | to_json }}
  device_id: {{ matrix_bot_baibot_config_user_device_id | to_json }}
  # The name the bot uses as a display name and when it refers to itself.
  # Leave empty to use the default (baibot).
--- a/roles/custom/matrix-bot-draupnir/defaults/main.yml
+++ b/roles/custom/matrix-bot-draupnir/defaults/main.yml
@@ -1,5 +1,5 @@
 # SPDX-FileCopyrightText: 2023 - 2024 MDAD project contributors
-# SPDX-FileCopyrightText: 2023 - 2026 Catalan Lover <catalanlover@protonmail.com>
+# SPDX-FileCopyrightText: 2023 - 2025 Catalan Lover <catalanlover@protonmail.com>
 # SPDX-FileCopyrightText: 2023 Samuel Meenzen
 # SPDX-FileCopyrightText: 2024 - 2025 Slavi Pantaleev
 #
@@ -17,8 +17,7 @@ matrix_bot_draupnir_version: "v2.9.0"
 matrix_bot_draupnir_container_image_self_build: false
 matrix_bot_draupnir_container_image_self_build_repo: "https://github.com/the-draupnir-project/Draupnir.git"
-matrix_bot_draupnir_container_image: "{{ matrix_bot_draupnir_container_image_registry_prefix }}{{ matrix_bot_draupnir_container_image_registry_namespace_identifier }}:{{ matrix_bot_draupnir_version }}"
+matrix_bot_draupnir_container_image: "{{ matrix_bot_draupnir_container_image_registry_prefix }}gnuxie/draupnir:{{ matrix_bot_draupnir_version }}"
 matrix_bot_draupnir_container_image_registry_namespace_identifier: "gnuxie/draupnir"
 matrix_bot_draupnir_container_image_registry_prefix: "{{ 'localhost/' if matrix_bot_draupnir_container_image_self_build else matrix_bot_draupnir_container_image_registry_prefix_upstream }}"
 matrix_bot_draupnir_container_image_registry_prefix_upstream: "{{ matrix_bot_draupnir_container_image_registry_prefix_upstream_default }}"
 matrix_bot_draupnir_container_image_registry_prefix_upstream_default: "docker.io/"
--- a/roles/custom/matrix-bot-honoroit/defaults/main.yml
+++ b/roles/custom/matrix-bot-honoroit/defaults/main.yml
@@ -30,7 +30,7 @@ matrix_bot_honoroit_container_repo_version: "{{ matrix_bot_honoroit_version }}"
 matrix_bot_honoroit_container_src_files_path: "{{ matrix_base_data_path }}/honoroit/docker-src"
 # renovate: datasource=docker depName=ghcr.io/etkecc/honoroit
-matrix_bot_honoroit_version: v0.9.30
+matrix_bot_honoroit_version: v0.9.29
 matrix_bot_honoroit_container_image: "{{ matrix_bot_honoroit_container_image_registry_prefix }}etkecc/honoroit:{{ matrix_bot_honoroit_version }}"
 matrix_bot_honoroit_container_image_registry_prefix: "{{ 'localhost/' if matrix_bot_honoroit_container_image_self_build else matrix_bot_honoroit_container_image_registry_prefix_upstream }}"
 matrix_bot_honoroit_container_image_registry_prefix_upstream: "{{ matrix_bot_honoroit_container_image_registry_prefix_upstream_default }}"
--- a/roles/custom/matrix-bot-mjolnir/defaults/main.yml
+++ b/roles/custom/matrix-bot-mjolnir/defaults/main.yml
@@ -17,7 +17,7 @@
 matrix_bot_mjolnir_enabled: true
 # renovate: datasource=docker depName=matrixdotorg/mjolnir
-matrix_bot_mjolnir_version: "v1.12.1"
+matrix_bot_mjolnir_version: "v1.12.0"
 matrix_bot_mjolnir_container_image_self_build: false
 matrix_bot_mjolnir_container_image_self_build_repo: "https://github.com/matrix-org/mjolnir.git"
--- a/roles/custom/matrix-bridge-appservice-kakaotalk/defaults/main.yml
+++ b/roles/custom/matrix-bridge-appservice-kakaotalk/defaults/main.yml
@@ -225,13 +225,3 @@ matrix_appservice_kakaotalk_registration_yaml: |
  rate_limited: false
 matrix_appservice_kakaotalk_registration: "{{ matrix_appservice_kakaotalk_registration_yaml | from_yaml }}"
 # matrix_appservice_kakaotalk_restart_necessary controls whether the service
 # will be restarted (when true) or merely started (when false) by the
 # systemd service manager role (when conditional restart is enabled).
 #
 # This value is automatically computed during installation based on whether
 # any configuration files, the systemd service file, or the container image changed.
 # The default of `false` means "no restart needed" — appropriate when the role's
 # installation tasks haven't run (e.g., due to --tags skipping them).
 matrix_appservice_kakaotalk_restart_necessary: false
--- a/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/setup_install.yml
+++ b/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/setup_install.yml
@@ -13,10 +13,10 @@
    force_source: "{{ matrix_appservice_kakaotalk_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_kakaotalk_container_image_force_pull }}"
  when: not matrix_appservice_kakaotalk_container_image_self_build
-  register: matrix_appservice_kakaotalk_container_image_pull_result
+  register: result
  retries: "{{ devture_playbook_help_container_retries_count }}"
  delay: "{{ devture_playbook_help_container_retries_delay }}"
-  until: matrix_appservice_kakaotalk_container_image_pull_result is not failed
+  until: result is not failed
 - name: Ensure matrix-appservice-kakaotalk-node image is pulled
  community.docker.docker_image:
@@ -25,10 +25,10 @@
    force_source: "{{ matrix_appservice_kakaotalk_node_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_kakaotalk_node_container_image_force_pull }}"
  when: not matrix_appservice_kakaotalk_container_image_self_build
-  register: matrix_appservice_kakaotalk_node_container_image_pull_result
+  register: result
  retries: "{{ devture_playbook_help_container_retries_count }}"
  delay: "{{ devture_playbook_help_container_retries_delay }}"
-  until: matrix_appservice_kakaotalk_node_container_image_pull_result is not failed
+  until: result is not failed
 - name: Ensure matrix-appservice-kakaotalk paths exist
  ansible.builtin.file:
@@ -86,7 +86,6 @@
    mode: '0644'
    owner: "{{ matrix_user_name }}"
    group: "{{ matrix_group_name }}"
  register: matrix_appservice_kakaotalk_node_config_result
 - name: Ensure matrix-appservice-kakaotalk config.yaml installed
  ansible.builtin.copy:
@@ -95,7 +94,6 @@
    mode: '0644'
    owner: "{{ matrix_user_name }}"
    group: "{{ matrix_group_name }}"
  register: matrix_appservice_kakaotalk_config_result
 - name: Ensure matrix-appservice-kakaotalk registration.yaml installed
  ansible.builtin.copy:
@@ -104,7 +102,6 @@
    mode: '0644'
    owner: "{{ matrix_user_name }}"
    group: "{{ matrix_group_name }}"
  register: matrix_appservice_kakaotalk_registration_result
 - name: Ensure matrix-appservice-kakaotalk container network is created
  community.general.docker_network:
@@ -125,17 +122,3 @@
    src: "{{ role_path }}/templates/systemd/matrix-appservice-kakaotalk.service.j2"
    dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-appservice-kakaotalk.service"
    mode: '0644'
  register: matrix_appservice_kakaotalk_systemd_service_result
 - name: Determine whether matrix-appservice-kakaotalk needs a restart
  ansible.builtin.set_fact:
    matrix_appservice_kakaotalk_restart_necessary: >-
      {{
        matrix_appservice_kakaotalk_node_config_result.changed | default(false)
        or matrix_appservice_kakaotalk_config_result.changed | default(false)
        or matrix_appservice_kakaotalk_registration_result.changed | default(false)
        or matrix_appservice_kakaotalk_node_systemd_service_result.changed | default(false)
        or matrix_appservice_kakaotalk_systemd_service_result.changed | default(false)
        or matrix_appservice_kakaotalk_container_image_pull_result.changed | default(false)
        or matrix_appservice_kakaotalk_node_container_image_pull_result.changed | default(false)
      }}
--- a/roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml
+++ b/roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml
@@ -76,20 +76,6 @@
  become_user: "{{ matrix_user_name }}"
  when: "not hookshot_passkey_file.stat.exists"
 # We intentionally reconcile the passkey ownership/mode after generation,
 # because some setups can end up creating host-side files as the SSH user
 # instead of `matrix` when `become_user` is effectively not honored.
 #
 # See: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/5033
 - name: Ensure hookshot passkey has correct ownership and mode
  ansible.builtin.file:
    path: "{{ matrix_hookshot_base_path }}/passkey.pem"
    state: file
    mode: '0600'
    owner: "{{ matrix_user_name }}"
    group: "{{ matrix_group_name }}"
  register: matrix_hookshot_passkey_result
 - name: Ensure hookshot config.yml installed if provided
  ansible.builtin.copy:
    content: "{{ matrix_hookshot_configuration | to_nice_yaml(indent=2, width=999999) }}"
@@ -168,7 +154,6 @@
        matrix_hookshot_config_result.changed | default(false)
        or matrix_hookshot_registration_result.changed | default(false)
        or matrix_hookshot_github_key_result.changed | default(false)
        or matrix_hookshot_passkey_result.changed | default(false)
        or matrix_hookshot_support_files_result.changed | default(false)
        or matrix_hookshot_systemd_service_result.changed | default(false)
        or matrix_hookshot_container_image_pull_result.changed | default(false)
--- a/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml
@@ -25,7 +25,7 @@ matrix_mautrix_signal_container_image_self_build_repo: "https://mau.dev/mautrix/
 matrix_mautrix_signal_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_signal_version == 'latest' else matrix_mautrix_signal_version }}"
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/signal
-matrix_mautrix_signal_version: v26.02.2
+matrix_mautrix_signal_version: v0.2602.0
 # See: https://mau.dev/mautrix/signal/container_registry
 matrix_mautrix_signal_container_image: "{{ matrix_mautrix_signal_container_image_registry_prefix }}mautrix/signal:{{ matrix_mautrix_signal_container_image_tag }}"
--- a/roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml
@@ -17,7 +17,7 @@ matrix_mautrix_slack_container_image_self_build_repo: "https://mau.dev/mautrix/s
 matrix_mautrix_slack_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_slack_version == 'latest' else matrix_mautrix_slack_version }}"
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/slack
-matrix_mautrix_slack_version: v0.2603.0
+matrix_mautrix_slack_version: v0.2602.0
 # See: https://mau.dev/mautrix/slack/container_registry
 matrix_mautrix_slack_container_image: "{{ matrix_mautrix_slack_container_image_registry_prefix }}mautrix/slack:{{ matrix_mautrix_slack_version }}"
 matrix_mautrix_slack_container_image_registry_prefix: "{{ 'localhost/' if matrix_mautrix_slack_container_image_self_build else matrix_mautrix_slack_container_image_registry_prefix_upstream }}"
--- a/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml
@@ -22,7 +22,7 @@ matrix_mautrix_twitter_container_image_self_build_repo: "https://github.com/maut
 matrix_mautrix_twitter_container_image_self_build_repo_version: "{{ 'master' if matrix_mautrix_twitter_version == 'latest' else matrix_mautrix_twitter_version }}"
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/twitter
-matrix_mautrix_twitter_version: v0.2603.0
+matrix_mautrix_twitter_version: v0.2511.0
 # See: https://mau.dev/tulir/mautrix-twitter/container_registry
 matrix_mautrix_twitter_container_image: "{{ matrix_mautrix_twitter_container_image_registry_prefix }}mautrix/twitter:{{ matrix_mautrix_twitter_version }}"
 matrix_mautrix_twitter_container_image_registry_prefix: "{{ 'localhost/' if matrix_mautrix_twitter_container_image_self_build else matrix_mautrix_twitter_container_image_registry_prefix_upstream }}"
--- a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml
@@ -28,7 +28,7 @@ matrix_mautrix_whatsapp_container_image_self_build_repo: "https://mau.dev/mautri
 matrix_mautrix_whatsapp_container_image_self_build_branch: "{{ 'master' if matrix_mautrix_whatsapp_version == 'latest' else matrix_mautrix_whatsapp_version }}"
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/whatsapp
-matrix_mautrix_whatsapp_version: v0.2603.0
+matrix_mautrix_whatsapp_version: v0.2602.0
 # See: https://mau.dev/mautrix/whatsapp/container_registry
 matrix_mautrix_whatsapp_container_image: "{{ matrix_mautrix_whatsapp_container_image_registry_prefix }}mautrix/whatsapp:{{ matrix_mautrix_whatsapp_version }}"
--- a/roles/custom/matrix-bridge-postmoogle/defaults/main.yml
+++ b/roles/custom/matrix-bridge-postmoogle/defaults/main.yml
@@ -18,7 +18,7 @@ matrix_postmoogle_container_repo_version: "{{ 'main' if matrix_postmoogle_versio
 matrix_postmoogle_container_src_files_path: "{{ matrix_base_data_path }}/postmoogle/docker-src"
 # renovate: datasource=docker depName=ghcr.io/etkecc/postmoogle
-matrix_postmoogle_version: v0.9.29
+matrix_postmoogle_version: v0.9.28
 matrix_postmoogle_container_image: "{{ matrix_postmoogle_container_image_registry_prefix }}etkecc/postmoogle:{{ matrix_postmoogle_version }}"
 matrix_postmoogle_container_image_registry_prefix: "{{ 'localhost/' if matrix_postmoogle_container_image_self_build else matrix_postmoogle_container_image_registry_prefix_upstream }}"
 matrix_postmoogle_container_image_registry_prefix_upstream: "{{ matrix_postmoogle_container_image_registry_prefix_upstream_default }}"
--- a/roles/custom/matrix-bridge-wechat/defaults/main.yml
+++ b/roles/custom/matrix-bridge-wechat/defaults/main.yml
@@ -163,13 +163,3 @@ matrix_wechat_agent_service_secret: "{{ matrix_wechat_bridge_listen_secret }}"
 matrix_wechat_agent_configuration_yaml: "{{ lookup('template', 'templates/agent-config.yaml.j2') }}"
 matrix_wechat_agent_configuration: "{{ matrix_wechat_agent_configuration_yaml | from_yaml }}"
