Synapse register user: wait for synapse to be available

chore(deps): update ghcr.io/element-hq/element-web docker tag to v1.12.10

CHANGELOG.md

@@ -1,5 +1,36 @@
+# 2026-02-09
+
+## (BC Break) matrix-media-repo datastore IDs are now required in `vars.yml`
+
+**Affects**: users with [matrix-media-repo](docs/configuring-playbook-matrix-media-repo.md) enabled (`matrix_media_repo_enabled: true`)
+
+The `matrix_media_repo_datastore_file_id` and `matrix_media_repo_datastore_s3_id` variables are no longer auto-configured with values. They must now be explicitly defined in your `vars.yml` file. The playbook will fail with a helpful error if they are not set (when needed).
+
+These were never meant to be auto-configured. They were derived from `matrix_homeserver_generic_secret_key`, which is intended for secrets that are OK to change subsequently (and Ansible would assist in propagating these changes). matrix-media-repo datastore IDs are not secrets — they are static identifiers linking media to storage backends, and **must not change** after first use.
+
+**For existing installations**, retrieve your current values from the server:
+
+```sh
+grep 'id:' /matrix/media-repo/config/media-repo.yaml
+```
+
+Then add to your `vars.yml`:
+
+```yaml
+matrix_media_repo_datastore_file_id: "YOUR_FILE_DATASTORE_ID_HERE"
+
+# Only if you use S3 storage:
+# matrix_media_repo_datastore_s3_id: "YOUR_S3_DATASTORE_ID_HERE"
+```
+
+**Why do this?**: This change allows us to **remove the [passlib](https://passlib.readthedocs.io/en/stable/index.html) Python library** from the [prerequisites](docs/prerequisites.md), as it was the last component that depended on it.
+
 # 2026-02-08
 
+## Zulip bridge has been removed from the playbook
+
+Zulip bridge has been removed from the playbook, as it doesn't work, and the maintainer seems to have abandoned it. See [this issue](https://github.com/GearKite/MatrixZulipBridge/issues/23) for more context.
+
 ## Switched to faster secret derivation for service passwords
 
 We've switched the method used for deriving service passwords (database passwords, appservice tokens, etc.) from the `matrix_homeserver_generic_secret_key` variable.

README.md

@@ -133,7 +133,6 @@ Bridges can be used to connect your Matrix installation with third-party communi
 | [matrix-sms-bridge](https://github.com/benkuly/matrix-sms-bridge) | ❌ | Bridge to SMS | [Link](docs/configuring-playbook-bridge-matrix-bridge-sms.md) |
 | [matrix-steam-bridge](https://github.com/jasonlaguidice/matrix-steam-bridge) | ❌ | Bridge to [Steam](https://steampowered.com/) | [Link](docs/configuring-playbook-bridge-steam.md) |
 | [matrix-wechat](https://github.com/duo/matrix-wechat) | ❌ | Bridge to [WeChat](https://www.wechat.com/) | [Link](docs/configuring-playbook-bridge-wechat.md) |
-| [MatrixZulipBridge](https://github.com/GearKite/MatrixZulipBridge) | ❌ | Puppeting appservice bridge for [Zulip](https://zulip.com/) | [Link](docs/configuring-playbook-bridge-zulip.md) |
 | [Heisenbridge](https://github.com/hifi/heisenbridge) | ❌ | Bouncer-style bridge to [IRC](https://wikipedia.org/wiki/Internet_Relay_Chat) | [Link](docs/configuring-playbook-bridge-heisenbridge.md) |
 | [mx-puppet-groupme](https://gitlab.com/xangelix-pub/matrix/mx-puppet-groupme) | ❌ | Bridge to [GroupMe](https://groupme.com/) | [Link](docs/configuring-playbook-bridge-mx-puppet-groupme.md) |
 | [mx-puppet-steam](https://codeberg.org/icewind/mx-puppet-steam) | ❌ | Bridge to [Steam](https://steamapp.com/) | [Link](docs/configuring-playbook-bridge-mx-puppet-steam.md) |

