chore(deps): update ghcr.io/element-hq/synapse docker tag to v1.150.0

Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/5066

.pre-commit-config.yaml

@@ -30,3 +30,11 @@ repos:
         files: '^roles/custom/'
         args: ['roles/custom']
         pass_filenames: false
+  - repo: local
+    hooks:
+      - id: check-examples-vars-migration-version
+        name: Check examples/vars.yml migration version matches expected
+        entry: bin/check-examples-vars-migration-version.sh
+        language: script
+        files: '(examples/vars\.yml|roles/custom/matrix_playbook_migration/defaults/main\.yml)'
+        pass_filenames: false

CHANGELOG.md

@@ -1,3 +1,36 @@
+# 2026-03-23
+
+## Migration validation system introduced
+
+Previously, when updating your setup, you had to remember to read the [CHANGELOG](CHANGELOG.md) file or risk breakage.
+
+Now, the playbook includes a migration validation system that ensures you're aware of breaking changes before they affect your deployment.
+You're now forced to acknowledge each breaking change, unless you wish to live dangerously (see below).
+
+A new `matrix_playbook_migration_validated_version` variable has been introduced.
+
+**New users** who started from the [example `vars.yml`](examples/vars.yml) file already have this variable set and do not need to do anything.
+
+**Existing users** will need to add the following to their `vars.yml` file after reviewing all changelog entries up to now:
+
+```yml
+matrix_playbook_migration_validated_version: v2026.03.23.0
+```
+
+Going forward, whenever a breaking change is introduced the playbook will:
+
+- bump its expected version value (`matrix_playbook_migration_expected_version`), causing a discrepancy with what you validated (`matrix_playbook_migration_validated_version`)
+
+- fail when you run it with a helpful message listing what changed and linking to the relevant changelog entries
+
+After reviewing and adapting your setup, you simply update the variable to the new version.
+
+If you'd like to live dangerously and skip these checks (not recommended), you can set this once and be done with it:
+
+```yml
+matrix_playbook_migration_validated_version: "{{ matrix_playbook_migration_expected_version }}"
+```
+
 # 2026-03-19
 
 ## Matrix Authentication Service now prefers UNIX sockets for playbook-managed Postgres

bin/check-examples-vars-migration-version.sh

@@ -0,0 +1,35 @@
+#!/bin/bash
+
+# SPDX-FileCopyrightText: 2026 Slavi Pantaleev
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+# Ensures that the migration validated version in examples/vars.yml
+# matches the expected version in the matrix_playbook_migration role defaults.
+
+set -euo pipefail
+
+defaults_file="roles/custom/matrix_playbook_migration/defaults/main.yml"
+examples_file="examples/vars.yml"
+
+expected_version=$(grep -oP '^matrix_playbook_migration_expected_version:\s*"?\K[^"]+' "$defaults_file")
+examples_version=$(grep -oP '^matrix_playbook_migration_validated_version:\s*"?\K[^"]+' "$examples_file")
+
+if [ -z "$expected_version" ]; then
+	echo "ERROR: Could not extract matrix_playbook_migration_expected_version from $defaults_file"
+	exit 1
+fi
+
+if [ -z "$examples_version" ]; then
+	echo "ERROR: Could not extract matrix_playbook_migration_validated_version from $examples_file"
+	exit 1
+fi
+
+if [ "$expected_version" != "$examples_version" ]; then
+	echo "ERROR: Migration version mismatch!"
+	echo "  $defaults_file has expected version: $expected_version"
+	echo "  $examples_file has validated version: $examples_version"
+	echo ""
+	echo "Please update $examples_file to match."
+	exit 1
+fi

examples/vars.yml

@@ -1,4 +1,9 @@
 ---
+# This variable acknowledges that you've reviewed breaking changes up to this version.
+# The playbook will fail if this is outdated, guiding you through what changed.
+# See the changelog: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md
+matrix_playbook_migration_validated_version: v2026.03.23.0
+
 # The bare domain name which represents your Matrix identity.
 # Matrix user IDs for your server will be of the form (`@alice:example.com`).
 #

group_vars/matrix_servers

@@ -4909,6 +4909,8 @@ matrix_synapse_experimental_features_msc4108_enabled: "{{ matrix_authentication_
 
 matrix_synapse_experimental_features_msc4140_enabled: "{{ matrix_rtc_enabled }}"
 
+matrix_synapse_experimental_features_msc4143_enabled: "{{ matrix_rtc_enabled }}"
+
 matrix_synapse_experimental_features_msc4222_enabled: "{{ matrix_rtc_enabled }}"
 