 # matrix_wechat_restart_necessary controls whether the service
 # will be restarted (when true) or merely started (when false) by the
 # systemd service manager role (when conditional restart is enabled).
 #
 # This value is automatically computed during installation based on whether
 # any configuration files, the systemd service file, or the container image changed.
 # The default of `false` means "no restart needed" — appropriate when the role's
 # installation tasks haven't run (e.g., due to --tags skipping them).
 matrix_wechat_restart_necessary: false
--- a/roles/custom/matrix-bridge-wechat/tasks/install.yml
+++ b/roles/custom/matrix-bridge-wechat/tasks/install.yml
@@ -27,10 +27,10 @@
    force_source: "{{ matrix_wechat_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_wechat_container_image_force_pull }}"
  when: not matrix_wechat_container_image_self_build
-  register: matrix_wechat_container_image_pull_result
+  register: result
  retries: "{{ devture_playbook_help_container_retries_count }}"
  delay: "{{ devture_playbook_help_container_retries_delay }}"
-  until: matrix_wechat_container_image_pull_result is not failed
+  until: result is not failed
 - when: matrix_wechat_container_image_self_build | bool
  block:
@@ -62,10 +62,10 @@
    force_source: "{{ matrix_wechat_agent_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_wechat_agent_container_image_force_pull }}"
  when: not matrix_wechat_agent_container_image_self_build
-  register: matrix_wechat_agent_container_image_pull_result
+  register: result
  retries: "{{ devture_playbook_help_container_retries_count }}"
  delay: "{{ devture_playbook_help_container_retries_delay }}"
-  until: matrix_wechat_agent_container_image_pull_result is not failed
+  until: result is not failed
 - when: matrix_wechat_agent_container_image_self_build | bool
  block:
@@ -97,7 +97,6 @@
    mode: '0644'
    owner: "{{ matrix_user_name }}"
    group: "{{ matrix_group_name }}"
  register: matrix_wechat_config_result
 - name: Ensure WeChat registration.yaml installed
  ansible.builtin.copy:
@@ -106,7 +105,6 @@
    mode: '0644'
    owner: "{{ matrix_user_name }}"
    group: "{{ matrix_group_name }}"
  register: matrix_wechat_registration_result
 - name: Ensure Wechat Agent configuration installed
  ansible.builtin.copy:
@@ -115,7 +113,6 @@
    mode: '0644'
    owner: "{{ matrix_user_name }}"
    group: "{{ matrix_group_name }}"
  register: matrix_wechat_agent_config_result
 - name: Ensure matrix-wechat container network is created
  community.general.docker_network:
@@ -137,16 +134,3 @@
    dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-wechat-agent.service"
    mode: '0644'
  register: matrix_wechat_agent_systemd_service_result
 - name: Determine whether WeChat Bridge needs a restart
  ansible.builtin.set_fact:
    matrix_wechat_restart_necessary: >-
      {{
        matrix_wechat_config_result.changed | default(false)
        or matrix_wechat_registration_result.changed | default(false)
        or matrix_wechat_agent_config_result.changed | default(false)
        or matrix_wechat_systemd_service_result.changed | default(false)
        or matrix_wechat_agent_systemd_service_result.changed | default(false)
        or matrix_wechat_container_image_pull_result.changed | default(false)
        or matrix_wechat_agent_container_image_pull_result.changed | default(false)
      }}
--- a/roles/custom/matrix-cactus-comments-client/defaults/main.yml
+++ b/roles/custom/matrix-cactus-comments-client/defaults/main.yml
@@ -18,7 +18,7 @@ matrix_cactus_comments_client_public_path: "{{ matrix_cactus_comments_client_bas
 matrix_cactus_comments_client_public_path_file_permissions: "0644"
 # renovate: datasource=docker depName=joseluisq/static-web-server
-matrix_cactus_comments_client_version: 2.42.0
+matrix_cactus_comments_client_version: 2.41.0
 matrix_cactus_comments_client_container_image: "{{ matrix_cactus_comments_client_container_image_registry_prefix }}joseluisq/static-web-server:{{ matrix_cactus_comments_client_container_image_tag }}"
 matrix_cactus_comments_client_container_image_registry_prefix: "{{ matrix_cactus_comments_client_container_image_registry_prefix_upstream }}"
--- a/roles/custom/matrix-client-commet/defaults/main.yml
+++ b/roles/custom/matrix-client-commet/defaults/main.yml
@@ -1,102 +0,0 @@
 # SPDX-FileCopyrightText: 2026 MDAD project contributors
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 ---
 # Project source code URL: https://github.com/commetchat/commet
 matrix_client_commet_enabled: true
 # The git branch, tag, or SHA to build from
 matrix_client_commet_version: "main"
 # The hostname at which Commet is served (e.g. commet.example.com)
 matrix_client_commet_hostname: ""
 # The path at which Commet is exposed.
 # This value must either be `/` or not end with a slash (e.g. `/commet`).
 matrix_client_commet_path_prefix: /
 matrix_client_commet_base_path: "{{ matrix_base_data_path }}/client-commet"
 matrix_client_commet_container_src_path: "{{ matrix_client_commet_base_path }}/container-src"
 matrix_client_commet_config_path: "{{ matrix_client_commet_base_path }}/config"
 # Set to false to pull a pre-built image from a registry instead of building on the server.
 matrix_client_commet_container_image_self_build: true
 # Self-build settings (used when matrix_client_commet_container_image_self_build: true)
 matrix_client_commet_container_image_self_build_repo: "https://github.com/commetchat/commet.git"
 # Populated automatically after git clone in setup_install.yml
 matrix_client_commet_container_image_self_build_git_hash: ""
 matrix_client_commet_container_image_self_build_version_tag: "{{ matrix_client_commet_version }}"
 matrix_client_commet_container_image: "localhost/matrix-client-commet:{{ matrix_client_commet_version }}"
 # The in-container port nginx listens on
 matrix_client_commet_container_port: 8080
 # Optionally expose the container port on the host.
 # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8765"), or empty string to not expose.
 matrix_client_commet_container_http_host_bind_port: ""
 # The base container network
 matrix_client_commet_container_network: ""
 # Additional container networks the container is connected to.
 # The role does not create these networks, so make sure they already exist.
 matrix_client_commet_container_additional_networks: []
 # Runtime configuration — mounted into the container, not baked into the image
 matrix_client_commet_default_homeserver: "matrix.org"
 # ---------------------------------------------------------------------------
 # Traefik labels
 # ---------------------------------------------------------------------------
 matrix_client_commet_container_labels_traefik_enabled: true
 matrix_client_commet_container_labels_traefik_docker_network: "{{ matrix_client_commet_container_network }}"
 matrix_client_commet_container_labels_traefik_hostname: "{{ matrix_client_commet_hostname }}"
 # The path prefix must either be `/` or not end with a slash (e.g. `/commet`).
 matrix_client_commet_container_labels_traefik_path_prefix: "{{ matrix_client_commet_path_prefix }}"
 matrix_client_commet_container_labels_traefik_rule: "Host(`{{ matrix_client_commet_container_labels_traefik_hostname }}`){% if matrix_client_commet_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_client_commet_container_labels_traefik_path_prefix }}`){% endif %}"
 matrix_client_commet_container_labels_traefik_priority: 0
 matrix_client_commet_container_labels_traefik_entrypoints: web-secure
 matrix_client_commet_container_labels_traefik_tls: "{{ matrix_client_commet_container_labels_traefik_entrypoints != 'web' }}"
 matrix_client_commet_container_labels_traefik_tls_certResolver: default  # noqa var-naming
 # Controls whether a compression middleware will be injected into the middlewares list.
 matrix_client_commet_container_labels_traefik_compression_middleware_enabled: false
 matrix_client_commet_container_labels_traefik_compression_middleware_name: ""
 # Additional response headers (auto-built from security header variables below)
 matrix_client_commet_container_labels_traefik_additional_response_headers: "{{ matrix_client_commet_container_labels_traefik_additional_response_headers_auto | combine(matrix_client_commet_container_labels_traefik_additional_response_headers_custom) }}"
 matrix_client_commet_container_labels_traefik_additional_response_headers_auto: |
  {{
    {}
    | combine({'X-XSS-Protection': matrix_client_commet_http_header_xss_protection} if matrix_client_commet_http_header_xss_protection else {})
    | combine({'X-Content-Type-Options': matrix_client_commet_http_header_content_type_options} if matrix_client_commet_http_header_content_type_options else {})
    | combine({'Content-Security-Policy': matrix_client_commet_http_header_content_security_policy} if matrix_client_commet_http_header_content_security_policy else {})
    | combine({'Strict-Transport-Security': matrix_client_commet_http_header_strict_transport_security} if matrix_client_commet_http_header_strict_transport_security and matrix_client_commet_container_labels_traefik_tls else {})
  }}
 matrix_client_commet_container_labels_traefik_additional_response_headers_custom: {}
 # Additional container labels (multiline string)
 matrix_client_commet_container_labels_additional_labels: ""
 # Extra arguments to pass to docker create
 matrix_client_commet_container_extra_arguments: []
 # ---------------------------------------------------------------------------
 # HTTP security headers
 # ---------------------------------------------------------------------------
 matrix_client_commet_http_header_xss_protection: "1; mode=block"
 matrix_client_commet_http_header_content_type_options: nosniff
 matrix_client_commet_http_header_content_security_policy: "frame-ancestors 'self'"
 matrix_client_commet_http_header_strict_transport_security: "max-age=31536000; includeSubDomains"
 # ---------------------------------------------------------------------------
 # Systemd
 # ---------------------------------------------------------------------------
 matrix_client_commet_systemd_required_services_list: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
 # matrix_client_commet_restart_necessary is automatically set during installation
 # to signal whether the service should be restarted after setup.
 matrix_client_commet_restart_necessary: false
--- a/roles/custom/matrix-client-commet/tasks/main.yml
+++ b/roles/custom/matrix-client-commet/tasks/main.yml
@@ -1,30 +0,0 @@
 # SPDX-FileCopyrightText: 2026 MDAD project contributors
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 ---
 - tags:
    - setup-all
    - setup-client-commet
    - install-all
    - install-client-commet
  block:
    - when: matrix_client_commet_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
 - tags:
    - setup-all
    - setup-client-commet
  block:
    - when: not matrix_client_commet_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
 - tags:
    - self-check
  block:
    - when: matrix_client_commet_enabled | bool
      ansible.builtin.debug:
        msg: >-
          Commet is running at
          https://{{ matrix_client_commet_hostname }}{{ matrix_client_commet_path_prefix }}
--- a/roles/custom/matrix-client-commet/tasks/setup_install.yml
+++ b/roles/custom/matrix-client-commet/tasks/setup_install.yml
@@ -1,116 +0,0 @@
 # SPDX-FileCopyrightText: 2025 Nikita Chernyi
 # SPDX-FileCopyrightText: 2026 MDAD project contributors
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 ---
 - name: Ensure Commet paths exist
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    mode: "0750"
    owner: "{{ matrix_user_name }}"
    group: "{{ matrix_group_name }}"
  with_items:
    - "{{ matrix_client_commet_base_path }}"
    - "{{ matrix_client_commet_config_path }}"
 - name: Ensure Commet container image is pulled
  community.docker.docker_image:
    name: "{{ matrix_client_commet_container_image }}"
    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
    force_source: "{{ matrix_client_commet_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_client_commet_container_image_force_pull }}"
  when: "not matrix_client_commet_container_image_self_build | bool"
  register: matrix_client_commet_image_pull_result
  retries: "{{ devture_playbook_help_container_retries_count }}"
  delay: "{{ devture_playbook_help_container_retries_delay }}"
  until: matrix_client_commet_image_pull_result is not failed
 - when: "matrix_client_commet_container_image_self_build | bool"
  block:
    - name: Check Commet git repository metadata exists
      ansible.builtin.stat:
        path: "{{ matrix_client_commet_container_src_path }}/.git/config"
      register: matrix_client_commet_git_config_file_stat
    - name: Remove Commet source directory if git remote is misconfigured
      ansible.builtin.file:
        path: "{{ matrix_client_commet_container_src_path }}"
        state: absent
      when: not matrix_client_commet_git_config_file_stat.stat.exists
      become: true
    - name: Ensure Commet repository is present on self-build
      ansible.builtin.git:
        repo: "{{ matrix_client_commet_container_image_self_build_repo }}"
        dest: "{{ matrix_client_commet_container_src_path }}"
        version: "{{ matrix_client_commet_version }}"
        force: "yes"
      become: true
      become_user: "{{ matrix_user_name }}"
      register: matrix_client_commet_git_pull_results
    - name: Set git hash fact
      ansible.builtin.set_fact:
        matrix_client_commet_container_image_self_build_git_hash: "{{ matrix_client_commet_git_pull_results.after }}"
    - name: Ensure Commet container image is built
      ansible.builtin.command:
        cmd: |-
          {{ devture_systemd_docker_base_host_command_docker }} buildx build
          --tag={{ matrix_client_commet_container_image }}
          --build-arg GIT_HASH={{ matrix_client_commet_container_image_self_build_git_hash }}
          --build-arg VERSION_TAG={{ matrix_client_commet_container_image_self_build_version_tag }}
          --build-arg BUILD_DATE={{ ansible_date_time.epoch }}
          --file={{ matrix_client_commet_container_src_path }}/Dockerfile
          {{ matrix_client_commet_container_src_path }}
      changed_when: true
      register: matrix_client_commet_image_build_result
 - name: Ensure Commet global_config.json is installed
  ansible.builtin.template:
    src: "{{ role_path }}/templates/global_config.json.j2"
    dest: "{{ matrix_client_commet_config_path }}/global_config.json"
    mode: "0644"
    owner: "{{ matrix_user_name }}"
    group: "{{ matrix_group_name }}"
  register: matrix_client_commet_config_result
 - name: Ensure Commet support files are installed
  ansible.builtin.template:
    src: "{{ item.src }}"
    dest: "{{ matrix_client_commet_base_path }}/{{ item.name }}"
    mode: "0644"
    owner: "{{ matrix_user_name }}"
    group: "{{ matrix_group_name }}"
  with_items:
    - {src: "{{ role_path }}/templates/labels.j2", name: "labels"}
    - {src: "{{ role_path }}/templates/env.j2", name: "env"}
  register: matrix_client_commet_support_files_result
 - name: Ensure Commet container network is created
  community.general.docker_network:
    enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}"
    name: "{{ matrix_client_commet_container_network }}"
    driver: bridge
    driver_options: "{{ devture_systemd_docker_base_container_networks_driver_options }}"
 - name: Ensure matrix-client-commet.service is installed
  ansible.builtin.template:
    src: "{{ role_path }}/templates/systemd/matrix-client-commet.service.j2"
    dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-client-commet.service"
    mode: "0644"
  register: matrix_client_commet_systemd_service_result
 - name: Determine whether Commet needs a restart
  ansible.builtin.set_fact:
    matrix_client_commet_restart_necessary: >-
      {{
        matrix_client_commet_config_result.changed | default(false)
        or matrix_client_commet_support_files_result.changed | default(false)
        or matrix_client_commet_systemd_service_result.changed | default(false)
        or matrix_client_commet_image_build_result.changed | default(false)
        or matrix_client_commet_image_pull_result.changed | default(false)
      }}
--- a/roles/custom/matrix-client-commet/tasks/setup_uninstall.yml
+++ b/roles/custom/matrix-client-commet/tasks/setup_uninstall.yml
@@ -1,29 +0,0 @@
 # SPDX-FileCopyrightText: 2026 MDAD project contributors
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 ---
 - name: Check existence of matrix-client-commet.service
  ansible.builtin.stat:
    path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-client-commet.service"
  register: matrix_client_commet_service_stat
 - when: matrix_client_commet_service_stat.stat.exists | bool
  block:
    - name: Ensure matrix-client-commet is stopped
      ansible.builtin.service:
        name: matrix-client-commet
        state: stopped
        enabled: false
        daemon_reload: true
    - name: Ensure matrix-client-commet.service doesn't exist
      ansible.builtin.file:
        path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-client-commet.service"
        state: absent
    - name: Ensure Commet path doesn't exist
      ansible.builtin.file:
        path: "{{ matrix_client_commet_base_path }}"
        state: absent
--- a/roles/custom/matrix-client-commet/templates/env.j2
+++ b/roles/custom/matrix-client-commet/templates/env.j2
@@ -1,12 +0,0 @@
 {#
 SPDX-FileCopyrightText: 2026 MDAD project contributors
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
 {#
 Environment variables for the matrix-client-commet container.
 Add custom variables by appending to matrix_client_commet_environment_variables_extension.
 #}
 {{ matrix_client_commet_environment_variables_extension | default('') }}
--- a/roles/custom/matrix-client-commet/templates/global_config.json.j2
+++ b/roles/custom/matrix-client-commet/templates/global_config.json.j2
@@ -1,3 +0,0 @@
 {
  "default_homeserver": "{{ matrix_client_commet_default_homeserver }}"
 }
--- a/roles/custom/matrix-client-commet/templates/global_config.json.j2.license
+++ b/roles/custom/matrix-client-commet/templates/global_config.json.j2.license
@@ -1,3 +0,0 @@
 SPDX-FileCopyrightText: 2026 MDAD project contributors
 SPDX-License-Identifier: AGPL-3.0-or-later
--- a/roles/custom/matrix-client-commet/templates/labels.j2
+++ b/roles/custom/matrix-client-commet/templates/labels.j2
@@ -1,60 +0,0 @@
 {#
 SPDX-FileCopyrightText: 2026 MDAD project contributors
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
 {#
 Traefik labels for matrix-client-commet.