docs/configuring-playbook-bridge-zulip.md

@@ -1,83 +0,0 @@
-<!--
-SPDX-FileCopyrightText: 2021 - 2024 Slavi Pantaleev
-SPDX-FileCopyrightText: 2021 Toni Spets
-SPDX-FileCopyrightText: 2024 - 2025 Suguru Hirahara
-
-SPDX-License-Identifier: AGPL-3.0-or-later
--->
-
-# Setting up a Zulip bridge (optional)
-
-The playbook can install and configure [MatrixZulipBridge](https://github.com/GearKite/MatrixZulipBridge) for you.
-
-See the project's [documentation](https://github.com/GearKite/MatrixZulipBridge/blob/main/README.md) to learn what it does and why it might be useful to you.
-
-## Adjusting DNS records (optional)
-
-By default, this playbook installs the Zulip bridge on the `matrix.` subdomain, at the `/zulip` path (https://matrix.example.com/zulip). This makes it easy to install it, because it **doesn't require additional DNS records to be set up**. If that's okay, you can skip this section.
-
-If you wish to adjust it, see the section [below](#adjusting-the-zulip-bridge-url-optional) for details about DNS configuration.
-
-## Adjusting the playbook configuration
-
-To enable the Zulip bridge, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:
-
-```yaml
-matrix_zulip_bridge_enabled: true
-
-# Uncomment to add one or more admins to this bridge:
-#
-# matrix_zulip_bridge_owner:
-#  - '@yourAdminAccount:{{ matrix_domain }}'
-#
-# … unless you've made yourself an admin of all bots/bridges like this:
-#
-# matrix_admin: '@yourAdminAccount:{{ matrix_domain }}'
-```
-
-### Adjusting the Zulip bridge URL (optional)
-
-By tweaking the `matrix_zulip_bridge_hostname` and `matrix_zulip_bridge_path_prefix` variables, you can easily make the service available at a **different hostname and/or path** than the default one.
-
-Example additional configuration for your `vars.yml` file:
-
-```yaml
-# Change the default hostname and path prefix
-matrix_zulip_bridge_hostname: zulip.example.com
-matrix_zulip_bridge_path_prefix: /
-```
-
-If you've changed the default hostname, you may need to create a CNAME record for the Zulip bridge domain (`zulip.example.com`), which targets `matrix.example.com`.
-
-When setting, replace `example.com` with your own.
-
-### Extending the configuration
-
-There are some additional things you may wish to configure about the bridge.
-
-Take a look at:
-
-- `roles/custom/matrix-bridge-zulip/defaults/main.yml` for some variables that you can customize via your `vars.yml` file
-
-## Installing
-
-After configuring the playbook and potentially [adjusting your DNS records](#adjusting-dns-records), run the playbook with [playbook tags](playbook-tags.md) as below:
-
-<!-- NOTE: let this conservative command run (instead of install-all) to make it clear that failure of the command means something is clearly broken. -->
-```sh
-ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
-```
-
-The shortcut commands with the [`just` program](just.md) are also available: `just install-all` or `just setup-all`
-
-`just install-all` is useful for maintaining your setup quickly ([2x-5x faster](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) than `just setup-all`) when its components remain unchanged. If you adjust your `vars.yml` to remove other components, you'd need to run `just setup-all`, or these components will still remain installed. Note these shortcuts run the `ensure-matrix-users-created` tag too.
-
-## Usage
-
-To use the bridge, you need to start a chat with `@zulipbot:example.com` (where `example.com` is your base domain, not the `matrix.` domain). If the bridge ignores you and a DM is not accepted then the owner setting may be wrong.
-
-If you encounter issues or feel lost you can join the project room at [#matrixzulipbridge:shema.lv](https://matrix.to/#/#matrixzulipbridge:shema.lv) for help.
-
-## Troubleshooting
-
-As with all other services, you can find the logs in [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) by logging in to the server with SSH and running `journalctl -fu matrix-bridge-zulip`.

docs/configuring-playbook-matrix-media-repo.md

@@ -24,8 +24,21 @@ To enable matrix-media-repo, add the following configuration to your `inventory/
 
 ```yaml
 matrix_media_repo_enabled: true
+
+# Any unique alphanumeric string. Cannot be changed after first use.
+# For new installations, generate one with: pwgen -s 64 1
+# For existing installations, see below.
+matrix_media_repo_datastore_file_id: "CHANGE_ME_TO_A_UNIQUE_VALUE"
 ```
 
+**For existing installations**: retrieve the current datastore ID from the server's config file before proceeding:
+
+```sh
+grep 'id:' /matrix/media-repo/config/media-repo.yaml
+```
+
+Then use that value for `matrix_media_repo_datastore_file_id`. This is not a secret — it is a plain identifier used by matrix-media-repo to link media files to their storage backend.
+
 By default, the media-repo will use the local filesystem for data storage. You can alternatively use a `s3` cloud backend as well. Access token caching is also enabled by default since the logout endpoints are proxied through the media repo.
 
 ### Enable metrics
@@ -109,6 +122,11 @@ matrix_media_repo_admins: []
 matrix_media_repo_datastore_file_for_kinds: ["thumbnails", "remote_media", "local_media", "archives"]
 matrix_media_repo_datastore_s3_for_kinds: []
 
+# Required when S3 storage is enabled (matrix_media_repo_datastore_s3_for_kinds is non-empty).
+# Any unique alphanumeric string. Cannot be changed after first use.
+# For new installations, generate one with: pwgen -s 64 1
+# matrix_media_repo_datastore_s3_id: ""
+
 # The s3 uploader needs a temporary location to buffer files to reduce memory usage on
 # small file uploads. If the file size is unknown, the file is written to this location
 # before being uploaded to s3 (then the file is deleted). If you aren't concerned about

docs/configuring-playbook-ssl-certificates.md

@@ -17,7 +17,7 @@ By default, the playbook retrieves and automatically renews free SSL certificate
 - This guide is intended to be referred for configuring the integrated Traefik server with regard to SSL certificates retrieval. If you're using [your own webserver](configuring-playbook-own-webserver.md), consult its documentation about how to configure it.
 - Let's Encrypt ends the expiration notification email service on June 4, 2025 (see: [the official announcement](https://letsencrypt.org/2025/01/22/ending-expiration-emails/)), and it recommends using a third party service for those who want to receive expiration notifications. If you are looking for a self-hosting service, you may be interested in a monitoring tool such as [Update Kuma](https://github.com/louislam/uptime-kuma/).
 
-  The [Mother-of-All-Self-Hosting (MASH)](https://github.com/mother-of-all-self-hosting/mash-playbook) Ansible playbook can be used to install and manage an Uptime Kuma instance. See [this page](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/services/uptime-kuma.md) for the instruction to install it with the MASH playbook. If you are wondering how to use the MASH playbook for your Matrix server, refer [this page](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/setting-up-services-on-mdad-server.md).
+  The [Mother-of-All-Self-Hosting (MASH)](https://github.com/mother-of-all-self-hosting/mash-playbook) Ansible playbook can be used to install and manage an Uptime Kuma instance. See [this page](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/services/uptime-kuma.md) for the instruction to install it with the playbook. If you are wondering how to use it for your Matrix server, refer to [this page](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/setting-up-services-on-mdad-server.md) for the overview.
 