 # Disable password authentication when delegating authentication to Matrix Authentication Service.

requirements.yml

@@ -30,7 +30,7 @@
   version: v2.6.1-3
   name: etherpad
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-exim-relay.git
-  version: v4.99.1-r0-0-1
+  version: v4.99.1-r0-1-0
   name: exim_relay
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-grafana.git
   version: v11.6.5-9
@@ -42,7 +42,7 @@
   version: v10741-2
   name: jitsi
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-livekit-server.git
-  version: v1.9.12-1
+  version: v1.10.0-0
   name: livekit_server
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-ntfy.git
   version: v2.19.2-1
@@ -75,7 +75,7 @@
   version: v0.19.1-3
   name: prometheus_postgres_exporter
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-sable.git
-  version: v1.6.0-2
+  version: v1.6.0-3
   name: sable
 - src: git+https://github.com/devture/com.devture.ansible.role.systemd_docker_base.git
   version: v1.5.0-0
@@ -87,7 +87,7 @@
   version: v1.1.0-1
   name: timesync
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik.git
-  version: v3.6.11-2
+  version: v3.6.11-3
   name: traefik
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik-certs-dumper.git
   version: v2.10.0-5

roles/custom/matrix-authentication-service/defaults/main.yml

@@ -22,7 +22,7 @@ matrix_authentication_service_container_repo_version: "{{ 'main' if matrix_authe
 matrix_authentication_service_container_src_files_path: "{{ matrix_base_data_path }}/matrix-authentication-service/container-src"
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/matrix-authentication-service
-matrix_authentication_service_version: 1.13.0
+matrix_authentication_service_version: 1.14.0
 matrix_authentication_service_container_image_registry_prefix: "{{ 'localhost/' if matrix_authentication_service_container_image_self_build else matrix_authentication_service_container_image_registry_prefix_upstream }}"
 matrix_authentication_service_container_image_registry_prefix_upstream: "{{ matrix_authentication_service_container_image_registry_prefix_upstream_default }}"
 matrix_authentication_service_container_image_registry_prefix_upstream_default: "ghcr.io/"

roles/custom/matrix-bot-baibot/defaults/main.yml

@@ -17,7 +17,7 @@ matrix_bot_baibot_container_repo_version: "{{ 'main' if matrix_bot_baibot_versio
 matrix_bot_baibot_container_src_files_path: "{{ matrix_base_data_path }}/baibot/container-src"
 
 # renovate: datasource=docker depName=ghcr.io/etkecc/baibot
-matrix_bot_baibot_version: v1.16.0
+matrix_bot_baibot_version: v1.16.1
 matrix_bot_baibot_container_image: "{{ matrix_bot_baibot_container_image_registry_prefix }}etkecc/baibot:{{ matrix_bot_baibot_version }}"
 matrix_bot_baibot_container_image_registry_prefix: "{{ 'localhost/' if matrix_bot_baibot_container_image_self_build else matrix_bot_baibot_container_image_registry_prefix_upstream }}"
 matrix_bot_baibot_container_image_registry_prefix_upstream: "{{ matrix_bot_baibot_container_image_registry_prefix_upstream_default }}"

roles/custom/matrix-client-element/defaults/main.yml

@@ -29,7 +29,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/eleme
 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_facts['memtotal_mb'] < 4096 }}"
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/element-web
-matrix_client_element_version: v1.12.12
+matrix_client_element_version: v1.12.13
 
 matrix_client_element_container_image: "{{ matrix_client_element_container_image_registry_prefix }}element-hq/element-web:{{ matrix_client_element_version }}"
 matrix_client_element_container_image_registry_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_client_element_container_image_registry_prefix_upstream }}"

roles/custom/matrix-synapse/defaults/main.yml

@@ -16,7 +16,7 @@ matrix_synapse_enabled: true
 matrix_synapse_github_org_and_repo: element-hq/synapse
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/synapse
-matrix_synapse_version: v1.149.1
+matrix_synapse_version: v1.150.0
 
 matrix_synapse_username: ''
 matrix_synapse_uid: ''
@@ -1430,6 +1430,13 @@ matrix_synapse_experimental_features_msc4140_enabled: false
 # See `matrix_synapse_experimental_features_msc4140_enabled`.
 matrix_synapse_max_event_delay_duration: 24h
 