 #}
 {% if matrix_client_commet_container_labels_traefik_enabled %}
 traefik.enable=true
 {% if matrix_client_commet_container_labels_traefik_docker_network %}
 traefik.docker.network={{ matrix_client_commet_container_labels_traefik_docker_network }}
 {% endif %}
 traefik.http.services.matrix-client-commet.loadbalancer.server.port={{ matrix_client_commet_container_port }}
 {% set middlewares = [] %}
 {% if matrix_client_commet_container_labels_traefik_compression_middleware_enabled %}
 {% set middlewares = middlewares + [matrix_client_commet_container_labels_traefik_compression_middleware_name] %}
 {% endif %}
 {% if matrix_client_commet_container_labels_traefik_path_prefix != '/' %}
 traefik.http.middlewares.matrix-client-commet-slashless-redirect.redirectregex.regex=({{ matrix_client_commet_container_labels_traefik_path_prefix | quote }})$
 traefik.http.middlewares.matrix-client-commet-slashless-redirect.redirectregex.replacement=${1}/
 {% set middlewares = middlewares + ['matrix-client-commet-slashless-redirect'] %}
 {% endif %}
 {% if matrix_client_commet_container_labels_traefik_path_prefix != '/' %}
 traefik.http.middlewares.matrix-client-commet-strip-prefix.stripprefix.prefixes={{ matrix_client_commet_container_labels_traefik_path_prefix }}
 {% set middlewares = middlewares + ['matrix-client-commet-strip-prefix'] %}
 {% endif %}
 {% if matrix_client_commet_container_labels_traefik_additional_response_headers.keys() | length > 0 %}
 {% for name, value in matrix_client_commet_container_labels_traefik_additional_response_headers.items() %}
 traefik.http.middlewares.matrix-client-commet-add-headers.headers.customresponseheaders.{{ name }}={{ value }}
 {% endfor %}
 {% set middlewares = middlewares + ['matrix-client-commet-add-headers'] %}
 {% endif %}
 traefik.http.routers.matrix-client-commet.rule={{ matrix_client_commet_container_labels_traefik_rule }}
 {% if matrix_client_commet_container_labels_traefik_priority | int > 0 %}
 traefik.http.routers.matrix-client-commet.priority={{ matrix_client_commet_container_labels_traefik_priority }}
 {% endif %}
 traefik.http.routers.matrix-client-commet.service=matrix-client-commet
 {% if middlewares | length > 0 %}
 traefik.http.routers.matrix-client-commet.middlewares={{ middlewares | join(',') }}
 {% endif %}
 traefik.http.routers.matrix-client-commet.entrypoints={{ matrix_client_commet_container_labels_traefik_entrypoints }}
 traefik.http.routers.matrix-client-commet.tls={{ matrix_client_commet_container_labels_traefik_tls | to_json }}
 {% if matrix_client_commet_container_labels_traefik_tls %}
 traefik.http.routers.matrix-client-commet.tls.certResolver={{ matrix_client_commet_container_labels_traefik_tls_certResolver }}
 {% endif %}
 {% endif %}
 {{ matrix_client_commet_container_labels_additional_labels }}
--- a/roles/custom/matrix-client-commet/templates/systemd/matrix-client-commet.service.j2
+++ b/roles/custom/matrix-client-commet/templates/systemd/matrix-client-commet.service.j2
@@ -1,58 +0,0 @@
 {#
 SPDX-FileCopyrightText: 2026 MDAD project contributors
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
 #jinja2: lstrip_blocks: True
 [Unit]
 Description=Matrix Commet web client
 {% for service in matrix_client_commet_systemd_required_services_list %}
 Requires={{ service }}
 After={{ service }}
 {% endfor %}
 DefaultDependencies=no
 [Service]
 Type=simple
 Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
 ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-client-commet 2>/dev/null || true'
 ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-client-commet 2>/dev/null || true'
 ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 			--rm \
 			--name=matrix-client-commet \
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--cap-drop=ALL \
 			--read-only \
 			--network={{ matrix_client_commet_container_network }} \
 			{% if matrix_client_commet_container_http_host_bind_port %}
 			-p {{ matrix_client_commet_container_http_host_bind_port }}:{{ matrix_client_commet_container_port }} \
 			{% endif %}
 			--label-file={{ matrix_client_commet_base_path }}/labels \
 			--env-file={{ matrix_client_commet_base_path }}/env \
 			--tmpfs=/tmp:rw,noexec,nosuid,size=10m \
 			--tmpfs=/var/cache/nginx:rw,mode=777 \
 			--tmpfs=/var/run:rw,mode=777 \
 			--mount type=bind,src={{ matrix_client_commet_config_path }}/global_config.json,dst=/usr/share/nginx/html/assets/assets/config/global_config.json,ro \
 			{% for arg in matrix_client_commet_container_extra_arguments %}
 			{{ arg }} \
 			{% endfor %}
 			{{ matrix_client_commet_container_image }}
 {% for network in matrix_client_commet_container_additional_networks %}
 ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-client-commet
 {% endfor %}
 ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-client-commet
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-client-commet 2>/dev/null || true'
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-client-commet 2>/dev/null || true'
 Restart=always
 RestartSec=30
 SyslogIdentifier=matrix-client-commet
 [Install]
 WantedBy=multi-user.target
--- a/roles/custom/matrix-client-element/defaults/main.yml
+++ b/roles/custom/matrix-client-element/defaults/main.yml
@@ -29,7 +29,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/eleme
 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_facts['memtotal_mb'] < 4096 }}"
 # renovate: datasource=docker depName=ghcr.io/element-hq/element-web
-matrix_client_element_version: v1.12.13
+matrix_client_element_version: v1.12.11
 matrix_client_element_container_image: "{{ matrix_client_element_container_image_registry_prefix }}element-hq/element-web:{{ matrix_client_element_version }}"
 matrix_client_element_container_image_registry_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_client_element_container_image_registry_prefix_upstream }}"
--- a/roles/custom/matrix-client-element/tasks/self_check.yml
+++ b/roles/custom/matrix-client-element/tasks/self_check.yml
@@ -5,6 +5,9 @@
 ---
 - ansible.builtin.set_fact:
    matrix_client_element_url_endpoint_public: "{{ matrix_client_element_scheme }}://{{ matrix_client_element_hostname }}/config.json"
 - name: Check Element Web
  ansible.builtin.uri:
    url: "{{ matrix_client_element_url_endpoint_public }}"
--- a/roles/custom/matrix-client-element/templates/config.json.j2
+++ b/roles/custom/matrix-client-element/templates/config.json.j2
@@ -3,12 +3,10 @@
 		"m.homeserver": {
 			"base_url": {{ matrix_client_element_default_hs_url | string | to_json }},
 			"server_name": {{ matrix_client_element_default_server_name | string | to_json }}
-		}
+		},
 		{% if matrix_client_element_default_is_url %},
 		"m.identity_server": {
 			"base_url": {{ matrix_client_element_default_is_url | string | to_json }}
 		}
 		{% endif %}
 	},
 	"setting_defaults": {
 		"custom_themes": {{ matrix_client_element_setting_defaults_custom_themes | to_json }}
--- a/roles/custom/matrix-client-element/vars/main.yml
+++ b/roles/custom/matrix-client-element/vars/main.yml
@@ -5,5 +5,3 @@
 ---
 matrix_client_element_embedded_pages_home_url: "{{ ('' if matrix_client_element_embedded_pages_home_path is none else 'home.html') }}"
 matrix_client_element_url_endpoint_public: "{{ matrix_client_element_scheme }}://{{ matrix_client_element_hostname }}{{ matrix_client_element_path_prefix }}{% if matrix_client_element_path_prefix != '/' %}/{% endif %}config.json"
--- a/roles/custom/matrix-client-fluffychat/defaults/main.yml
+++ b/roles/custom/matrix-client-fluffychat/defaults/main.yml
@@ -13,7 +13,7 @@ matrix_client_fluffychat_container_image_self_build_repo: "https://github.com/et
 matrix_client_fluffychat_container_image_self_build_version: "{{ 'main' if matrix_client_fluffychat_version == 'latest' else matrix_client_fluffychat_version }}"
 # renovate: datasource=docker depName=ghcr.io/etkecc/fluffychat-web
-matrix_client_fluffychat_version: v2.5.1
+matrix_client_fluffychat_version: v2.4.1
 matrix_client_fluffychat_container_image: "{{ matrix_client_fluffychat_container_image_registry_prefix }}etkecc/fluffychat-web:{{ matrix_client_fluffychat_version }}"
 matrix_client_fluffychat_container_image_registry_prefix: "{{ 'localhost/' if matrix_client_fluffychat_container_image_self_build else matrix_client_fluffychat_container_image_registry_prefix_upstream }}"
 matrix_client_fluffychat_container_image_registry_prefix_upstream: "{{ matrix_client_fluffychat_container_image_registry_prefix_upstream_default }}"
@@ -151,7 +151,7 @@ matrix_client_fluffychat_path_prefix: /
 matrix_client_fluffychat_self_check_validate_certificates: true
 # Controls the default homeserver domain (not URL) used in the FluffyChat Web configuration.
-matrix_client_fluffychat_config_defaultHomeserver: ~  # noqa var-naming
+matrix_client_fluffychat_config_defaultHomeserver: ~
 # matrix_client_fluffychat_restart_necessary controls whether the service
 # will be restarted (when true) or merely started (when false) by the
--- a/roles/custom/matrix-client-fluffychat/tasks/self_check.yml
+++ b/roles/custom/matrix-client-fluffychat/tasks/self_check.yml
@@ -4,6 +4,9 @@
 ---
 - ansible.builtin.set_fact:
    matrix_client_fluffychat_url_endpoint_public: "{{ matrix_client_fluffychat_scheme }}://{{ matrix_client_fluffychat_hostname }}/"
 - name: Check FluffyChat Web
  ansible.builtin.uri:
    url: "{{ matrix_client_fluffychat_url_endpoint_public }}"
--- a/roles/custom/matrix-client-fluffychat/vars/main.yml
+++ b/roles/custom/matrix-client-fluffychat/vars/main.yml
@@ -1,7 +0,0 @@
 # SPDX-FileCopyrightText: 2025 Slavi Pantaleev
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 ---
 matrix_client_fluffychat_url_endpoint_public: "{{ matrix_client_fluffychat_scheme }}://{{ matrix_client_fluffychat_hostname }}{{ matrix_client_fluffychat_path_prefix }}{% if matrix_client_fluffychat_path_prefix != '/' %}/{% endif %}"
--- a/roles/custom/matrix-client-schildichat/tasks/self_check.yml
+++ b/roles/custom/matrix-client-schildichat/tasks/self_check.yml
@@ -6,6 +6,9 @@
 ---
 - ansible.builtin.set_fact:
    matrix_client_schildichat_url_endpoint_public: "{{ matrix_client_schildichat_scheme }}://{{ matrix_client_schildichat_hostname }}/config.json"
 - name: Check SchildiChat Web
  ansible.builtin.uri:
    url: "{{ matrix_client_schildichat_url_endpoint_public }}"
--- a/roles/custom/matrix-client-schildichat/vars/main.yml
+++ b/roles/custom/matrix-client-schildichat/vars/main.yml
@@ -5,5 +5,3 @@
 ---
 matrix_client_schildichat_embedded_pages_home_url: "{{ ('' if matrix_client_schildichat_embedded_pages_home_path is none else 'home.html') }}"
 matrix_client_schildichat_url_endpoint_public: "{{ matrix_client_schildichat_scheme }}://{{ matrix_client_schildichat_hostname }}{{ matrix_client_schildichat_path_prefix }}{% if matrix_client_schildichat_path_prefix != '/' %}/{% endif %}config.json"
--- a/roles/custom/matrix-conduit/defaults/main.yml
+++ b/roles/custom/matrix-conduit/defaults/main.yml
@@ -154,13 +154,3 @@ matrix_conduit_turn_uris: []
 matrix_conduit_turn_secret: ''
 matrix_conduit_turn_username: ''
 matrix_conduit_turn_password: ''
 # matrix_conduit_restart_necessary controls whether the service
 # will be restarted (when true) or merely started (when false) by the
 # systemd service manager role (when conditional restart is enabled).
 #
 # This value is automatically computed during installation based on whether
 # any configuration files, the systemd service file, or the container image changed.
 # The default of `false` means "no restart needed" — appropriate when the role's
 # installation tasks haven't run (e.g., due to --tags skipping them).
 matrix_conduit_restart_necessary: false
--- a/roles/custom/matrix-conduit/tasks/setup_install.yml
+++ b/roles/custom/matrix-conduit/tasks/setup_install.yml
@@ -31,7 +31,6 @@
    mode: '0644'
    owner: "{{ matrix_user_name }}"
    group: "{{ matrix_group_name }}"
  register: matrix_conduit_config_result
 - name: Ensure Conduit support files installed
  ansible.builtin.template:
@@ -42,7 +41,6 @@
    group: "{{ matrix_group_name }}"
  with_items:
    - labels
  register: matrix_conduit_support_files_result
 - name: Ensure Conduit container network is created
  community.general.docker_network:
@@ -57,24 +55,13 @@
    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
    force_source: "{{ matrix_conduit_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_conduit_container_image_force_pull }}"
-  register: matrix_conduit_container_image_pull_result
+  register: result
  retries: "{{ devture_playbook_help_container_retries_count }}"
  delay: "{{ devture_playbook_help_container_retries_delay }}"
-  until: matrix_conduit_container_image_pull_result is not failed
+  until: result is not failed
 - name: Ensure matrix-conduit.service installed
  ansible.builtin.template:
    src: "{{ role_path }}/templates/systemd/matrix-conduit.service.j2"
    dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-conduit.service"
    mode: '0644'
  register: matrix_conduit_systemd_service_result
 - name: Determine whether Conduit needs a restart
  ansible.builtin.set_fact:
    matrix_conduit_restart_necessary: >-
      {{
        matrix_conduit_config_result.changed | default(false)
        or matrix_conduit_support_files_result.changed | default(false)
        or matrix_conduit_systemd_service_result.changed | default(false)
        or matrix_conduit_container_image_pull_result.changed | default(false)
      }}
--- a/roles/custom/matrix-continuwuity/defaults/main.yml
+++ b/roles/custom/matrix-continuwuity/defaults/main.yml
@@ -13,7 +13,7 @@ matrix_continuwuity_enabled: true
 matrix_continuwuity_hostname: ''
 # renovate: datasource=docker depName=forgejo.ellis.link/continuwuation/continuwuity
-matrix_continuwuity_version: v0.5.6
+matrix_continuwuity_version: v0.5.5
 matrix_continuwuity_container_image: "{{ matrix_continuwuity_container_image_registry_prefix }}/continuwuation/continuwuity:{{ matrix_continuwuity_container_image_tag }}"
 matrix_continuwuity_container_image_tag: "{{ matrix_continuwuity_version }}"
@@ -165,8 +165,8 @@ matrix_continuwuity_config_registration_token: ''
 # Upstream defaults this to "🏳️‍⚧️", but we keep this consistent across all homeserver implementations and do not enable a suffix.
 matrix_continuwuity_config_new_user_displayname_suffix: ""
-# Controls the `allow_announcements_check` setting.
+# Controls the `allow_check_for_updates` setting.
-matrix_continuwuity_config_allow_announcements_check: true
+matrix_continuwuity_config_allow_check_for_updates: false
 # Controls the `emergency_password` setting.
 matrix_continuwuity_config_emergency_password: ''
@@ -188,29 +188,6 @@ matrix_continuwuity_config_turn_password: ''
 # Controls whether the self-check feature should validate SSL certificates.
 matrix_continuwuity_self_check_validate_certificates: true
 # If set, registration will require Google ReCAPTCHA verification.
 matrix_continuwuity_config_recaptcha_site_key: ''
 matrix_continuwuity_config_recaptcha_private_site_key: ''
 # Controls whether encrypted rooms and events are allowed.
 matrix_continuwuity_config_allow_encryption: true
 # Controls whether standard users can create new rooms.
 # Appservices and admins are always allowed to create new rooms.
 matrix_continuwuity_config_allow_room_creation: true
 # List/vector of room IDs or room aliases that continuwuity will make
 # newly registered users join. The rooms specified must be rooms that you
 # have joined at least once on the server, and must be public.
 #
 # example: ["#continuwuity:continuwuity.org",
 # "!main-1:continuwuity.org"]
 #
 matrix_continuwuity_config_auto_join_rooms: []
 # Forces users to always forget rooms they have left (MSC4267).
 matrix_continuwuity_config_forget_forced_upon_leave: false
 # Controls server (de)federation settings.
 matrix_continuwuity_config_allow_federation: true
 matrix_continuwuity_config_allowed_remote_server_names: []
@@ -219,39 +196,9 @@ matrix_continuwuity_config_forbidden_remote_room_directory_server_names: []
 matrix_continuwuity_config_prevent_media_downloads_from: []
 matrix_continuwuity_config_ignore_messages_from_server_names: []
 # Allow outgoing presence updates/requests.
 #
 # Note that outgoing presence is very heavy on the CPU and network, and
 # will typically cause extreme strain and slowdowns for no real benefit.
 # There are only a few clients that even implement presence, so you
 # probably don't want to enable this.
 matrix_continuwuity_config_allow_outgoing_presence: false
 # Controls MatrixRTC foci served via `/_matrix/client/v1/rtc/transports`
 # and `/_matrix/client/unstable/org.matrix.msc4143/rtc/transports` (MSC4143)
 matrix_continuwuity_config_rtc_foci: "{{ matrix_continuwuity_config_rtc_foci_auto + matrix_continuwuity_config_rtc_foci_custom }}"
 matrix_continuwuity_config_rtc_foci_auto: |-
  {{
    (
      [{'type': 'livekit', 'livekit_service_url': matrix_continuwuity_config_rtc_foci_livekit_url}] if matrix_continuwuity_config_rtc_foci_livekit_url != '' else []
    )
  }}
 matrix_continuwuity_config_rtc_foci_custom: []