 ## Use staging Let's Encrypt certificates
 

docs/configuring-playbook-turn.md

@@ -1,9 +1,12 @@
 <!--
-SPDX-FileCopyrightText: 2019 - 2024 Slavi Pantaleev
+SPDX-FileCopyrightText: 2018-2024 Slavi Pantaleev
+SPDX-FileCopyrightText: 2020 Aaron Raimist
 SPDX-FileCopyrightText: 2020 Christian Wolf
-SPDX-FileCopyrightText: 2020 MDAD project contributors
 SPDX-FileCopyrightText: 2020 Marcel Partap
-SPDX-FileCopyrightText: 2024 - 2025 Suguru Hirahara
+SPDX-FileCopyrightText: 2020-2024 MDAD project contributors
+SPDX-FileCopyrightText: 2022 Alejo Diaz
+SPDX-FileCopyrightText: 2022 Julian Foad
+SPDX-FileCopyrightText: 2024-2026 Suguru Hirahara
 
 SPDX-License-Identifier: AGPL-3.0-or-later
 -->
@@ -26,7 +29,10 @@ If you'd rather use a local IP for `ansible_host`, add the following configurati
 matrix_coturn_turn_external_ip_address: "YOUR_PUBLIC_IP"
 ```
 
-If you'd like to rely on external IP address auto-detection (not recommended unless you need it), set an empty value to the variable. The playbook will automatically contact an [EchoIP](https://github.com/mpolden/echoip)-compatible service (`https://ifconfig.co/json` by default) to determine your server's IP address. This API endpoint is configurable via the `matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url` variable.
+If you'd like to rely on external IP address auto-detection (not recommended unless you need it), set an empty value to the variable. The playbook will automatically contact an [echoip](https://github.com/mpolden/echoip)-compatible service (`https://ifconfig.co/json` by default) to determine your server's IP address. This API endpoint is configurable via the `matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url` variable.
+
+>[!NOTE]
+> You can self-host the echoip service by using the [Mother-of-All-Self-Hosting (MASH)](https://github.com/mother-of-all-self-hosting/mash-playbook) Ansible playbook. See [this page](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/services/echoip.md) for the instruction to install it with the playbook. If you are wondering how to use it for your Matrix server, refer to [this page](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/setting-up-services-on-mdad-server.md) for the overview.
 
 If your server has multiple external IP addresses, the coturn role offers a different variable for specifying them:
 

docs/configuring-playbook.md

@@ -186,8 +186,6 @@ Bridges can be used to connect your Matrix installation with third-party communi
 
 - [Setting up WeChat bridging](configuring-playbook-bridge-wechat.md)
 
-- [Setting up Zulip bridging](configuring-playbook-bridge-zulip.md)
-
 ### Bots
 
 Bots provide various additional functionality to your installation.

docs/container-images.md

@@ -106,7 +106,6 @@ Bridges can be used to connect your Matrix installation with third-party communi
 | [matrix-hookshot](configuring-playbook-bridge-hookshot.md) | [halfshot/matrix-hookshot](https://hub.docker.com/r/halfshot/matrix-hookshot) | ❌ | Bridge for generic webhooks and multiple project management services, such as GitHub, GitLab, Figma, and Jira in particular |
 | [matrix-sms-bridge](configuring-playbook-bridge-matrix-bridge-sms.md) | [folivonet/matrix-sms-bridge](https://hub.docker.com/repository/docker/folivonet/matrix-sms-bridge) | ❌ | Bridge to SMS |
 | [matrix-wechat](configuring-playbook-bridge-wechat.md) | [lxduo/matrix-wechat](https://hub.docker.com/r/lxduo/matrix-wechat) | ❌ | Bridge to [WeChat](https://www.wechat.com/) |
-| [MatrixZulipBridge](configuring-playbook-bridge-zulip.md) | [GearKite/MatrixZulipBridge](https://ghcr.io/gearkite/matrixzulipbridge) | ❌ | Puppeting appservice bridge for [Zulip](https://zulip.com/) |
 | [Heisenbridge](configuring-playbook-bridge-heisenbridge.md) | [hif1/heisenbridge](https://hub.docker.com/r/hif1/heisenbridge) | ❌ | Bouncer-style bridge to [IRC](https://wikipedia.org/wiki/Internet_Relay_Chat) |
 | [mx-puppet-groupme](configuring-playbook-bridge-mx-puppet-groupme.md) | [xangelix/mx-puppet-groupme](https://hub.docker.com/r/xangelix/mx-puppet-groupme) | ❌ | Bridge to [GroupMe](https://groupme.com/) |
 | [matrix-steam-bridge](configuring-playbook-bridge-steam.md) | [jasonlaguidice/matrix-steam-bridge](https://github.com/jasonlaguidice/matrix-steam-bridge/pkgs/container/matrix-steam-bridge) | ❌ | Bridge to [Steam](https://steampowered.com/) |

docs/prerequisites.md

@@ -23,8 +23,6 @@ We will be using `example.com` as the domain in the following instruction. Pleas
 
 - [Ansible](http://ansible.com/) program. It's used to run this playbook and configures your server for you. Take a look at [our guide about Ansible](ansible.md) for more information, as well as [version requirements](ansible.md#supported-ansible-versions) and alternative ways to run Ansible.
 
-- [passlib](https://passlib.readthedocs.io/en/stable/index.html) Python library. See [this official documentation](https://passlib.readthedocs.io/en/stable/install.html#installation-instructions) for an instruction to install it. On most distros, you need to install some `python-passlib` or `py3-passlib` package, etc.