+# Controls whether to enable the MSC4143 experimental feature (RTC transports).
+#
+# This is used by MatrixRTC clients to discover the unstable RTC transports API.
+#
+# See https://github.com/matrix-org/matrix-spec-proposals/pull/4143
+matrix_synapse_experimental_features_msc4143_enabled: false
+
 # Controls whether to enable the MSC4222 experimental feature (adding `state_after` to sync v2).
 #
 # Allow clients to opt-in to a change of the sync v2 API that allows them to correctly track the state of the room.

roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2

@@ -3010,6 +3010,9 @@ experimental_features:
   {% if matrix_synapse_experimental_features_msc4140_enabled %}
   msc4140_enabled: true
   {% endif %}
+  {% if matrix_synapse_experimental_features_msc4143_enabled %}
+  msc4143_enabled: true
+  {% endif %}
   {% if matrix_synapse_experimental_features_msc4222_enabled %}
   msc4222_enabled: true
   {% endif %}

roles/custom/matrix_playbook_migration/defaults/main.yml

@@ -1,9 +1,27 @@
-# SPDX-FileCopyrightText: 2023 - 2025 Slavi Pantaleev
+# SPDX-FileCopyrightText: 2023 - 2026 Slavi Pantaleev
 # SPDX-FileCopyrightText: 2024 Suguru Hirahara
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
 ---
+
+# The version that the user has validated their setup against.
+# When empty, the user will be prompted to set this variable.
+# New users should set this to the current expected version (see below).
+# See `examples/vars.yml` and `matrix_playbook_migration_expected_version` for the recommended value.
+matrix_playbook_migration_validated_version: ''
+
+# The version that the playbook expects the user to have validated against.
+# This is bumped whenever a breaking change is introduced.
+# The value configured here needs to exist in `matrix_playbook_migration_breaking_changes` as well.
+matrix_playbook_migration_expected_version: "v2026.03.23.0"
+
+# A list of breaking changes, used to inform users what changed between their validated version and the expected version.
+matrix_playbook_migration_breaking_changes:
+  - version: "v2026.03.23.0"
+    summary: "Initial migration validation system"
+    changelog_url: "https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#2026-03-22"
+
 # Controls if (`matrix_prometheus_nginxlog_exporter` -> `prometheus_nginxlog_exporter`) validation will run.
 matrix_playbook_migration_matrix_prometheus_nginxlog_exporter_migration_validation_enabled: true
 

roles/custom/matrix_playbook_migration/tasks/main.yml

@@ -1,9 +1,14 @@
-# SPDX-FileCopyrightText: 2022 - 2024 Slavi Pantaleev
+# SPDX-FileCopyrightText: 2022 - 2026 Slavi Pantaleev
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
 ---
 
+- tags:
+    - always
+  block:
+    - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_migration_version.yml"
+
 - tags:
     - setup-all
     - install-all

roles/custom/matrix_playbook_migration/tasks/validate_migration_version.yml

@@ -0,0 +1,34 @@
+# SPDX-FileCopyrightText: 2026 Slavi Pantaleev
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+---
+
+- name: Fail if migration version is not validated (first-time onboarding)
+  ansible.builtin.fail:
+    msg: >-
+      This playbook now uses a migration validation system to help you stay aware of breaking changes.
+
+      It appears that you haven't configured the `matrix_playbook_migration_validated_version` variable yet.
+
+      Please review the changelog (https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md)
+      and then add the following to your vars.yml file:
+
+      matrix_playbook_migration_validated_version: {{ matrix_playbook_migration_expected_version }}
+  when: "matrix_playbook_migration_validated_version == ''"
+
+- name: Fail if migration version is outdated
+  ansible.builtin.fail:
+    msg: |-
+      Your validated migration version ({{ matrix_playbook_migration_validated_version }}) is behind the expected version ({{ matrix_playbook_migration_expected_version }}).
+
+      The following breaking changes have been introduced since your last validation:
+
+      {% for item in matrix_playbook_migration_breaking_changes | selectattr('version', '>', matrix_playbook_migration_validated_version) | sort(attribute='version') %}
+      - {{ item.version }}: {{ item.summary }} ({{ item.changelog_url }})
+      {% endfor %}
+
+      After reviewing the above changes and adapting your setup, update your vars.yml:
+
+      matrix_playbook_migration_validated_version: "{{ matrix_playbook_migration_expected_version }}"
+  when: "matrix_playbook_migration_validated_version != '' and matrix_playbook_migration_validated_version < matrix_playbook_migration_expected_version"