 # Controls MatrixRTC Livekit URL auto-added to `matrix_continuwuity_config_rtc_foci`.
 #
 # This is set automatically if you are using the playbook MatrixRTC stack.
 matrix_continuwuity_config_rtc_foci_livekit_url: ''
 # Controls the `url_preview_domain_contains_allowlist` setting.
 matrix_continuwuity_config_url_preview_domain_contains_allowlist: []
 # Controls the `url_preview_domain_explicit_allowlist` setting.
 matrix_continuwuity_config_url_preview_domain_explicit_allowlist: []
 # Controls the `url_preview_check_root_domain` setting.
 matrix_continuwuity_config_url_preview_check_root_domain: false
 # Additional environment variables to pass to the container.
 #
 # Environment variables take priority over settings in the configuration file.
@@ -261,13 +208,3 @@ matrix_continuwuity_config_url_preview_check_root_domain: false
 #   CONTINUWUITY_MAX_REQUEST_SIZE=50000000
 #   CONTINUWUITY_REQUEST_TIMEOUT=60
 matrix_continuwuity_environment_variables_extension: ''
 # matrix_continuwuity_restart_necessary controls whether the service
 # will be restarted (when true) or merely started (when false) by the
 # systemd service manager role (when conditional restart is enabled).
 #
 # This value is automatically computed during installation based on whether
 # any configuration files, the systemd service file, or the container image changed.
 # The default of `false` means "no restart needed" — appropriate when the role's
 # installation tasks haven't run (e.g., due to --tags skipping them).
 matrix_continuwuity_restart_necessary: false
--- a/roles/custom/matrix-continuwuity/tasks/install.yml
+++ b/roles/custom/matrix-continuwuity/tasks/install.yml
@@ -27,7 +27,6 @@
    mode: '0644'
    owner: "{{ matrix_user_name }}"
    group: "{{ matrix_group_name }}"
  register: matrix_continuwuity_config_result
 - name: Ensure continuwuity support files installed
  ansible.builtin.template:
@@ -39,7 +38,6 @@
  with_items:
    - labels
    - env
  register: matrix_continuwuity_support_files_result
 - name: Ensure continuwuity container network is created
  community.general.docker_network:
@@ -54,24 +52,13 @@
    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
    force_source: "{{ matrix_continuwuity_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_continuwuity_container_image_force_pull }}"
-  register: matrix_continuwuity_container_image_pull_result
+  register: result
  retries: "{{ devture_playbook_help_container_retries_count }}"
  delay: "{{ devture_playbook_help_container_retries_delay }}"
-  until: matrix_continuwuity_container_image_pull_result is not failed
+  until: result is not failed
 - name: Ensure matrix-continuwuity.service installed
  ansible.builtin.template:
    src: "{{ role_path }}/templates/systemd/matrix-continuwuity.service.j2"
    dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-continuwuity.service"
    mode: '0644'
  register: matrix_continuwuity_systemd_service_result
 - name: Determine whether continuwuity needs a restart
  ansible.builtin.set_fact:
    matrix_continuwuity_restart_necessary: >-
      {{
        matrix_continuwuity_config_result.changed | default(false)
        or matrix_continuwuity_support_files_result.changed | default(false)
        or matrix_continuwuity_systemd_service_result.changed | default(false)
        or matrix_continuwuity_container_image_pull_result.changed | default(false)
      }}
--- a/roles/custom/matrix-continuwuity/tasks/validate_config.yml
+++ b/roles/custom/matrix-continuwuity/tasks/validate_config.yml
@@ -22,7 +22,6 @@
  when: "lookup('ansible.builtin.varnames', ('^' + item.old + '$'), wantlist=True) | length > 0"
  with_items:
    - {'old': 'matrix_continuwuity_allowed_remote_server_names', 'new': 'matrix_continuwuity_config_allowed_remote_server_names'}
    - {'old': 'matrix_continuwuity_config_allow_check_for_updates', 'new': 'matrix_continuwuity_config_allow_announcements_check'}
    - {'old': 'matrix_continuwuity_forbidden_remote_room_directory_server_names', 'new': 'matrix_continuwuity_config_forbidden_remote_room_directory_server_names'}
    - {'old': 'matrix_continuwuity_forbidden_remote_server_names', 'new': 'matrix_continuwuity_config_forbidden_remote_server_names'}
    - {'old': 'matrix_continuwuity_ignore_messages_from_server_names', 'new': 'matrix_continuwuity_config_ignore_messages_from_server_names'}
--- a/roles/custom/matrix-continuwuity/templates/continuwuity.toml.j2
+++ b/roles/custom/matrix-continuwuity/templates/continuwuity.toml.j2
@@ -21,8 +21,8 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 # Also see the `[global.well_known]` config section at the very bottom.
 #
 # Examples of delegation:
-# - https://continuwuity.org/.well-known/matrix/server
+# - https://puppygock.gay/.well-known/matrix/server
-# - https://continuwuity.org/.well-known/matrix/client
+# - https://puppygock.gay/.well-known/matrix/client
 #
 # YOU NEED TO EDIT THIS. THIS CANNOT BE CHANGED AFTER WITHOUT A DATABASE
 # WIPE.
@@ -112,7 +112,7 @@ new_user_displayname_suffix = {{ matrix_continuwuity_config_new_user_displayname
 # `https://continuwuity.org/.well-known/continuwuity/announcements` for any new
 # announcements or major updates. This is not an update check endpoint.
 #
-allow_announcements_check = {{ matrix_continuwuity_config_allow_announcements_check | to_json }}
+allow_check_for_updates = {{ matrix_continuwuity_config_allow_check_for_updates | to_json }}
 # Set this to any float value to multiply continuwuity's in-memory LRU
 # caches with such as "auth_chain_cache_capacity".
@@ -283,25 +283,6 @@ max_request_size = {{ matrix_continuwuity_config_max_request_size }}
 #
 #max_fetch_prev_events = 192
 # How many incoming federation transactions the server is willing to be
 # processing at any given time before it becomes overloaded and starts
 # rejecting further transactions until some slots become available.
 #
 # Setting this value too low or too high may result in unstable
 # federation, and setting it too high may cause runaway resource usage.
 #
 #max_concurrent_inbound_transactions = 150
 # Maximum age (in seconds) for cached federation transaction responses.
 # Entries older than this will be removed during cleanup.
 #
 #transaction_id_cache_max_age_secs = 7200 (2 hours)
 # Maximum number of cached federation transaction responses.
 # When the cache exceeds this limit, older entries will be removed.
 #
 #transaction_id_cache_max_entries = 8192
 # Default/base connection timeout (seconds). This is used only by URL
 # previews and update/news endpoint checks.
 #
@@ -339,38 +320,11 @@ max_request_size = {{ matrix_continuwuity_config_max_request_size }}
 #
 #well_known_timeout = 10
 # Federation client connection timeout (seconds). You should not set this
 # to high values, as dead homeservers can significantly slow down
 # federation, specifically key retrieval, which will take roughly the
 # amount of time you configure here given that a homeserver doesn't
 # respond. This will cause most clients to time out /keys/query, causing
 # E2EE and device verification to fail.
 #
 #federation_conn_timeout = 10
 # Federation client request timeout (seconds). You most definitely want
 # this to be high to account for extremely large room joins, slow
 # homeservers, your own resources etc.
 #
-# Joins have 6x the timeout.
+#federation_timeout = 300
 #
 #federation_timeout = 60
 # MSC4284 Policy server request timeout (seconds). Generally policy
 # servers should respond near instantly, however may slow down under
 # load. If a policy server doesn't respond in a short amount of time, the
 # room it is configured in may become unusable if this limit is set too
 # high. 10 seconds is a good default, however dropping this to 3-5 seconds
 # can be acceptable.
 #
 # Please be aware that policy requests are *NOT* currently re-tried, so if
 # a spam check request fails, the event will be assumed to be not spam,
 # which in some cases may result in spam being sent to or received from
 # the room that would typically be prevented.
 #
 # About policy servers: https://matrix.org/blog/2025/04/introducing-policy-servers/
 #
 #policy_server_request_timeout = 10
 # Federation client idle connection pool timeout (seconds).
 #
@@ -403,15 +357,7 @@ max_request_size = {{ matrix_continuwuity_config_max_request_size }}
 #
 #appservice_idle_timeout = 300
-# Notification gateway pusher request connection timeout (seconds).
+# Notification gateway pusher idle connection pool timeout.
 #
 #pusher_conn_timeout = 15
 # Notification gateway pusher total request timeout (seconds).
 #
 #pusher_timeout = 60
 # Notification gateway pusher idle connection pool timeout (seconds).
 #
 #pusher_idle_timeout = 15
@@ -456,11 +402,6 @@ allow_registration = {{ matrix_continuwuity_config_allow_registration | to_json
 # invites, or create/join or otherwise modify rooms.
 # They are effectively read-only.
 #
 # If you want to use this to screen people who register on your server,
 # you should add a room to `auto_join_rooms` that is public, and contains
 # information that new users can read (since they won't be able to DM
 # anyone, or send a message, and may be confused).
 #
 suspend_on_register = {{ matrix_continuwuity_config_suspend_on_register | to_json }}
 # Enabling this setting opens registration to anyone without restrictions.
@@ -490,29 +431,9 @@ registration_token = {{ matrix_continuwuity_config_registration_token | to_json
 #
 #registration_token_file =
 # The public site key for reCaptcha. If this is provided, reCaptcha
 # becomes required during registration. If both captcha *and*
 # registration token are enabled, both will be required during
 # registration.
 #
 # IMPORTANT: "Verify the origin of reCAPTCHA solutions" **MUST** BE
 # DISABLED IF YOU WANT THE CAPTCHA TO WORK IN 3RD PARTY CLIENTS, OR
 # CLIENTS HOSTED ON DOMAINS OTHER THAN YOUR OWN!
 #
 # Registration must be enabled (`allow_registration` must be true) for
 # this to have any effect.
 #
 recaptcha_site_key = {{ matrix_continuwuity_config_recaptcha_site_key | to_json }}
 # The private site key for reCaptcha.
 # If this is omitted, captcha registration will not work,
 # even if `recaptcha_site_key` is set.
 #
 recaptcha_private_site_key = {{ matrix_continuwuity_config_recaptcha_private_site_key | to_json }}
 # Controls whether encrypted rooms and events are allowed.
 #
-allow_encryption = {{ matrix_continuwuity_config_allow_encryption | to_json }}
+#allow_encryption = true
 # Controls whether federation is allowed or not. It is not recommended to
 # disable this after the fact due to potential federation breakage.
@@ -530,7 +451,7 @@ allow_federation = {{ matrix_continuwuity_config_allow_federation | to_json }}
 # Always calls /forget on behalf of the user if leaving a room. This is a
 # part of MSC4267 "Automatically forgetting rooms on leave"
 #
-forget_forced_upon_leave = {{ matrix_continuwuity_config_forget_forced_upon_leave | to_json }}
+#forget_forced_upon_leave = false
 # Set this to true to require authentication on the normally
 # unauthenticated profile retrieval endpoints (GET)
@@ -548,6 +469,12 @@ forget_forced_upon_leave = {{ matrix_continuwuity_config_forget_forced_upon_leav
 #
 #allow_public_room_directory_over_federation = false
 # Set this to true to allow your server's public room directory to be
 # queried without client authentication (access token) through the Client
 # APIs. Set this to false to protect against /publicRooms spiders.
 #
 #allow_public_room_directory_without_auth = false
 # Allow guests/unauthenticated users to access TURN credentials.
 #
 # This is the equivalent of Synapse's `turn_allow_guests` config option.
@@ -589,7 +516,7 @@ forget_forced_upon_leave = {{ matrix_continuwuity_config_forget_forced_upon_leav
 # Allow standard users to create rooms. Appservices and admins are always
 # allowed to create rooms
 #
-allow_room_creation = {{ matrix_continuwuity_config_allow_room_creation | to_json }}
+#allow_room_creation = true
 # Set to false to disable users from joining or creating room versions
 # that aren't officially supported by continuwuity.
@@ -602,32 +529,18 @@ allow_room_creation = {{ matrix_continuwuity_config_allow_room_creation | to_jso
 #allow_unstable_room_versions = true
 # Default room version continuwuity will create rooms with.
 # Note that this has to be a string since the room version is a string
 # rather than an integer. Forgetting the quotes will make the server fail
 # to start!
 #
-# Per spec, room version "11" is the default.
+# Per spec, room version 11 is the default.
 #
-#default_room_version = "11"
+#default_room_version = 11
-# Enable OpenTelemetry OTLP tracing export. This replaces the deprecated
+# This item is undocumented. Please contribute documentation for it.
 # Jaeger exporter. Traces will be sent via OTLP to a collector (such as
 # Jaeger) that supports the OpenTelemetry Protocol.
 #
-# Configure your OTLP endpoint using the OTEL_EXPORTER_OTLP_ENDPOINT
+#allow_jaeger = false
 # environment variable (defaults to http://localhost:4318).
 #
 #allow_otlp = false
-# Filter for OTLP tracing spans. This controls which spans are exported
+# This item is undocumented. Please contribute documentation for it.
 # to the OTLP collector.
 #
-#otlp_filter = "info"
+#jaeger_filter = "info"
 # Protocol to use for OTLP tracing export. Options are "http" or "grpc".
 # The HTTP protocol uses port 4318 by default, while gRPC uses port 4317.
 #
 #otlp_protocol = "http"
 # If the 'perf_measurements' compile-time feature is enabled, enables
 # collecting folded stack trace profile of tracing spans using
@@ -753,21 +666,6 @@ log = {{ matrix_continuwuity_config_log | to_json }}
 #
 #log_thread_ids = false
 # Enable journald logging on Unix platforms
 #
 # When enabled, log output will be sent to the systemd journal
 # This is only supported on Unix platforms
 #
 #log_to_journald = false
 # The syslog identifier to use with journald logging
 #
 # Only used when journald logging is enabled
 #
 # Defaults to the binary name
 #
 #journald_identifier =
 # OpenID token expiration/TTL in seconds.
 #
 # These are the OpenID tokens that are primarily used for Matrix account
@@ -849,7 +747,7 @@ turn_secret = {{ matrix_continuwuity_config_turn_secret | to_json }}
 # example: ["#continuwuity:continuwuity.org",
 # "!main-1:continuwuity.org"]
 #
-auto_join_rooms = {{ matrix_continuwuity_config_auto_join_rooms | to_json }}
+#auto_join_rooms = []
 # Config option to automatically deactivate the account of any user who
 # attempts to join a:
@@ -1062,6 +960,14 @@ auto_join_rooms = {{ matrix_continuwuity_config_auto_join_rooms | to_json }}
 #
 #rocksdb_repair = false
 # This item is undocumented. Please contribute documentation for it.
 #
 #rocksdb_read_only = false
 # This item is undocumented. Please contribute documentation for it.
 #
 #rocksdb_secondary = false
 # Enables idle CPU priority for compaction thread. This is not enabled by
 # default to prevent compaction from falling too far behind on busy
 # systems.
@@ -1120,34 +1026,27 @@ emergency_password = {{ matrix_continuwuity_config_emergency_password | to_json
 # Allow local (your server only) presence updates/requests.
 #
-# Local presence must be enabled for outgoing presence to function.
+# Note that presence on continuwuity is very fast unlike Synapse's. If
-#
+# using outgoing presence, this MUST be enabled.
 # Note that local presence is not as heavy on the CPU as federated
 # presence, but will still become more expensive the more local users you
 # have.
 #
 #allow_local_presence = true
-# Allow incoming federated presence updates.
+# Allow incoming federated presence updates/requests.
 #
-# This option enables processing inbound presence updates from other
+# This option receives presence updates from other servers, but does not
-# servers. Without it, remote users will appear as if they are always
+# send any unless `allow_outgoing_presence` is true. Note that presence on
-# offline to your local users. This does not affect typing indicators or
+# continuwuity is very fast unlike Synapse's.
 # read receipts.
 #
 #allow_incoming_presence = true
 # Allow outgoing presence updates/requests.
 #
-# This option sends presence updates to other servers, and requires that
+# This option sends presence updates to other servers, but does not
-# `allow_local_presence` is also enabled.