-
 - [`git`](https://git-scm.com/) as the recommended way to download the playbook. `git` may also be required on the server if you will be [self-building](self-building.md) components.
 
 - [`just`](https://github.com/casey/just) for running `just roles`, `just update`, etc. (see [`justfile`](../justfile)), although you can also run these commands manually. Take a look at this documentation for more information: [Running `just` commands](just.md).

group_vars/matrix_servers

@@ -114,8 +114,6 @@ matrix_homeserver_container_extra_arguments_auto: |
     +
     (['--mount type=bind,src=' + matrix_hookshot_base_path + '/registration.yml,dst=/hookshot-registration.yml,ro'] if matrix_hookshot_enabled else [])
     +
-    (['--mount type=bind,src=' + matrix_zulip_bridge_base_path + '/registration.yaml,dst=/matrixzulipbridge-registration.yaml,ro'] if matrix_zulip_bridge_enabled else [])
-    +
     (['--mount type=bind,src=' + matrix_mautrix_bluesky_config_path + '/registration.yaml,dst=/matrix-mautrix-bluesky-registration.yaml,ro'] if matrix_mautrix_bluesky_enabled else [])
     +
     (['--mount type=bind,src=' + matrix_mautrix_discord_config_path + '/registration.yaml,dst=/matrix-mautrix-discord-registration.yaml,ro'] if matrix_mautrix_discord_enabled else [])
@@ -175,8 +173,6 @@ matrix_homeserver_app_service_config_files_auto: |
     +
     (['/hookshot-registration.yml'] if matrix_hookshot_enabled else [])
     +
-    (['/matrixzulipbridge-registration.yaml'] if matrix_zulip_bridge_enabled else [])
-    +
     (['/matrix-mautrix-bluesky-registration.yaml'] if matrix_mautrix_bluesky_enabled else [])
     +
     (['/matrix-mautrix-discord-registration.yaml'] if matrix_mautrix_discord_enabled else [])
@@ -242,12 +238,14 @@ matrix_addons_homeserver_systemd_services_list: "{{ ([traefik_identifier + '.ser
 #     (see `matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled`)
 # - core services (the homeserver) get a level of ~1000
 # - services that the homeserver depends on (database, Redis, ntfy, coturn, etc.) get a lower level — between 500 and 1000
-# - coturn gets a higher level if `devture_systemd_service_manager_service_restart_mode == 'one-by-one'` to intentionally delay it, because:
+# - coturn gets a higher priority level (= starts later) if `devture_systemd_service_manager_service_restart_mode == 'one-by-one'` to intentionally delay it, because:
 #  - starting services one by one means that the service manager role waits for each service to fully start before proceeding to the next one
 #  - if coturn has a lower priority than the homeserver, it would be started before it
 #  - since coturn is started before the homeserver, there's no container label telling Traefik to get a `matrix.example.com` certificate
 #  - thus, coturn would spin and wait for a certificate until it fails. We'd get a playbook failure due to it, but service manager will proceed to start all other services anyway.
 #  - only later, when the homeserver actually starts, would that certificate be fetched and dumped
+#  - this is not a problem with `all-at-once` (default) or `priority-batched` (services start concurrently),
+#    or with `clean-stop-start` (everything stops first, then starts in priority order — coturn at 900 is fine)
 # - reverse-proxying services get level 3000
 # - Matrix utility services (bridges, bots) get a level of 2000/2200, so that:
 #   - they can start before the reverse-proxy
@@ -302,8 +300,6 @@ devture_systemd_service_manager_services_list_auto: |
     +
     ([{'name': 'matrix-hookshot.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'hookshot', 'bridge-hookshot']}] if matrix_hookshot_enabled else [])
     +
-    ([{'name': 'matrix-zulip-bridge.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'zulip']}] if matrix_zulip_bridge_enabled else [])
-    +
     ([{'name': 'matrix-mautrix-bluesky.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-bluesky']}] if matrix_mautrix_bluesky_enabled else [])
     +
     ([{'name': 'matrix-mautrix-discord.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-discord']}] if matrix_mautrix_discord_enabled else [])
@@ -358,7 +354,7 @@ devture_systemd_service_manager_services_list_auto: |
     +
     ([{'name': 'matrix-corporal.service', 'priority': 1500, 'groups': ['matrix', 'corporal']}] if matrix_corporal_enabled else [])
     +
-    ([{'name': 'matrix-coturn.service', 'priority': (900 if devture_systemd_service_manager_service_restart_mode == 'clean-stop-start' else 1500), 'groups': ['matrix', 'coturn']}] if matrix_coturn_enabled else [])
+    ([{'name': 'matrix-coturn.service', 'priority': (1500 if devture_systemd_service_manager_service_restart_mode == 'one-by-one' else 900), 'groups': ['matrix', 'coturn']}] if matrix_coturn_enabled else [])
     +
     ([{'name': 'matrix-matrixto.service', 'priority': 4000, 'groups': ['matrix', 'matrixto']}] if matrix_matrixto_enabled else [])
     +
@@ -2074,55 +2070,6 @@ matrix_hookshot_public_hostname: "{{ matrix_server_fqn_matrix }}"
 #
 ######################################################################
 
-######################################################################
-#
-# matrix-bridge-zulip
-#
-######################################################################
-
-# We don't enable bridges by default.
-matrix_zulip_bridge_enabled: false
-
-matrix_zulip_bridge_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}"
-
-# Set this to your Matrix ID if you want to enforce the owner, otherwise first _local_ user becomes one
-matrix_zulip_bridge_owner: "{{ matrix_admin if matrix_admin else '' }}"
-
-matrix_zulip_bridge_systemd_required_services_list_auto: |
-  {{
-    matrix_addons_homeserver_systemd_services_list
-  }}
-
-matrix_zulip_bridge_docker_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else matrix_zulip_bridge_docker_image_registry_prefix_upstream_default }}"
-
-matrix_zulip_bridge_container_network: "{{ matrix_addons_container_network }}"
-
-matrix_zulip_bridge_container_additional_networks_auto: |-
-  {{
-    (
-      ([] if matrix_addons_homeserver_container_network == '' else [matrix_addons_homeserver_container_network])
-      +
-      [matrix_playbook_reverse_proxyable_services_additional_network] if (matrix_zulip_bridge_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network) else []
-    ) | unique
-  }}
-
-matrix_zulip_bridge_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
-matrix_zulip_bridge_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
-matrix_zulip_bridge_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
-matrix_zulip_bridge_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"
-
-matrix_zulip_bridge_appservice_token: "{{ (matrix_homeserver_generic_secret_key + ':zulip.as.tok') | hash('sha512') | to_uuid }}"
-
-matrix_zulip_bridge_homeserver_token: "{{ (matrix_homeserver_generic_secret_key + ':zulip.hs.tok') | hash('sha512') | to_uuid }}"
-
-matrix_zulip_bridge_homeserver_url: "{{ matrix_addons_homeserver_client_api_url }}"
-
-######################################################################
-#
-# /matrix-bridge-zulip
-#
-######################################################################
-
 ######################################################################
 #
 # matrix-bridge-mx-puppet-steam
@@ -3160,7 +3107,7 @@ matrix_coturn_container_image_self_build: "{{ matrix_architecture not in ['amd64
 
 # We make the assumption that `ansible_host` points to an external IP address, which may not always be the case.
 # Users are free to set `matrix_coturn_turn_external_ip_address` to an empty string
-# to allow auto-detection (via an EchoIP service) to happen at runtime.
+# to allow auto-detection (via an echoip service) to happen at runtime.
 matrix_coturn_turn_external_ip_address: "{{ ansible_host }}"
 
 matrix_coturn_turn_static_auth_secret: "{{ ((matrix_homeserver_generic_secret_key + ':coturn.sas') | hash('sha512') | to_uuid) if matrix_coturn_authentication_method == 'auth-secret' else '' }}"
@@ -3354,6 +3301,9 @@ ddclient_identifier: matrix-dynamic-dns
 
 ddclient_base_path: "{{ matrix_base_data_path }}/dynamic-dns"
 
+ddclient_uid: "{{ matrix_user_uid }}"
+ddclient_gid: "{{ matrix_user_gid }}"
+
 ddclient_container_image_registry_prefix: "{{ 'localhost/' if ddclient_container_image_self_build else ddclient_container_image_registry_prefix_upstream }}"
 ddclient_container_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else ddclient_docker_image_registry_prefix_upstream_default }}"
 
@@ -4702,11 +4652,6 @@ matrix_synapse_admin_config_asManagedUsers_auto: |
       '^@hbirc_[a-zA-Z0-9]+:'+(matrix_domain | regex_escape)+'$',
     ] if matrix_heisenbridge_enabled else [])
     +
-    ([
-      '^@zulipbot:'+(matrix_domain | regex_escape)+'$',
-      '^@zulip_[a-zA-Z0-9]+:'+(matrix_domain | regex_escape)+'$',
-    ] if matrix_zulip_bridge_enabled else [])
-    +
     ([
       '^@hookshot:'+(matrix_domain | regex_escape)+'$',
       '^@_github_[a-zA-Z0-9]+:'+(matrix_domain | regex_escape)+'$',

justfile

@@ -50,8 +50,7 @@ install-all *extra_args: (run-tags "install-all,ensure-matrix-users-created,star
 install-service service *extra_args:
     {{ just_executable() }} --justfile "{{ justfile() }}" run \
     --tags=install-{{ service }},start-group \
-    --extra-vars=group={{ service }} \
-    --extra-vars=devture_systemd_service_manager_service_restart_mode=one-by-one {{ extra_args }}
+    --extra-vars=group={{ service }} {{ extra_args }}
 
 # Runs the playbook with --tags=setup-all,ensure-matrix-users-created,start and optional arguments
 setup-all *extra_args: (run-tags "setup-all,ensure-matrix-users-created,start" extra_args)

requirements.yml

@@ -38,7 +38,7 @@
   version: v1.9.11-0
   name: livekit_server
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-ntfy.git
-  version: v2.16.0-1
+  version: v2.17.0-0
   name: ntfy
 - src: git+https://github.com/devture/com.devture.ansible.role.playbook_help.git
   version: 8630e4f1749bcb659c412820f754473f09055052
@@ -50,7 +50,7 @@
   version: dd6e15246b7a9a2d921e0b3f9cd8a4a917a1bb2f
   name: playbook_state_preserver