+# receive any unless `allow_incoming_presence` is true. Note that presence
 # on continuwuity is very fast unlike Synapse's. If using outgoing
 # presence, you MUST enable `allow_local_presence` as well.
 #
-# Note that outgoing presence is very heavy on the CPU and network, and
+#allow_outgoing_presence = true
 # will typically cause extreme strain and slowdowns for no real benefit.
 # There are only a few clients that even implement presence, so you
 # probably don't want to enable this.
 #
 allow_outgoing_presence = {{ matrix_continuwuity_config_allow_outgoing_presence | to_json }}
 # How many seconds without presence updates before you become idle.
 # Defaults to 5 minutes.
@@ -1168,38 +1067,16 @@ allow_outgoing_presence = {{ matrix_continuwuity_config_allow_outgoing_presence
 #
 #presence_timeout_remote_users = true
 # Allow local read receipts.
 #
 # Disabling this will effectively also disable outgoing federated read
 # receipts.
 #
 #allow_local_read_receipts = true
 # Allow receiving incoming read receipts from remote servers.
 #
 #allow_incoming_read_receipts = true
 # Allow sending read receipts to remote servers.
 #
 # Note that sending read receipts to remote servers in large rooms with
 # lots of other homeservers may cause additional strain on the CPU and
 # network.
 #
 #allow_outgoing_read_receipts = true
 # Allow local typing updates.
 #
 # Disabling this will effectively also disable outgoing federated typing
 # updates.
 #
 #allow_local_typing = true
 # Allow outgoing typing updates to federation.
 #
 # Note that sending typing indicators to remote servers in large rooms
 # with lots of other homeservers may cause additional strain on the CPU
 # and network.
 #
 #allow_outgoing_typing = true
 # Allow incoming typing updates from federation.
@@ -1333,7 +1210,7 @@ allow_outgoing_presence = {{ matrix_continuwuity_config_allow_outgoing_presence
 # sender user's server name, inbound federation X-Matrix origin, and
 # outbound federation handler.
 #
-# You can set this to [".*"] to block all servers by default, and then
+# You can set this to ["*"] to block all servers by default, and then
 # use `allowed_remote_server_names` to allow only specific servers.
 #
 # example: ["badserver\\.tld$", "badphrase", "19dollarfortnitecards"]
@@ -1442,7 +1319,7 @@ url_preview_domain_contains_allowlist = {{ matrix_continuwuity_config_url_previe
 # attack surface to your server, you are expected to be aware of the risks
 # by doing so.
 #
-url_preview_domain_explicit_allowlist = {{ matrix_continuwuity_config_url_preview_domain_explicit_allowlist | to_json }}
+#url_preview_domain_explicit_allowlist = []
 # Vector list of explicit domains not allowed to send requests to for URL
 # previews.
@@ -1471,11 +1348,6 @@ url_preview_domain_explicit_allowlist = {{ matrix_continuwuity_config_url_previe
 #
 #url_preview_max_spider_size = 256000
 # Total request timeout for URL previews (seconds). This includes
 # connection, request, and response body reading time.
 #
 #url_preview_timeout = 120
 # Option to decide whether you would like to run the domain allowlist
 # checks (contains and explicit) on the root domain or not. Does not apply
 # to URL contains allowlist. Defaults to false.
@@ -1487,16 +1359,7 @@ url_preview_domain_explicit_allowlist = {{ matrix_continuwuity_config_url_previe
 # allowlist is still too broad for you but you still want to allow all the
 # subdomains under a root domain.
 #
-url_preview_check_root_domain = {{ matrix_continuwuity_config_url_preview_check_root_domain | to_json }}
+#url_preview_check_root_domain = false
 # User agent that is used specifically when fetching url previews.
 #
 #url_preview_user_agent = "continuwuity/<version> (bot; +https://continuwuity.org)"
 # Determines whether audio and video files will be downloaded for URL
 # previews.
 #
 #url_preview_allow_audio_video = false
 # List of forbidden room aliases and room IDs as strings of regex
 # patterns.
@@ -1550,25 +1413,12 @@ url_preview_check_root_domain = {{ matrix_continuwuity_config_url_preview_check_
 #
 #block_non_admin_invites = false
 # Enable or disable making requests to MSC4284 Policy Servers.
 # It is recommended you keep this enabled unless you experience frequent
 # connectivity issues, such as in a restricted networking environment.
 #
 #enable_msc4284_policy_servers = true
 # Enable running locally generated events through configured MSC4284
 # policy servers. You may wish to disable this if your server is
 # single-user for a slight speed benefit in some rooms, but otherwise
 # should leave it enabled.
 #
 #policy_server_check_own_events = true
 # Allow admins to enter commands in rooms other than "#admins" (admin
 # room) by prefixing your message with "\!admin" or "\\!admin" followed up
 # a normal continuwuity admin command. The reply will be publicly visible
 # to the room, originating from the sender.
 #
-# example: \\!admin debug ping continuwuity.org
+# example: \\!admin debug ping puppygock.gay
 #
 #admin_escape_commands = true
@@ -1586,8 +1436,7 @@ url_preview_check_root_domain = {{ matrix_continuwuity_config_url_preview_check_
 # For example: `./continuwuity --execute "server admin-notice continuwuity
 # has started up at $(date)"`
 #
-# example: admin_execute = ["debug ping continuwuity.org", "debug echo
+# example: admin_execute = ["debug ping puppygock.gay", "debug echo hi"]`
 # hi"]`
 #
 #admin_execute = []
@@ -1620,18 +1469,6 @@ url_preview_check_root_domain = {{ matrix_continuwuity_config_url_preview_check_
 #
 #admin_room_tag = "m.server_notice"
 # A list of Matrix IDs that are qualified as server admins.
 #
 # Any Matrix IDs within this list are regarded as an admin
 # regardless of whether they are in the admin room or not
 #
 #admins_list = []
 # Defines whether those within the admin room are added to the
 # admins_list.
 #
 #admins_from_room = true
 # Sentry.io crash/panic reporting, performance monitoring/metrics, etc.
 # This is NOT enabled by default.
 #
@@ -1783,11 +1620,6 @@ url_preview_check_root_domain = {{ matrix_continuwuity_config_url_preview_check_
 #
 #config_reload_signal = true
 # Allow search engines and crawlers to index Continuwuity's built-in
 # webpages served under the `/_continuwuity/` prefix.
 #
 #allow_web_indexing = false
 [global.tls]
 # Path to a valid TLS certificate file.
@@ -1866,152 +1698,3 @@ url_preview_check_root_domain = {{ matrix_continuwuity_config_url_preview_check_
 # is 33.55MB. Setting it to 0 disables blurhashing.
 #
 #blurhash_max_raw_size = 33554432
 [global.matrix_rtc]
 # A list of MatrixRTC foci (transports) which will be served via the
 # MSC4143 RTC transports endpoint at
 # `/_matrix/client/v1/rtc/transports`. If you're setting up livekit,
 # you'd want something like:
 # ```toml
 # [global.matrix_rtc]
 # foci = [
 #     { type = "livekit", livekit_service_url = "https://livekit.example.com" },
 # ]
 # ```
 #
 # To disable, set this to an empty list (`[]`).
 #
 foci = [
 {% for focus in matrix_continuwuity_config_rtc_foci %}
  { {% for key, value in focus.items() %}{{ key }} = {{ value | to_json }}{% if not loop.last %}, {% endif %}{% endfor %} }{% if not loop.last %}, {% endif %}
 {% endfor %}
 ]
 [global.ldap]
 # Whether to enable LDAP login.
 #
 # example: "true"
 #
 #enable = false
 # Whether to force LDAP authentication or authorize classical password
 # login.
 #
 # example: "true"
 #
 #ldap_only = false
 # URI of the LDAP server.
 #
 # example: "ldap://ldap.example.com:389"
 #
 #uri = ""
 # Root of the searches.
 #
 # example: "ou=users,dc=example,dc=org"
 #
 #base_dn = ""
 # Bind DN if anonymous search is not enabled.
 #
 # You can use the variable `{username}` that will be replaced by the
 # entered username. In such case, the password used to bind will be the
 # one provided for the login and not the one given by
 # `bind_password_file`. Beware: automatically granting admin rights will
 # not work if you use this direct bind instead of a LDAP search.
 #
 # example: "cn=ldap-reader,dc=example,dc=org" or
 # "cn={username},ou=users,dc=example,dc=org"
 #
 #bind_dn = ""
 # Path to a file on the system that contains the password for the
 # `bind_dn`.
 #
 # The server must be able to access the file, and it must not be empty.
 #
 #bind_password_file = ""
 # Search filter to limit user searches.
 #
 # You can use the variable `{username}` that will be replaced by the
 # entered username for more complex filters.
 #
 # example: "(&(objectClass=person)(memberOf=matrix))"
 #
 #filter = "(objectClass=*)"
 # Attribute to use to uniquely identify the user.
 #
 # example: "uid" or "cn"
 #
 #uid_attribute = "uid"
 # Attribute containing the display name of the user.
 #
 # example: "givenName" or "sn"
 #
 #name_attribute = "givenName"
 # Root of the searches for admin users.
 #
 # Defaults to `base_dn` if empty.
 #
 # example: "ou=admins,dc=example,dc=org"
 #
 #admin_base_dn = ""
 # The LDAP search filter to find administrative users for continuwuity.
 #
 # If left blank, administrative state must be configured manually for each
 # user.
 #
 # You can use the variable `{username}` that will be replaced by the
 # entered username for more complex filters.
 #
 # example: "(objectClass=conduwuitAdmin)" or "(uid={username})"
 #
 #admin_filter = ""
 #[global.antispam]
 #[global.antispam.meowlnir]
 # The base URL on which to contact Meowlnir (before /_meowlnir/antispam).
 #
 # Example: "http://127.0.0.1:29339"
 #
 #base_url =
 # The authentication secret defined in antispam->secret. Required for
 # continuwuity to talk to Meowlnir.
 #
 #secret =
 # The management room for which to send requests
 #
 #management_room =
 # If enabled run all federated join attempts (both federated and local)
 # through the Meowlnir anti-spam checks.
 #
 # By default, only join attempts for rooms with the `fi.mau.spam_checker`
 # restricted join rule are checked.
 #
 #check_all_joins = false
 #[global.antispam.draupnir]
 # The base URL on which to contact Draupnir (before /api/).
 #
 # Example: "http://127.0.0.1:29339"
 #
 #base_url =
 # The authentication secret defined in
 # web->synapseHTTPAntispam->authorization
 #
 #secret =
--- a/roles/custom/matrix-dendrite/defaults/main.yml
+++ b/roles/custom/matrix-dendrite/defaults/main.yml
@@ -361,13 +361,3 @@ matrix_dendrite_media_api_max_thumbnail_generators: 10
 # Controls whether the full-text search engine is enabled
 matrix_dendrite_sync_api_search_enabled: false
 # matrix_dendrite_restart_necessary controls whether the service
 # will be restarted (when true) or merely started (when false) by the
 # systemd service manager role (when conditional restart is enabled).
 #
 # This value is automatically computed during installation based on whether
 # any configuration files, the systemd service file, or the container image changed.
 # The default of `false` means "no restart needed" — appropriate when the role's
 # installation tasks haven't run (e.g., due to --tags skipping them).
 matrix_dendrite_restart_necessary: false
--- a/roles/custom/matrix-dendrite/tasks/setup_install.yml
+++ b/roles/custom/matrix-dendrite/tasks/setup_install.yml
@@ -55,10 +55,10 @@
    force_source: "{{ matrix_dendrite_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_dendrite_container_image_force_pull }}"
  when: "not matrix_dendrite_container_image_self_build | bool"
-  register: matrix_dendrite_container_image_pull_result
+  register: result
  retries: "{{ devture_playbook_help_container_retries_count }}"
  delay: "{{ devture_playbook_help_container_retries_delay }}"
-  until: matrix_dendrite_container_image_pull_result is not failed
+  until: result is not failed
 # We do this so that the signing key would get generated.
 # We don't use the `docker_container` module, because using it with `cap_drop` requires
@@ -89,7 +89,6 @@
    mode: '0644'
    owner: "{{ matrix_user_name }}"
    group: "{{ matrix_group_name }}"
  register: matrix_dendrite_config_result
 - when: "matrix_dendrite_container_image_self_build | bool"
  block:
@@ -140,21 +139,6 @@
    - src: bin/create-account.j2
      dest: "{{ matrix_dendrite_bin_path }}/create-account"
      mode: "0750"
-  register: matrix_dendrite_support_files_result
+    - src: systemd/matrix-dendrite.service.j2
 - name: Ensure matrix-dendrite.service installed
  ansible.builtin.template:
    src: "{{ role_path }}/templates/systemd/matrix-dendrite.service.j2"
      dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-dendrite.service"
-    mode: '0644'
+      mode: "0644"
  register: matrix_dendrite_systemd_service_result
 - name: Determine whether Dendrite needs a restart
  ansible.builtin.set_fact:
    matrix_dendrite_restart_necessary: >-
      {{
        matrix_dendrite_config_result.changed | default(false)
        or matrix_dendrite_support_files_result.changed | default(false)
        or matrix_dendrite_systemd_service_result.changed | default(false)
        or matrix_dendrite_container_image_pull_result.changed | default(false)
      }}
--- a/roles/custom/matrix-element-admin/defaults/main.yml
+++ b/roles/custom/matrix-element-admin/defaults/main.yml
@@ -11,7 +11,7 @@
 matrix_element_admin_enabled: true
 # renovate: datasource=docker depName=oci.element.io/element-admin
-matrix_element_admin_version: 0.1.11
+matrix_element_admin_version: 0.1.10
 matrix_element_admin_scheme: https
--- a/roles/custom/matrix-element-call/defaults/main.yml
+++ b/roles/custom/matrix-element-call/defaults/main.yml
@@ -21,7 +21,7 @@ matrix_element_call_enabled: false
 matrix_rtc_enabled: "{{ matrix_element_call_enabled }}"
 # renovate: datasource=docker depName=ghcr.io/element-hq/element-call
-matrix_element_call_version: v0.18.0
+matrix_element_call_version: v0.17.0
 matrix_element_call_scheme: https
@@ -153,13 +153,3 @@ matrix_element_call_config_default_server_config_m_homeserver_server_name: "{{ m
 # Controls the livekit/livekit_service_url property in the config.json file.
 matrix_element_call_config_livekit_livekit_service_url: ""
 # matrix_element_call_restart_necessary controls whether the service
 # will be restarted (when true) or merely started (when false) by the
 # systemd service manager role (when conditional restart is enabled).
 #
 # This value is automatically computed during installation based on whether
 # any configuration files, the systemd service file, or the container image changed.
 # The default of `false` means "no restart needed" — appropriate when the role's
 # installation tasks haven't run (e.g., due to --tags skipping them).
 matrix_element_call_restart_necessary: false
--- a/roles/custom/matrix-element-call/tasks/install.yml
+++ b/roles/custom/matrix-element-call/tasks/install.yml
@@ -23,7 +23,6 @@
    mode: '0640'
    owner: "{{ matrix_user_name }}"
    group: "{{ matrix_group_name }}"
  register: matrix_element_call_config_result
 - name: Ensure Element Call container labels file is in place
  ansible.builtin.template:
@@ -32,17 +31,16 @@
    mode: '0640'
    owner: "{{ matrix_user_name }}"
    group: "{{ matrix_group_name }}"
  register: matrix_element_call_support_files_result
 - name: Ensure Element Call container image is pulled
  community.docker.docker_image:
    name: "{{ matrix_element_call_container_image }}"
    source: pull
    force_source: "{{ matrix_element_call_container_image_force_pull }}"
-  register: matrix_element_call_container_image_pull_result
+  register: element_call_image_result
  retries: "{{ devture_playbook_help_container_retries_count }}"
  delay: "{{ devture_playbook_help_container_retries_delay }}"
-  until: matrix_element_call_container_image_pull_result is not failed
+  until: element_call_image_result is not failed
 - name: Ensure Element Call container network is created
  community.general.docker_network:
@@ -56,14 +54,3 @@
    src: "{{ role_path }}/templates/systemd/matrix-element-call.service.j2"
    dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-element-call.service"
    mode: '0644'
  register: matrix_element_call_systemd_service_result
 - name: Determine whether Element Call needs a restart
  ansible.builtin.set_fact:
    matrix_element_call_restart_necessary: >-
      {{
        matrix_element_call_config_result.changed | default(false)
        or matrix_element_call_support_files_result.changed | default(false)
        or matrix_element_call_systemd_service_result.changed | default(false)
        or matrix_element_call_container_image_pull_result.changed | default(false)
      }}
--- a/roles/custom/matrix-ldap-registration-proxy/tasks/setup_install.yml
+++ b/roles/custom/matrix-ldap-registration-proxy/tasks/setup_install.yml
@@ -40,7 +40,6 @@
      path: "{{ matrix_ldap_registration_proxy_container_src_files_path }}"
      pull: true
  when: true
  register: matrix_ldap_registration_proxy_container_image_build_result
 - name: Ensure matrix_ldap_registration_proxy config installed
  ansible.builtin.template:
@@ -83,5 +82,4 @@
        matrix_ldap_registration_proxy_config_result.changed | default(false)
        or matrix_ldap_registration_proxy_support_files_result.changed | default(false)
        or matrix_ldap_registration_proxy_systemd_service_result.changed | default(false)
        or matrix_ldap_registration_proxy_container_image_build_result.changed | default(false)
      }}
--- a/roles/custom/matrix-livekit-jwt-service/defaults/main.yml
+++ b/roles/custom/matrix-livekit-jwt-service/defaults/main.yml
@@ -25,7 +25,7 @@ matrix_livekit_jwt_service_container_additional_networks_auto: []
 matrix_livekit_jwt_service_container_additional_networks_custom: []
 # renovate: datasource=docker depName=ghcr.io/element-hq/lk-jwt-service
-matrix_livekit_jwt_service_version: 0.4.2
+matrix_livekit_jwt_service_version: 0.4.1
 matrix_livekit_jwt_service_container_image_self_build: false
 matrix_livekit_jwt_service_container_repo: "https://github.com/element-hq/lk-jwt-service.git"
--- a/roles/custom/matrix-matrixto/tasks/install.yml
+++ b/roles/custom/matrix-matrixto/tasks/install.yml
@@ -45,7 +45,6 @@
      path: "{{ matrix_matrixto_container_image_self_build_src_files_path }}"
      pull: true
      args:
  register: matrix_matrixto_container_image_build_result
 - name: Ensure Matrix.to container network is created via community.docker.docker_network
  when: devture_systemd_docker_base_container_network_creation_method == 'ansible-module'
@@ -80,5 +79,4 @@
      {{
        matrix_matrixto_support_files_result.changed | default(false)
        or matrix_matrixto_systemd_service_result.changed | default(false)
        or matrix_matrixto_container_image_build_result.changed | default(false)
      }}
--- a/roles/custom/matrix-media-repo/defaults/main.yml
+++ b/roles/custom/matrix-media-repo/defaults/main.yml
@@ -939,13 +939,3 @@ matrix_media_repo_pgo_submit_key: "INSERT_VALUE_HERE"
 # Specifies whether the homeserver supports federation
 matrix_media_repo_homeserver_federation_enabled: true
 # matrix_media_repo_restart_necessary controls whether the service
 # will be restarted (when true) or merely started (when false) by the
 # systemd service manager role (when conditional restart is enabled).
 #
 # This value is automatically computed during installation based on whether
 # any configuration files, the systemd service file, or the container image changed.
 # The default of `false` means "no restart needed" — appropriate when the role's
 # installation tasks haven't run (e.g., due to --tags skipping them).
 matrix_media_repo_restart_necessary: false
--- a/roles/custom/matrix-media-repo/tasks/setup_install.yml
+++ b/roles/custom/matrix-media-repo/tasks/setup_install.yml
@@ -35,7 +35,6 @@
  with_items:
    - env
    - labels
  register: matrix_media_repo_support_files_result
 - name: Ensure media-repo configuration installed
  ansible.builtin.template:
@@ -44,7 +43,6 @@
    mode: '0640'
    owner: "{{ matrix_user_name }}"
    group: "{{ matrix_group_name }}"
  register: matrix_media_repo_config_result
 - name: Ensure media-repo Docker image is pulled
  community.docker.docker_image:
@@ -53,10 +51,10 @@
    force_source: "{{ matrix_media_repo_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_media_repo_container_image_force_pull }}"
  when: "not matrix_media_repo_container_image_self_build | bool"
-  register: matrix_media_repo_container_image_pull_result
+  register: result
  retries: "{{ devture_playbook_help_container_retries_count }}"
  delay: "{{ devture_playbook_help_container_retries_delay }}"
-  until: matrix_media_repo_container_image_pull_result is not failed
+  until: result is not failed
 - when: "matrix_media_repo_container_image_self_build | bool"
  block:
@@ -155,14 +153,3 @@
    src: "{{ role_path }}/templates/media-repo/systemd/matrix-media-repo.service.j2"
    dest: "{{ devture_systemd_docker_base_systemd_path }}/{{ matrix_media_repo_identifier }}.service"
    mode: '0640'
  register: matrix_media_repo_systemd_service_result
 - name: Determine whether media-repo needs a restart
  ansible.builtin.set_fact:
    matrix_media_repo_restart_necessary: >-
      {{
        matrix_media_repo_config_result.changed | default(false)
        or matrix_media_repo_support_files_result.changed | default(false)
        or matrix_media_repo_systemd_service_result.changed | default(false)
        or matrix_media_repo_container_image_pull_result.changed | default(false)
      }}
--- a/roles/custom/matrix-static-files/defaults/main.yml
+++ b/roles/custom/matrix-static-files/defaults/main.yml
@@ -13,7 +13,7 @@ matrix_static_files_enabled: true
 matrix_static_files_identifier: matrix-static-files
 # renovate: datasource=docker depName=joseluisq/static-web-server
-matrix_static_files_version: 2.42.0
+matrix_static_files_version: 2.41.0
 matrix_static_files_base_path: "{{ matrix_base_data_path }}/{{ 'static-files' if matrix_static_files_identifier == 'matrix-static-files' else matrix_static_files_identifier }}"
 matrix_static_files_config_path: "{{ matrix_static_files_base_path }}/config"
--- a/roles/custom/matrix-synapse-admin/defaults/main.yml
+++ b/roles/custom/matrix-synapse-admin/defaults/main.yml
@@ -28,7 +28,7 @@ matrix_synapse_admin_container_image_self_build: false
 matrix_synapse_admin_container_image_self_build_repo: "https://github.com/etkecc/synapse-admin.git"
 # renovate: datasource=docker depName=ghcr.io/etkecc/synapse-admin
-matrix_synapse_admin_version: v0.11.4-etke54
+matrix_synapse_admin_version: v0.11.1-etke53
 matrix_synapse_admin_container_image: "{{ matrix_synapse_admin_container_image_registry_prefix }}etkecc/synapse-admin:{{ matrix_synapse_admin_version }}"
 matrix_synapse_admin_container_image_registry_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_image_self_build else matrix_synapse_admin_container_image_registry_prefix_upstream }}"
 matrix_synapse_admin_container_image_registry_prefix_upstream: "{{ matrix_synapse_admin_container_image_registry_prefix_upstream_default }}"
--- a/roles/custom/matrix-synapse-admin/tasks/validate_config.yml
+++ b/roles/custom/matrix-synapse-admin/tasks/validate_config.yml
@@ -6,16 +6,6 @@
 ---
 - name: Fail if matrix-synapse-admin is enabled for a non-Synapse homeserver
  ansible.builtin.fail:
    msg: >-
      matrix-synapse-admin can only be used with the Synapse homeserver implementation.
      Your configuration has `matrix_synapse_admin_enabled: true`, but `matrix_homeserver_implementation` is set to `{{ matrix_homeserver_implementation }}`.
      Disable matrix-synapse-admin or switch to Synapse.
  when:
    - matrix_synapse_admin_enabled | bool
    - matrix_homeserver_implementation != 'synapse'
 - name: (Deprecation) Catch and report renamed matrix-synapse-admin settings
  ansible.builtin.fail:
    msg: >-
--- a/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml
+++ b/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml
@@ -0,0 +1,373 @@
 # SPDX-FileCopyrightText: 2022 - 2024 Slavi Pantaleev
 # SPDX-FileCopyrightText: 2023 - 2024 Nikita Chernyi
 # SPDX-FileCopyrightText: 2023 Dan Arnfield
 # SPDX-FileCopyrightText: 2023 Samuel Meenzen
 # SPDX-FileCopyrightText: 2024 Charles Wright
 # SPDX-FileCopyrightText: 2024 David Mehren
 # SPDX-FileCopyrightText: 2024 Michael Hollister
 # SPDX-FileCopyrightText: 2024 - 2025 Catalan Lover <catalanlover@protonmail.com>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 ---
 # matrix-synapse-reverse-proxy-companion is a role which brings up a containerized nginx webserver which helps with reverse-proxying to Synapse when workers are enabled.
 #
 # When Synapse is NOT running in worker-mode, reverse-proxying is relatively simple (everything goes to `matrix-synapse:XXXX`).
 # In such cases, using this reverse-proxy companion is possible, but unnecessary - it's one more service in the stack, which also impacts performance a bit.
 #
 # When Synapse workers are enabled, however, the reverse-proxying configuration is much more complicated - certain requests need to go to certain workers, etc.
 # matrix-synapse-reverse-proxy-companion is the central place services that need to reach Synapse could be pointed to.
 #
 # Project source code URL: https://github.com/nginx/nginx
 matrix_synapse_reverse_proxy_companion_enabled: true
 # renovate: datasource=docker depName=nginx
 matrix_synapse_reverse_proxy_companion_version: 1.29.5-alpine
 matrix_synapse_reverse_proxy_companion_base_path: "{{ matrix_synapse_base_path }}/reverse-proxy-companion"
 matrix_synapse_reverse_proxy_companion_confd_path: "{{ matrix_synapse_reverse_proxy_companion_base_path }}/conf.d"
 matrix_synapse_reverse_proxy_companion_njs_path: "{{ matrix_synapse_reverse_proxy_companion_base_path }}/njs"
 # List of systemd services that matrix-synapse-reverse-proxy-companion.service depends on
 matrix_synapse_reverse_proxy_companion_systemd_required_services_list: "{{ matrix_synapse_reverse_proxy_companion_systemd_required_services_list_default + matrix_synapse_reverse_proxy_companion_systemd_required_services_list_auto + matrix_synapse_reverse_proxy_companion_systemd_required_services_list_custom }}"
 matrix_synapse_reverse_proxy_companion_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
 matrix_synapse_reverse_proxy_companion_systemd_required_services_list_auto: []
 matrix_synapse_reverse_proxy_companion_systemd_required_services_list_custom: []
 # List of systemd services that matrix-synapse-reverse-proxy-companion.service wants
 matrix_synapse_reverse_proxy_companion_systemd_wanted_services_list: ['matrix-synapse.service']
 # We use an official nginx image, which we fix-up to run unprivileged.
 # An alternative would be an `nginxinc/nginx-unprivileged` image, but
 # that is frequently out of date.
 matrix_synapse_reverse_proxy_companion_container_image: "{{ matrix_synapse_reverse_proxy_companion_container_image_registry_prefix }}nginx:{{ matrix_synapse_reverse_proxy_companion_container_image_tag }}"
 matrix_synapse_reverse_proxy_companion_container_image_registry_prefix: "{{ matrix_synapse_reverse_proxy_companion_container_image_registry_prefix_upstream }}"
 matrix_synapse_reverse_proxy_companion_container_image_registry_prefix_upstream: "{{ matrix_synapse_reverse_proxy_companion_container_image_registry_prefix_upstream_default }}"
 matrix_synapse_reverse_proxy_companion_container_image_registry_prefix_upstream_default: "docker.io/"
 matrix_synapse_reverse_proxy_companion_container_image_tag: "{{ matrix_synapse_reverse_proxy_companion_version }}"
 matrix_synapse_reverse_proxy_companion_container_image_force_pull: "{{ matrix_synapse_reverse_proxy_companion_container_image.endswith(':latest') }}"
 matrix_synapse_reverse_proxy_companion_container_network: ""
 # A list of additional container networks that matrix-synapse-reverse-proxy-companion would be connected to.
 # The playbook does not create these networks, so make sure they already exist.
 matrix_synapse_reverse_proxy_companion_container_additional_networks: "{{ matrix_synapse_reverse_proxy_companion_container_additional_networks_auto + matrix_synapse_reverse_proxy_companion_container_additional_networks_custom }}"
 matrix_synapse_reverse_proxy_companion_container_additional_networks_auto: []
 matrix_synapse_reverse_proxy_companion_container_additional_networks_custom: []
 # Controls whether the matrix-synapse-reverse-proxy-companion container exposes its HTTP Client-Server API port (tcp/8008 in the container).
 #
 # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8008"), or empty string to not expose.
 matrix_synapse_reverse_proxy_companion_container_client_api_host_bind_port: ''
 # Controls whether the matrix-synapse-reverse-proxy-companion container exposes its HTTP Federation (Server-Server) API port (tcp/8048 in the container).
 #
 # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8048"), or empty string to not expose.
 matrix_synapse_reverse_proxy_companion_container_federation_api_host_bind_port: ''
 # matrix_synapse_reverse_proxy_companion_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
 # See `../templates/labels.j2` for details.
 #
 # To inject your own other container labels, see `matrix_synapse_reverse_proxy_companion_container_labels_additional_labels`.
 matrix_synapse_reverse_proxy_companion_container_labels_traefik_enabled: true
 matrix_synapse_reverse_proxy_companion_container_labels_traefik_docker_network: "{{ matrix_synapse_reverse_proxy_companion_container_network }}"
 matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints: web-secure
 matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver: default  # noqa var-naming
 matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname: ''
 # Controls whether a compression middleware will be injected into the middlewares list.
 # This compression middleware is supposed to be defined elsewhere (using labels or a File provider, etc.) and is merely referenced by this router.
 matrix_synapse_reverse_proxy_companion_container_labels_traefik_compression_middleware_enabled: false
 matrix_synapse_reverse_proxy_companion_container_labels_traefik_compression_middleware_name: ""
 # Controls whether labels will be added that expose the Client-Server API on a public Traefik entrypoint.
 matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_enabled: true
 matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_hostname: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname }}"
 matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_path_prefix: /_matrix
 matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_rule: "Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_path_prefix }}`)"
 matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_priority: 0
 matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_entrypoints: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints }}"
 matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_tls: "{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_entrypoints != 'web' }}"
 matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}"  # noqa var-naming
 # Controls whether labels will be added that expose the Client-Server API on the internal Traefik entrypoint.
 # This is similar to `matrix_synapse_container_labels_public_client_api_enabled`, but the entrypoint and intent is different.
 matrix_synapse_reverse_proxy_companion_container_labels_internal_client_api_enabled: false
 matrix_synapse_reverse_proxy_companion_container_labels_internal_client_api_traefik_path_prefix: "{{ matrix_synapse_container_labels_public_client_api_traefik_path_prefix }}"
 matrix_synapse_reverse_proxy_companion_container_labels_internal_client_api_traefik_rule: "PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_internal_client_api_traefik_path_prefix }}`)"
 matrix_synapse_reverse_proxy_companion_container_labels_internal_client_api_traefik_priority: "{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_priority }}"
 matrix_synapse_reverse_proxy_companion_container_labels_internal_client_api_traefik_entrypoints: ""
 # Controls whether labels will be added that expose the /_synapse/client paths
 matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_enabled: true
 matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_hostname: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname }}"
 matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_path_prefix: /_synapse/client
 matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_rule: "Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_path_prefix }}`)"
 matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_priority: 0
 matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_entrypoints: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints }}"
 matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_tls: "{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_entrypoints != 'web' }}"
 matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}"  # noqa var-naming
 # Controls whether labels will be added that expose the /_synapse/admin paths
 # Following these recommendations (https://github.com/element-hq/synapse/blob/master/docs/reverse_proxy.md), by default, we don't.
 matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_enabled: false
 matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_hostname: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname }}"
 matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_path_prefix: /_synapse/admin
 matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_rule: "Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_path_prefix }}`)"
 matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_priority: 0
 matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_entrypoints: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints }}"
 matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_tls: "{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_entrypoints != 'web' }}"
 matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}"  # noqa var-naming
 # Controls whether labels will be added that expose the /_synapse/admin paths on the internal Traefik entrypoint.
 # This is similar to `matrix_synapse_container_labels_public_client_api_enabled`, but the entrypoint and intent is different.
 matrix_synapse_reverse_proxy_companion_container_labels_internal_client_synapse_admin_api_enabled: false
 matrix_synapse_reverse_proxy_companion_container_labels_internal_client_synapse_admin_api_traefik_path_prefix: "{{ matrix_synapse_container_labels_internal_client_synapse_admin_api_traefik_path_prefix }}"
 matrix_synapse_reverse_proxy_companion_container_labels_internal_client_synapse_admin_api_traefik_rule: "PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_internal_client_synapse_admin_api_traefik_path_prefix }}`)"
 matrix_synapse_reverse_proxy_companion_container_labels_internal_client_synapse_admin_api_traefik_priority: 0
 matrix_synapse_reverse_proxy_companion_container_labels_internal_client_synapse_admin_api_traefik_entrypoints: ""
 # Controls whether labels will be added that expose the Server-Server API (Federation API).
 matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_enabled: "{{ matrix_synapse_reverse_proxy_companion_federation_api_enabled }}"
 matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_hostname: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname }}"
 matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_path_prefix: /_matrix
 matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_rule: "Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_path_prefix }}`)"
 matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_priority: 0
 matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_entrypoints: ''
 # TLS is force-enabled here, because the spec (https://spec.matrix.org/v1.9/server-server-api/#tls) says that the federation API must use HTTPS.
 matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_tls: true
 matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}"  # noqa var-naming
 # matrix_synapse_reverse_proxy_companion_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
 # See `../templates/labels.j2` for details.
 #
 # Example:
 # matrix_synapse_reverse_proxy_companion_container_labels_additional_labels: |
 #   my.label=1
 #   another.label="here"
 matrix_synapse_reverse_proxy_companion_container_labels_additional_labels: ''
 # A list of extra arguments to pass to the container
 # Also see `matrix_synapse_reverse_proxy_companion_container_arguments`
 matrix_synapse_reverse_proxy_companion_container_extra_arguments: []
 # matrix_synapse_reverse_proxy_companion_container_extra_arguments_auto is a list of extra arguments to pass to the container.