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-postgres.git
-  version: v18.1-4
+  version: v18.1-5
   name: postgres
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-postgres-backup.git
   version: v18-0
@@ -68,7 +68,7 @@
   version: v1.4.1-0
   name: systemd_docker_base
 - src: git+https://github.com/devture/com.devture.ansible.role.systemd_service_manager.git
-  version: v1.1.0-0
+  version: v2.0.0-0
   name: systemd_service_manager
 - src: git+https://github.com/devture/com.devture.ansible.role.timesync.git
   version: v1.1.0-1

roles/custom/matrix-authentication-service/defaults/main.yml

@@ -22,7 +22,7 @@ matrix_authentication_service_container_repo_version: "{{ 'main' if matrix_authe
 matrix_authentication_service_container_src_files_path: "{{ matrix_base_data_path }}/matrix-authentication-service/container-src"
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/matrix-authentication-service
-matrix_authentication_service_version: 1.10.0
+matrix_authentication_service_version: 1.11.0
 matrix_authentication_service_container_image_registry_prefix: "{{ 'localhost/' if matrix_authentication_service_container_image_self_build else matrix_authentication_service_container_image_registry_prefix_upstream }}"
 matrix_authentication_service_container_image_registry_prefix_upstream: "{{ matrix_authentication_service_container_image_registry_prefix_upstream_default }}"
 matrix_authentication_service_container_image_registry_prefix_upstream_default: "ghcr.io/"

roles/custom/matrix-bot-baibot/defaults/main.yml

@@ -17,7 +17,7 @@ matrix_bot_baibot_container_repo_version: "{{ 'main' if matrix_bot_baibot_versio
 matrix_bot_baibot_container_src_files_path: "{{ matrix_base_data_path }}/baibot/container-src"
 
 # renovate: datasource=docker depName=ghcr.io/etkecc/baibot
-matrix_bot_baibot_version: v1.14.0
+matrix_bot_baibot_version: v1.14.1
 matrix_bot_baibot_container_image: "{{ matrix_bot_baibot_container_image_registry_prefix }}etkecc/baibot:{{ matrix_bot_baibot_version }}"
 matrix_bot_baibot_container_image_registry_prefix: "{{ 'localhost/' if matrix_bot_baibot_container_image_self_build else matrix_bot_baibot_container_image_registry_prefix_upstream }}"
 matrix_bot_baibot_container_image_registry_prefix_upstream: "{{ matrix_bot_baibot_container_image_registry_prefix_upstream_default }}"

roles/custom/matrix-bridge-zulip/defaults/main.yml

@@ -1,122 +0,0 @@
-# SPDX-FileCopyrightText: 2021 - 2022 Toni Spets
-# SPDX-FileCopyrightText: 2022 - 2023 Nikita Chernyi
-# SPDX-FileCopyrightText: 2022 - 2025 Slavi Pantaleev
-# SPDX-FileCopyrightText: 2022 MDAD project contributors
-# SPDX-FileCopyrightText: 2022 Marko Weltzer
-# SPDX-FileCopyrightText: 2023 Samuel Meenzen
-# SPDX-FileCopyrightText: 2024 - 2025 Suguru Hirahara
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
----
-# MatrixZulipBridge is a puppeting appservice bridge for Zulip
-# Project source code URL: https://github.com/GearKite/MatrixZulipBridge
-
-matrix_zulip_bridge_enabled: true
-
-matrix_zulip_bridge_scheme: https
-matrix_zulip_bridge_hostname: "{{ matrix_server_fqn_matrix }}"
-matrix_zulip_bridge_path_prefix: "/zulip"
-
-# renovate: datasource=docker depName=ghcr.io/gearkite/matrixzulipbridge
-matrix_zulip_bridge_version: v0.4.1
-matrix_zulip_bridge_docker_image: "{{ matrix_zulip_bridge_docker_image_registry_prefix }}gearkite/matrixzulipbridge:{{ matrix_zulip_bridge_version }}"
-matrix_zulip_bridge_docker_image_registry_prefix: "{{ matrix_zulip_bridge_docker_image_registry_prefix_upstream }}"
-matrix_zulip_bridge_docker_image_registry_prefix_upstream: "{{ matrix_zulip_bridge_docker_image_registry_prefix_upstream_default }}"
-matrix_zulip_bridge_docker_image_registry_prefix_upstream_default: ghcr.io/
-matrix_zulip_bridge_docker_image_force_pull: "{{ matrix_zulip_bridge_docker_image.endswith(':latest') }}"
-
-matrix_zulip_bridge_base_path: "{{ matrix_base_data_path }}/zulip"
-
-matrix_zulip_bridge_container_network: ""
-
-# The port number in the container
-matrix_zulip_bridge_container_http_port: 9898
-
-matrix_zulip_bridge_container_additional_networks: "{{ matrix_zulip_bridge_container_additional_networks_auto + matrix_zulip_bridge_container_additional_networks_custom }}"
-matrix_zulip_bridge_container_additional_networks_auto: []
-matrix_zulip_bridge_container_additional_networks_custom: []
-
-# Controls how long to wait for the container to stop gracefully before killing it.
-# We use a small value here, because this container does not seem to handle the SIGTERM signal.
-matrix_zulip_bridge_container_stop_grace_time_seconds: 1
-
-# matrix_zulip_bridge_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
-# See `../templates/labels.j2` for details.
-#
-# To inject your own other container labels, see `matrix_zulip_bridge_container_labels_additional_labels`.
-matrix_zulip_bridge_container_labels_traefik_enabled: true
-matrix_zulip_bridge_container_labels_traefik_docker_network: "{{ matrix_zulip_bridge_container_network }}"
-matrix_zulip_bridge_container_labels_traefik_hostname: "{{ matrix_zulip_bridge_hostname }}"