 # This list is managed by the playbook. You're not meant to override this variable.
 # If you'd like to inject your own arguments, see `matrix_synapse_reverse_proxy_companion_container_extra_arguments`.
 matrix_synapse_reverse_proxy_companion_container_extra_arguments_auto: []
 # matrix_synapse_reverse_proxy_companion_container_arguments holds the final list of extra arguments to pass to the container.
 # You're not meant to override this variable.
 # If you'd like to inject your own arguments, see `matrix_synapse_reverse_proxy_companion_container_extra_arguments`.
 matrix_synapse_reverse_proxy_companion_container_arguments: "{{ matrix_synapse_reverse_proxy_companion_container_extra_arguments + matrix_synapse_reverse_proxy_companion_container_extra_arguments_auto }}"
 # The amount of worker processes and connections
 # Consider increasing these when you are expecting high amounts of traffic
 # http://nginx.org/en/docs/ngx_core_module.html#worker_connections
 matrix_synapse_reverse_proxy_companion_worker_processes: auto
 matrix_synapse_reverse_proxy_companion_worker_connections: 1024
 # Option to disable the access log
 matrix_synapse_reverse_proxy_companion_access_log_enabled: true
 # Controls whether to send access logs to a remote syslog-compatible server
 matrix_synapse_reverse_proxy_companion_access_log_syslog_integration_enabled: false
 matrix_synapse_reverse_proxy_companion_access_log_syslog_integration_server_port: ''
 # This is intentionally different. The maximum allowed length is 32 characters and dashes are not allowed.
 matrix_synapse_reverse_proxy_companion_access_log_syslog_integration_tag: matrix_synapse_rev_proxy_comp
 # The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads.
 matrix_synapse_reverse_proxy_companion_tmp_directory_size_mb: "{{ (matrix_synapse_reverse_proxy_companion_federation_api_client_max_body_size_mb | int) * 50 }}"
 matrix_synapse_reverse_proxy_companion_tmp_cache_directory_size_mb: "{{ (matrix_synapse_reverse_proxy_companion_synapse_cache_max_size_mb | int) * 2 }}"
 # A list of strings containing additional configuration blocks to add to the nginx server configuration (nginx.conf).
 # for big matrixservers to enlarge the number of open files to prevent timeouts
 # matrix_synapse_reverse_proxy_companion_additional_configuration_blocks:
 #  - 'worker_rlimit_nofile 30000;'
 matrix_synapse_reverse_proxy_companion_additional_configuration_blocks: []
 # A list of strings containing additional configuration blocks to add to the nginx event server configuration (nginx.conf).
 matrix_synapse_reverse_proxy_companion_event_additional_configuration_blocks: []
 # A list of strings containing additional configuration blocks to add to the nginx http's server configuration (nginx-http.conf).
 matrix_synapse_reverse_proxy_companion_http_additional_server_configuration_blocks: []
 # To increase request timeout in NGINX using proxy_read_timeout, proxy_connect_timeout, proxy_send_timeout, send_timeout directives
 # Nginx Default: proxy_connect_timeout 60s;   #Defines a timeout for establishing a connection with a proxied server
 # Nginx Default: proxy_send_timeout 60s;      #Sets a timeout for transmitting a request to the proxied server.
 # Nginx Default: proxy_read_timeout 60s;      #Defines a timeout for reading a response from the proxied server.
 # Nginx Default: send_timeout 60s;            #Sets a timeout for transmitting a response to the client.
 #
 # For more information visit:
 # http://nginx.org/en/docs/http/ngx_http_proxy_module.html
 # http://nginx.org/en/docs/http/ngx_http_core_module.html#send_timeout
 # https://www.nginx.com/resources/wiki/start/topics/examples/fullexample2/
 #
 # Here we are sticking with nginx default values change this value carefully.
 matrix_synapse_reverse_proxy_companion_proxy_connect_timeout: 60
 matrix_synapse_reverse_proxy_companion_proxy_send_timeout: 60
 matrix_synapse_reverse_proxy_companion_proxy_read_timeout: 60
 matrix_synapse_reverse_proxy_companion_send_timeout: 60
 # For OCSP purposes, we need to define a resolver at the `server{}` level or `http{}` level (we do the latter).
 #
 # Otherwise, we get warnings like this:
 # > [warn] 22#22: no resolver defined to resolve r3.o.lencr.org while requesting certificate status, responder: r3.o.lencr.org, certificate: "/matrix/ssl/config/live/…/fullchain.pem"
 #
 # We point it to the internal Docker resolver, which likely delegates to nameservers defined in `/etc/resolv.conf`.
 matrix_synapse_reverse_proxy_companion_http_level_resolver: 127.0.0.11
 matrix_synapse_reverse_proxy_companion_hostname: "matrix-synapse-reverse-proxy-companion"
 # matrix_synapse_reverse_proxy_companion_client_api_addr specifies the address where the Client-Server API is
 matrix_synapse_reverse_proxy_companion_client_api_addr: 'matrix-synapse:{{ matrix_synapse_container_client_api_port }}'
 # The maximum body size for client requests to any of the endpoints on the Client-Server API.
 # This needs to be equal or higher than the maximum upload size accepted by Synapse.
 matrix_synapse_reverse_proxy_companion_client_api_client_max_body_size_mb: 100
 # The buffer size for client requests to any of the endpoints on the Client-Server API.
 matrix_synapse_reverse_proxy_companion_client_api_client_body_buffer_size_mb: "{{ matrix_synapse_reverse_proxy_companion_client_api_client_max_body_size_mb }}"
 # matrix_synapse_reverse_proxy_companion_federation_api_enabled specifies whether reverse proxying for the Federation (Server-Server) API should be done
 matrix_synapse_reverse_proxy_companion_federation_api_enabled: true
 # matrix_synapse_reverse_proxy_companion_federation_api_addr specifies the address where the Federation (Server-Server) API is
 matrix_synapse_reverse_proxy_companion_federation_api_addr: 'matrix-synapse:{{ matrix_synapse_container_federation_api_plain_port }}'
 # The maximum body size for client requests to any of the endpoints on the Federation API.
 # We auto-calculate this based on the Client-Server API's maximum body size, but use a minimum value to ensure we don't go to low.
 matrix_synapse_reverse_proxy_companion_federation_api_client_max_body_size_mb: "{{ [matrix_synapse_reverse_proxy_companion_federation_api_client_max_body_size_mb_minimum, (matrix_synapse_reverse_proxy_companion_client_api_client_max_body_size_mb | int) * 3] | max }}"
 matrix_synapse_reverse_proxy_companion_federation_api_client_max_body_size_mb_minimum: 100
 # The buffer size for client requests to any of the endpoints on the Federation API.
 matrix_synapse_reverse_proxy_companion_federation_api_client_body_buffer_size_mb: "{{ matrix_synapse_reverse_proxy_companion_federation_api_client_max_body_size_mb }}"
 # A list of strings containing additional configuration blocks to add to the nginx vhost handling the Synapse Client-Server API
 matrix_synapse_reverse_proxy_companion_synapse_client_api_additional_server_configuration_blocks: []
 # A list of strings containing additional configuration blocks to add to the nginx vhost handling the Synapse Federation (Server-Server) API
 matrix_synapse_reverse_proxy_companion_synapse_federation_api_additional_server_configuration_blocks: []
 # synapse worker activation and endpoint mappings.
 # These are all populated via Ansible group variables.
 matrix_synapse_reverse_proxy_companion_synapse_workers_enabled: false
 matrix_synapse_reverse_proxy_companion_synapse_workers_list: []
 matrix_synapse_reverse_proxy_companion_synapse_room_worker_client_server_locations: []
 matrix_synapse_reverse_proxy_companion_synapse_room_worker_federation_locations: []
 matrix_synapse_reverse_proxy_companion_synapse_sync_worker_client_server_locations: []
 matrix_synapse_reverse_proxy_companion_synapse_client_reader_client_server_locations: []
 matrix_synapse_reverse_proxy_companion_synapse_federation_reader_federation_locations: []
 matrix_synapse_reverse_proxy_companion_synapse_generic_worker_client_server_locations: []
 matrix_synapse_reverse_proxy_companion_synapse_generic_worker_federation_locations: []
 matrix_synapse_reverse_proxy_companion_synapse_stream_writer_typing_stream_worker_client_server_locations: []
 matrix_synapse_reverse_proxy_companion_synapse_stream_writer_to_device_stream_worker_client_server_locations: []
 matrix_synapse_reverse_proxy_companion_synapse_stream_writer_account_data_stream_worker_client_server_locations: []
 matrix_synapse_reverse_proxy_companion_synapse_stream_writer_receipts_stream_worker_client_server_locations: []
 matrix_synapse_reverse_proxy_companion_synapse_stream_writer_presence_stream_worker_client_server_locations: []
 matrix_synapse_reverse_proxy_companion_synapse_media_repository_locations: []
 matrix_synapse_reverse_proxy_companion_synapse_user_dir_locations: []
 matrix_synapse_reverse_proxy_companion_client_server_main_override_locations_regex: ^/_matrix/client/(api/v1|r0|v3|unstable)/(account/3pid/|directory/list/room/|pushrules/|rooms/[^/]+/(forget|upgrade|report)|login/sso/redirect/|register)
 matrix_synapse_reverse_proxy_companion_client_server_sso_override_locations_regex: ^(/_matrix/client/(api/v1|r0|v3|unstable)/login/sso/redirect|/_synapse/client/(pick_username|(new_user_consent|oidc/callback|pick_idp|sso_register)$))
 # Related to MSC4108 (https://github.com/matrix-org/matrix-spec-proposals/pull/4108)
 matrix_synapse_reverse_proxy_companion_client_server_qr_code_login_locations_regex: ^(/_matrix/client/(unstable|v1)/org.matrix.msc4108/rendezvous|/_synapse/client/rendezvous)$
 matrix_synapse_reverse_proxy_companion_federation_override_locations_regex: ^/_matrix/federation/v1/openid/userinfo$
 # synapse content caching
 matrix_synapse_reverse_proxy_companion_synapse_cache_enabled: false
 matrix_synapse_reverse_proxy_companion_synapse_cache_path: /tmp/synapse-cache
 matrix_synapse_reverse_proxy_companion_synapse_cache_keys_zone_name: "STATIC"
 matrix_synapse_reverse_proxy_companion_synapse_cache_keys_zone_size: "10m"
 matrix_synapse_reverse_proxy_companion_synapse_cache_inactive_time: "48h"
 matrix_synapse_reverse_proxy_companion_synapse_cache_max_size_mb: 1024
 matrix_synapse_reverse_proxy_companion_synapse_cache_proxy_cache_valid_time: "24h"
 # Controls whether matrix-synapse-reverse-proxy-companion trusts an upstream server's X-Forwarded-Proto header.
 # The `matrix-synapse-reverse-proxy-companion` does not terminate SSL and always expects to be fronted by another reverse-proxy server.
 # As such, it trusts the protocol scheme forwarded by the upstream proxy.
 matrix_synapse_reverse_proxy_companion_trust_forwarded_proto: true
 matrix_synapse_reverse_proxy_companion_x_forwarded_proto_value: "{{ '$http_x_forwarded_proto' if matrix_synapse_reverse_proxy_companion_trust_forwarded_proto else '$scheme' }}"
 ########################################################################################
 #                                                                                      #
 # njs module                                                                           #
 #                                                                                      #
 ########################################################################################
 # Controls whether the njs module is loaded.
 matrix_synapse_reverse_proxy_companion_njs_enabled: "{{ matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_enabled }}"
 ########################################################################################
 #                                                                                      #
 # /njs module                                                                          #
 #                                                                                      #
 ########################################################################################
 ########################################################################################
 #                                                                                      #
 # Whoami-based sync worker routing                                                     #
 #                                                                                      #
 ########################################################################################
 # Controls whether the whoami-based sync worker router is enabled.
 # When enabled, the reverse proxy will call Synapse's /_matrix/client/v3/account/whoami endpoint
 # to resolve access tokens to usernames, allowing consistent routing of requests from the same user
 # to the same sync worker regardless of which device or token they use.
 #
 # This works with any authentication system (native Synapse auth, MAS, etc.) because Synapse
 # handles the token validation internally.
 #
 # Enabled by default when there are sync workers, because sync workers benefit from user-level
 # stickiness due to their per-user in-memory caches.
 matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_enabled: "{{ matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'sync_worker') | list | length > 0 }}"
 # The whoami endpoint path (Matrix spec endpoint).
 matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_endpoint: /_matrix/client/v3/account/whoami
 # The full URL to the whoami endpoint.
 matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_url: "http://{{ matrix_synapse_reverse_proxy_companion_client_api_addr }}{{ matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_endpoint }}"
 # Cache duration (in seconds) for whoami lookup results.
 # Token -> username mappings are cached to avoid repeated whoami calls.
 # A longer TTL reduces load on Synapse but means username changes take longer to take effect.
 matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_cache_ttl_seconds: 3600
 # Size of the shared memory zone for caching whoami results (in megabytes).
 # Each cached entry is approximately 100-200 bytes.
 matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_cache_size_mb: 1
 # Controls whether verbose logging is enabled for the whoami sync worker router.
 # When enabled, logs cache hits/misses and routing decisions.
 # Useful for debugging, but should be disabled in production.
 matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_logging_enabled: false
 # The length of the access token to show in logs when logging is enabled.
 # Keeping this short is a good idea from a security perspective.
 matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_logging_token_length: 12
 # Controls whether debug response headers are added to sync requests.
 # When enabled, adds X-Sync-Worker-Router-User-Identifier and X-Sync-Worker-Router-Upstream headers.
 # Useful for debugging routing behavior, but should be disabled in production.
 matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_debug_headers_enabled: false
 ########################################################################################
 #                                                                                      #
 # /Whoami-based sync worker routing                                                    #
 #                                                                                      #
 ########################################################################################
 # matrix_synapse_reverse_proxy_companion_restart_necessary controls whether the service
 # will be restarted (when true) or merely started (when false) by the
 # systemd service manager role (when conditional restart is enabled).
 #
 # This value is automatically computed during installation based on whether
 # any configuration files, the systemd service file, or the container image changed.
 # The default of `false` means "no restart needed" — appropriate when the role's
 # installation tasks haven't run (e.g., due to --tags skipping them).
 matrix_synapse_reverse_proxy_companion_restart_necessary: false
--- a/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/main.yml
+++ b/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/main.yml
@@ -13,10 +13,10 @@
    - install-synapse
  block:
    - when: matrix_synapse_reverse_proxy_companion_enabled | bool
-      ansible.builtin.include_tasks: "{{ role_path }}/tasks/reverse_proxy_companion/validate_config.yml"
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
    - when: matrix_synapse_reverse_proxy_companion_enabled | bool
-      ansible.builtin.include_tasks: "{{ role_path }}/tasks/reverse_proxy_companion/setup_install.yml"
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
 - tags:
    - setup-all
@@ -24,4 +24,4 @@
    - setup-synapse
  block:
    - when: not matrix_synapse_reverse_proxy_companion_enabled | bool
-      ansible.builtin.include_tasks: "{{ role_path }}/tasks/reverse_proxy_companion/setup_uninstall.yml"
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
--- a/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/setup_install.yml
+++ b/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/setup_install.yml
@@ -26,19 +26,19 @@
    group: "{{ matrix_group_name }}"
    mode: '0644'
  with_items:
-    - src: "{{ role_path }}/templates/reverse_proxy_companion/nginx/nginx.conf.j2"
+    - src: "{{ role_path }}/templates/nginx/nginx.conf.j2"
      dest: "{{ matrix_synapse_reverse_proxy_companion_base_path }}/nginx.conf"
-    - src: "{{ role_path }}/templates/reverse_proxy_companion/nginx/conf.d/nginx-http.conf.j2"
+    - src: "{{ role_path }}/templates/nginx/conf.d/nginx-http.conf.j2"
      dest: "{{ matrix_synapse_reverse_proxy_companion_confd_path }}/nginx-http.conf"
-    - src: "{{ role_path }}/templates/reverse_proxy_companion/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2"
+    - src: "{{ role_path }}/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2"
      dest: "{{ matrix_synapse_reverse_proxy_companion_confd_path }}/matrix-synapse-reverse-proxy-companion.conf"
-    - src: "{{ role_path }}/templates/reverse_proxy_companion/labels.j2"
+    - src: "{{ role_path }}/templates/labels.j2"
      dest: "{{ matrix_synapse_reverse_proxy_companion_base_path }}/labels"
  register: matrix_synapse_reverse_proxy_companion_config_result
 - name: Ensure matrix-synapse-reverse-proxy-companion whoami sync worker router njs script is deployed
  ansible.builtin.template:
-    src: "{{ role_path }}/templates/reverse_proxy_companion/nginx/njs/whoami_sync_worker_router.js.j2"
+    src: "{{ role_path }}/templates/nginx/njs/whoami_sync_worker_router.js.j2"
    dest: "{{ matrix_synapse_reverse_proxy_companion_njs_path }}/whoami_sync_worker_router.js"
    owner: "{{ matrix_user_name }}"
    group: "{{ matrix_group_name }}"
@@ -71,7 +71,7 @@
 - name: Ensure matrix-synapse-reverse-proxy-companion.service installed
  ansible.builtin.template:
-    src: "{{ role_path }}/templates/reverse_proxy_companion/systemd/matrix-synapse-reverse-proxy-companion.service.j2"
+    src: "{{ role_path }}/templates/systemd/matrix-synapse-reverse-proxy-companion.service.j2"
    dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-synapse-reverse-proxy-companion.service"
    mode: '0644'
  register: matrix_synapse_reverse_proxy_companion_systemd_service_result
--- a/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/setup_uninstall.yml
+++ b/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/setup_uninstall.yml
--- a/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/validate_config.yml
+++ b/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/validate_config.yml
--- a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/labels.j2
+++ b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/labels.j2
--- a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2
+++ b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2
@@ -10,61 +10,8 @@
 {% set stream_writer_account_data_stream_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'stream_writer') | selectattr('stream_writer_stream', 'equalto', 'account_data') | list %}
 {% set stream_writer_receipts_stream_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'stream_writer') | selectattr('stream_writer_stream', 'equalto', 'receipts') | list %}
 {% set stream_writer_presence_stream_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'stream_writer') | selectattr('stream_writer_stream', 'equalto', 'presence') | list %}
 {% set stream_writer_push_rules_stream_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'stream_writer') | selectattr('stream_writer_stream', 'equalto', 'push_rules') | list %}
 {% set stream_writer_device_lists_stream_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'stream_writer') | selectattr('stream_writer_stream', 'equalto', 'device_lists') | list %}
 {% set stream_writer_thread_subscriptions_stream_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'stream_writer') | selectattr('stream_writer_stream', 'equalto', 'thread_subscriptions') | list %}
 {% set media_repository_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'media_repository') | list %}
 {% set user_dir_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'user_dir') | list %}
 {% set stream_writer_client_server_routes = [
 	{
 		'doc_url': 'https://matrix-org.github.io/synapse/latest/workers.html#the-typing-stream',
 		'workers': stream_writer_typing_stream_workers,
 		'locations': matrix_synapse_reverse_proxy_companion_synapse_stream_writer_typing_stream_worker_client_server_locations,
 		'upstream': 'stream_writer_typing_stream_workers_upstream',
 	},
 	{
 		'doc_url': 'https://matrix-org.github.io/synapse/latest/workers.html#the-to_device-stream',
 		'workers': stream_writer_to_device_stream_workers,
 		'locations': matrix_synapse_reverse_proxy_companion_synapse_stream_writer_to_device_stream_worker_client_server_locations,
 		'upstream': 'stream_writer_to_device_stream_workers_upstream',
 	},
 	{
 		'doc_url': 'https://matrix-org.github.io/synapse/latest/workers.html#the-account_data-stream',
 		'workers': stream_writer_account_data_stream_workers,
 		'locations': matrix_synapse_reverse_proxy_companion_synapse_stream_writer_account_data_stream_worker_client_server_locations,
 		'upstream': 'stream_writer_account_data_stream_workers_upstream',
 	},
 	{
 		'doc_url': 'https://matrix-org.github.io/synapse/latest/workers.html#the-receipts-stream',
 		'workers': stream_writer_receipts_stream_workers,
 		'locations': matrix_synapse_reverse_proxy_companion_synapse_stream_writer_receipts_stream_worker_client_server_locations,
 		'upstream': 'stream_writer_receipts_stream_workers_upstream',
 	},
 	{
 		'doc_url': 'https://matrix-org.github.io/synapse/latest/workers.html#the-presence-stream',
 		'workers': stream_writer_presence_stream_workers,
 		'locations': matrix_synapse_reverse_proxy_companion_synapse_stream_writer_presence_stream_worker_client_server_locations,
 		'upstream': 'stream_writer_presence_stream_workers_upstream',
 	},
 	{
 		'doc_url': 'https://matrix-org.github.io/synapse/latest/workers.html#the-push_rules-stream',
 		'workers': stream_writer_push_rules_stream_workers,
 		'locations': matrix_synapse_reverse_proxy_companion_synapse_stream_writer_push_rules_stream_worker_client_server_locations,
 		'upstream': 'stream_writer_push_rules_stream_workers_upstream',
 	},
 	{
 		'doc_url': 'https://matrix-org.github.io/synapse/latest/workers.html#the-device_lists-stream',
 		'workers': stream_writer_device_lists_stream_workers,
 		'locations': matrix_synapse_reverse_proxy_companion_synapse_stream_writer_device_lists_stream_worker_client_server_locations,
 		'upstream': 'stream_writer_device_lists_stream_workers_upstream',
 	},
 	{
 		'doc_url': 'https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/synapse/rest/client/thread_subscriptions.py#L38-L247',
 		'workers': stream_writer_thread_subscriptions_stream_workers,
 		'locations': matrix_synapse_reverse_proxy_companion_synapse_stream_writer_thread_subscriptions_stream_worker_client_server_locations,
 		'upstream': 'stream_writer_thread_subscriptions_stream_workers_upstream',
 	},
 ] %}
 {% macro render_worker_upstream(name, workers, load_balance) %}
 	upstream {{ name }} {
@@ -87,7 +34,6 @@
 {% macro render_locations_to_upstream(locations, upstream_name) %}
 	{% for location in locations %}
 	location ~ {{ location }} {
 		set $matrix_upstream_label "{{ upstream_name }}";
 		proxy_pass http://{{ upstream_name }}$request_uri;
 		proxy_http_version 1.1;
 		proxy_set_header Connection "";
@@ -95,28 +41,9 @@
 	{% endfor %}
 {% endmacro %}
 {% macro render_locations_to_upstream_or_main(locations, workers, upstream_name) %}
 	{% for location in locations %}
 	location ~ {{ location }} {
 		{% if workers | length > 0 %}
 		set $matrix_upstream_label "{{ upstream_name }}";
 		proxy_pass http://{{ upstream_name }}$request_uri;
 		proxy_http_version 1.1;
 		proxy_set_header Connection "";
 		{% else %}
 		{# Use the embedded DNS resolver in Docker containers to discover the service #}
 		resolver {{ matrix_synapse_reverse_proxy_companion_http_level_resolver }} valid=5s;
 		set $backend "{{ matrix_synapse_reverse_proxy_companion_client_api_addr }}";
 		proxy_pass http://$backend;
 		{% endif %}
 	}
 	{% endfor %}
 {% endmacro %}
 {% macro render_locations_to_upstream_with_whoami_sync_worker_router(locations, upstream_name) %}
 	{% for location in locations %}
 	location ~ {{ location }} {
 		set $matrix_upstream_label "{{ upstream_name }}";
 		# Use auth_request to call the whoami sync worker router.
 		# The handler resolves the access token to a user identifier and returns it
 		# in the X-User-Identifier header, which is then used for upstream hashing.
@@ -125,7 +52,6 @@
 		{% if matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_debug_headers_enabled %}
 		add_header X-Sync-Worker-Router-User-Identifier $user_identifier always;
 		add_header X-Sync-Worker-Router-Upstream-Label $matrix_upstream_label always;
 		add_header X-Sync-Worker-Router-Upstream $upstream_addr always;
 		{% endif %}
@@ -174,11 +100,25 @@ map $request_uri $room_name {
 	{{- render_worker_upstream('generic_workers_upstream', generic_workers, 'hash $http_x_forwarded_for;') }}
 	{% endif %}
-	{% for stream_writer_client_server_route in stream_writer_client_server_routes %}
+	{% if stream_writer_typing_stream_workers | length > 0 %}
-	{% if stream_writer_client_server_route.workers | length > 0 %}
+	{{- render_worker_upstream('stream_writer_typing_stream_workers_upstream', stream_writer_typing_stream_workers, '') }}
-	{{- render_worker_upstream(stream_writer_client_server_route.upstream, stream_writer_client_server_route.workers, '') }}
+	{% endif %}
 	{% if stream_writer_to_device_stream_workers | length > 0 %}
 	{{- render_worker_upstream('stream_writer_to_device_stream_workers_upstream', stream_writer_to_device_stream_workers, '') }}
 	{% endif %}
 	{% if stream_writer_account_data_stream_workers | length > 0 %}
 	{{- render_worker_upstream('stream_writer_account_data_stream_workers_upstream', stream_writer_account_data_stream_workers, '') }}
 	{% endif %}
 	{% if stream_writer_receipts_stream_workers | length > 0 %}
 	{{- render_worker_upstream('stream_writer_receipts_stream_workers_upstream', stream_writer_receipts_stream_workers, '') }}
 	{% endif %}
 	{% if stream_writer_presence_stream_workers | length > 0 %}
 	{{- render_worker_upstream('stream_writer_presence_stream_workers_upstream', stream_writer_presence_stream_workers, '') }}
 	{% endif %}
 	{% endfor %}
 	{% if media_repository_workers | length > 0 %}
 	{{- render_worker_upstream('media_repository_workers_upstream', media_repository_workers, 'least_conn;') }}
@@ -202,7 +142,6 @@ server {
 	proxy_buffering on;
 	proxy_max_temp_file_size 0;
 	proxy_set_header Host $host;
 	set $matrix_upstream_label "synapse_main_client_api";
 	{% if matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_enabled %}
 	# Internal location for whoami-based sync worker routing.
@@ -247,16 +186,36 @@ server {
 		{# Workers redirects BEGIN #}
 		{% for stream_writer_client_server_route in stream_writer_client_server_routes %}
 			# {{ stream_writer_client_server_route.doc_url }}
 			{{ render_locations_to_upstream_or_main(stream_writer_client_server_route.locations, stream_writer_client_server_route.workers, stream_writer_client_server_route.upstream) }}
 		{% endfor %}
 		{% if generic_workers | length > 0 %}
 			# https://matrix-org.github.io/synapse/latest/workers.html#synapseappgeneric_worker
 			{{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_generic_worker_client_server_locations, 'generic_workers_upstream') }}
 		{% endif %}
 		{% if stream_writer_typing_stream_workers | length > 0 %}
 			# https://matrix-org.github.io/synapse/latest/workers.html#the-typing-stream
 			{{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_stream_writer_typing_stream_worker_client_server_locations, 'stream_writer_typing_stream_workers_upstream') }}
 		{% endif %}
 		{% if stream_writer_to_device_stream_workers | length > 0 %}
 			# https://matrix-org.github.io/synapse/latest/workers.html#the-to_device-stream
 			{{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_stream_writer_to_device_stream_worker_client_server_locations, 'stream_writer_to_device_stream_workers_upstream') }}
 		{% endif %}
 		{% if stream_writer_account_data_stream_workers | length > 0 %}
 			# https://matrix-org.github.io/synapse/latest/workers.html#the-account_data-stream
 			{{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_stream_writer_account_data_stream_worker_client_server_locations, 'stream_writer_account_data_stream_workers_upstream') }}
 		{% endif %}
 		{% if stream_writer_receipts_stream_workers | length > 0 %}
 			# https://matrix-org.github.io/synapse/latest/workers.html#the-receipts-stream
 			{{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_stream_writer_receipts_stream_worker_client_server_locations, 'stream_writer_receipts_stream_workers_upstream') }}
 		{% endif %}
 		{% if stream_writer_presence_stream_workers | length > 0 %}
 			# https://matrix-org.github.io/synapse/latest/workers.html#the-presence-stream
 			{{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_stream_writer_presence_stream_worker_client_server_locations, 'stream_writer_presence_stream_workers_upstream') }}
 		{% endif %}
 		{% if room_workers | length > 0 %}
 			# room workers
 			# https://tcpipuk.github.io/synapse/deployment/workers.html
@@ -282,7 +241,6 @@ server {
 			# https://matrix-org.github.io/synapse/latest/workers.html#synapseappmedia_repository
 			{% for location in matrix_synapse_reverse_proxy_companion_synapse_media_repository_locations %}
 			location ~ {{ location }} {
 					set $matrix_upstream_label "media_repository_workers_upstream";
 				proxy_pass http://media_repository_workers_upstream$request_uri;
 				{% if matrix_synapse_reverse_proxy_companion_synapse_cache_enabled %}
@@ -329,7 +287,6 @@ server {
 	proxy_buffering on;
 	proxy_max_temp_file_size 0;
 	proxy_set_header Host $host;
 	set $matrix_upstream_label "synapse_main_federation_api";
 	{% if matrix_synapse_reverse_proxy_companion_synapse_workers_enabled %}
 		# Federation overrides — These locations must go to the main Synapse process
@@ -355,7 +312,6 @@ server {
 			# https://matrix-org.github.io/synapse/latest/workers.html#synapseappmedia_repository
 			{% for location in matrix_synapse_reverse_proxy_companion_synapse_media_repository_locations %}
 			location ~ {{ location }} {
 					set $matrix_upstream_label "media_repository_workers_upstream";
 				proxy_pass http://media_repository_workers_upstream$request_uri;
 				{% if matrix_synapse_reverse_proxy_companion_synapse_cache_enabled %}
--- a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2.license
+++ b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2.license
--- a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/nginx-http.conf.j2
+++ b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/nginx-http.conf.j2
--- a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/nginx-http.conf.j2.license
+++ b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/nginx-http.conf.j2.license
--- a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/nginx.conf.j2
+++ b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/nginx.conf.j2
@@ -48,14 +48,12 @@ http {
 	js_shared_dict_zone zone=whoami_sync_worker_router_cache:{{ matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_cache_size_mb }}m;
 	{% endif %}
-	{% set access_log_format_fragments = matrix_synapse_reverse_proxy_companion_access_log_format_presets[matrix_synapse_reverse_proxy_companion_access_log_format] %}
+	log_format main '$remote_addr - $remote_user [$time_local] "$request" '
-	log_format access_log_fmt
+		'$status $body_bytes_sent "$http_referer" '
-	{% for fragment in access_log_format_fragments %}
+		'"$http_user_agent" "$http_x_forwarded_for"';
 		'{{ fragment }}'{% if loop.last %};{% endif %}
 	{% endfor %}
 	{% if matrix_synapse_reverse_proxy_companion_access_log_enabled %}
-	access_log /var/log/nginx/access.log access_log_fmt;
+	access_log /var/log/nginx/access.log main;
 	{% else %}
 	access_log off;
 	{% endif %}
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
copilot-swe-agent[bot]	fb134760ce	Changes before error encountered Co-authored-by: spantaleev <388669+spantaleev@users.noreply.github.com>	2026-02-26 02:42:07 +00:00
copilot-swe-agent[bot]	69c5385b63	Make exim-relay benefits section more concise Co-authored-by: spantaleev <388669+spantaleev@users.noreply.github.com>	2026-02-26 02:41:56 +00:00
copilot-swe-agent[bot]	4c7b1aff41	Add "Why use exim-relay?" section to email documentation Co-authored-by: spantaleev <388669+spantaleev@users.noreply.github.com>	2026-02-25 20:33:41 +00:00
copilot-swe-agent[bot]	9153c22d31	Initial plan	2026-02-25 20:31:28 +00:00
`@@ -1,2 +1,2 @@`
	`[codespell]`	`[codespell]`
	`ignore-words-list = aNULL,brose,doub,Udo,re-use,re-used,registr,shema,commet,Commet`	`ignore-words-list = aNULL,brose,doub,Udo,re-use,re-used,registr,shema`
		`@@ -1,3 +0,0 @@`
			`SPDX-FileCopyrightText: 2026 MDAD project contributors`

			`SPDX-License-Identifier: AGPL-3.0-or-later`