-matrix_zulip_bridge_container_labels_traefik_path_prefix: "{{ matrix_zulip_bridge_path_prefix }}"
-matrix_zulip_bridge_container_labels_traefik_entrypoints: web-secure
-matrix_zulip_bridge_container_labels_traefik_tls_certResolver: default  # noqa var-naming
-
-# Controls if the media router is enabled
-matrix_zulip_bridge_container_labels_traefik_media_enabled: true
-matrix_zulip_bridge_container_labels_traefik_media_hostname: "{{ matrix_zulip_bridge_container_labels_traefik_hostname }}"
-# The path prefix must either be `/` or not end with a slash (e.g. `/zulip`).
-matrix_zulip_bridge_container_labels_traefik_media_path_prefix: "{{ '' if matrix_zulip_bridge_container_labels_traefik_path_prefix == '/' else (matrix_zulip_bridge_container_labels_traefik_path_prefix) }}/_bridge_zulip/media"
-matrix_zulip_bridge_container_labels_traefik_media_rule: "Host(`{{ matrix_zulip_bridge_container_labels_traefik_media_hostname }}`){% if matrix_zulip_bridge_container_labels_traefik_media_path_prefix != '/' %} && PathPrefix(`{{ matrix_zulip_bridge_container_labels_traefik_media_path_prefix }}`){% endif %}"
-matrix_zulip_bridge_container_labels_traefik_media_priority: 0
-matrix_zulip_bridge_container_labels_traefik_media_entrypoints: "{{ matrix_zulip_bridge_container_labels_traefik_entrypoints }}"
-matrix_zulip_bridge_container_labels_traefik_media_tls: "{{ matrix_zulip_bridge_container_labels_traefik_media_entrypoints != 'web' }}"
-matrix_zulip_bridge_container_labels_traefik_media_tls_certResolver: "{{ matrix_zulip_bridge_container_labels_traefik_tls_certResolver }}"  # noqa var-naming
-
-# matrix_zulip_bridge_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
-# See `../templates/labels.j2` for details.
-#
-# Example:
-# matrix_zulip_bridge_container_labels_additional_labels: |
-#   my.label=1
-#   another.label="here"
-matrix_zulip_bridge_container_labels_additional_labels: ''
-
-# A list of extra arguments to pass to the container
-matrix_zulip_bridge_container_extra_arguments: []
-
-# List of systemd services that service depends on.
-matrix_zulip_bridge_systemd_required_services_list: "{{ matrix_zulip_bridge_systemd_required_services_list_default + matrix_zulip_bridge_systemd_required_services_list_auto + matrix_zulip_bridge_systemd_required_services_list_custom }}"
-matrix_zulip_bridge_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
-matrix_zulip_bridge_systemd_required_services_list_auto: []
-matrix_zulip_bridge_systemd_required_services_list_custom: []
-
-# List of systemd services that service wants
-matrix_zulip_bridge_systemd_wanted_services_list: []
-
-matrix_zulip_bridge_homeserver_url: ""
-
-matrix_zulip_bridge_appservice_token: ''
-matrix_zulip_bridge_homeserver_token: ''
-
-matrix_zulip_bridge_config_media_url: "{{ matrix_zulip_bridge_scheme }}://{{ matrix_zulip_bridge_hostname }}"
-# This matches the hardcoded `DEFAULT_MEDIA_PATH` in MatrixZulipBridge, but uses `matrix_zulip_bridge_path_prefix` as the path prefix.
-# See: https://github.com/GearKite/MatrixZulipBridge/blob/2ba51f3da2ad8bd33460c953ef91a9cfc585a2d4/matrixzulipbridge/__main__.py#L87
-matrix_zulip_bridge_config_media_path: "{{ matrix_zulip_bridge_container_labels_traefik_media_path_prefix }}/v3/download/{netloc}{path}{filename}"
-matrix_zulip_bridge_config_media_key: "{{ matrix_zulip_bridge_homeserver_token }}"
-matrix_zulip_bridge_config_displayname: "Zulip bridge bot"
-
-matrix_zulip_bridge_registration_yaml_bridge_zulip:
-  media_url: "{{ matrix_zulip_bridge_config_media_url }}"
-  media_path: "{{ matrix_zulip_bridge_config_media_path }}"
-  media_key: "{{ matrix_zulip_bridge_config_media_key }}"
-  displayname: "{{ matrix_zulip_bridge_config_displayname }}"
-
-# Default registration file consumed by both the homeserver and MatrixZulipBridge.
-# Besides registration information, it contains configuration (see the Zulip bridge key).
-matrix_zulip_bridge_registration_yaml:
-  id: zulip
-  url: http://matrix-zulip-bridge:{{ matrix_zulip_bridge_container_http_port }}
-  as_token: "{{ matrix_zulip_bridge_appservice_token }}"
-  hs_token: "{{ matrix_zulip_bridge_homeserver_token }}"
-  rate_limited: false
-  sender_localpart: zulipbot
-  namespaces:
-    users:
-      - regex: '@zulip_.*'
-        exclusive: true
-    aliases: []
-    rooms: []
-  zulipbridge: "{{ matrix_zulip_bridge_registration_yaml_bridge_zulip }}"
-
-matrix_zulip_bridge_registration: "{{ matrix_zulip_bridge_registration_yaml | from_yaml }}"

roles/custom/matrix-bridge-zulip/tasks/main.yml

@@ -1,29 +0,0 @@
-# SPDX-FileCopyrightText: 2021 Toni Spets
-# SPDX-FileCopyrightText: 2022 - 2024 Slavi Pantaleev
-# SPDX-FileCopyrightText: 2022 Marko Weltzer
-# SPDX-FileCopyrightText: 2025 Suguru Hirahara
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
----
-- name: Perform the Zulip bridge installation tasks
-  when: matrix_zulip_bridge_enabled | bool
-  tags:
-    - setup-all
-    - setup-bridge-zulip
-    - install-all
-    - install-bridge-zulip
-  block:
-    - name: Validate the Zulip bridge configuration
-      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
-    - name: Install the Zulip bridge
-      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
-
-- name: Perform the Zulip bridge uninstallation tasks
-  when: not matrix_zulip_bridge_enabled | bool
-  tags:
-    - setup-all
-    - setup-bridge-zulip
-  block:
-    - name: Uninstall the Zulip bridge
-      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"

roles/custom/matrix-bridge-zulip/tasks/setup_install.yml

@@ -1,62 +0,0 @@
-# SPDX-FileCopyrightText: 2021 Toni Spets
-# SPDX-FileCopyrightText: 2022 - 2024 Slavi Pantaleev
-# SPDX-FileCopyrightText: 2022 Jim Myhrberg
-# SPDX-FileCopyrightText: 2022 Marko Weltzer
-# SPDX-FileCopyrightText: 2022 Nikita Chernyi
-# SPDX-FileCopyrightText: 2022 Sebastian Gumprich
-# SPDX-FileCopyrightText: 2024 David Mehren
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
----
-- name: Ensure the Zulip bridge image is pulled
-  community.docker.docker_image:
-    name: "{{ matrix_zulip_bridge_docker_image }}"
-    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
-    force_source: "{{ matrix_zulip_bridge_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
-    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_zulip_bridge_docker_image_force_pull }}"
-  register: result
-  retries: "{{ devture_playbook_help_container_retries_count }}"
-  delay: "{{ devture_playbook_help_container_retries_delay }}"
-  until: result is not failed
-
-- name: Ensure the Zulip bridge paths exist
-  ansible.builtin.file:
-    path: "{{ item }}"
-    state: directory
-    mode: "0750"
-    owner: "{{ matrix_user_name }}"
-    group: "{{ matrix_group_name }}"
-  with_items:
-    - "{{ matrix_zulip_bridge_base_path }}"
-
-- name: Ensure the Zulip bridge registration.yaml installed if provided
-  ansible.builtin.copy:
-    content: "{{ matrix_zulip_bridge_registration | to_nice_yaml(indent=2, width=999999) }}"
-    dest: "{{ matrix_zulip_bridge_base_path }}/registration.yaml"
-    mode: "0644"
-    owner: "{{ matrix_user_name }}"
-    group: "{{ matrix_group_name }}"
-
-- name: Ensure the Zulip bridge support files installed
-  ansible.builtin.template:
-    src: "{{ role_path }}/templates/{{ item }}.j2"
-    dest: "{{ matrix_zulip_bridge_base_path }}/{{ item }}"
-    mode: "0640"
-    owner: "{{ matrix_user_name }}"
-    group: "{{ matrix_group_name }}"
-  with_items:
-    - labels
-
-- name: Ensure the Zulip bridge container network is created
-  community.general.docker_network:
-    enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}"
-    name: "{{ matrix_zulip_bridge_container_network }}"
-    driver: bridge
-    driver_options: "{{ devture_systemd_docker_base_container_networks_driver_options }}"
-
-- name: Ensure matrix-zulip-bridge.service installed
-  ansible.builtin.template:
-    src: "{{ role_path }}/templates/systemd/matrix-zulip-bridge.service.j2"
-    dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-zulip-bridge.service"
-    mode: "0644"

roles/custom/matrix-bridge-zulip/tasks/setup_uninstall.yml

@@ -1,26 +0,0 @@
-# SPDX-FileCopyrightText: 2021 - 2022 Slavi Pantaleev
-# SPDX-FileCopyrightText: 2021 Michael Sasser
-# SPDX-FileCopyrightText: 2021 Toni Spets
-# SPDX-FileCopyrightText: 2022 Marko Weltzer
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
----
-- name: Check existence of matrix-bridge-zulip service
-  ansible.builtin.stat:
-    path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-zulip-bridge.service"
-  register: matrix_zulip_bridge_service_stat
-
-- when: matrix_zulip_bridge_service_stat.stat.exists | bool
-  block:
-    - name: Ensure matrix-bridge-zulip is stopped
-      ansible.builtin.service:
-        name: matrix-zulip-bridge
-        state: stopped
-        enabled: false
-        daemon_reload: true
-
-    - name: Ensure matrix-zulip-bridge.service doesn't exist
-      ansible.builtin.file:
-        path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-zulip-bridge.service"
-        state: absent

roles/custom/matrix-bridge-zulip/tasks/validate_config.yml

@@ -1,14 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Slavi Pantaleev
-# SPDX-FileCopyrightText: 2024 Suguru Hirahara
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
----
-- name: Fail if required the Zulip bridge settings not defined
-  ansible.builtin.fail:
-    msg: >-
-      You need to define a required configuration setting (`{{ item.name }}`).
-  when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0"
-  with_items:
-    - {"name": "matrix_zulip_bridge_container_network", when: true}
-    - {"name": "matrix_zulip_bridge_homeserver_url", when: true}

roles/custom/matrix-bridge-zulip/templates/labels.j2

@@ -1,58 +0,0 @@
-{#
-SPDX-FileCopyrightText: 2024 Slavi Pantaleev
-
-SPDX-License-Identifier: AGPL-3.0-or-later
-#}
-
-{% if matrix_zulip_bridge_container_labels_traefik_enabled %}
-traefik.enable=true
-
-{% if matrix_zulip_bridge_container_labels_traefik_docker_network %}
-traefik.docker.network={{ matrix_zulip_bridge_container_labels_traefik_docker_network }}
-{% endif %}
-
-traefik.http.services.matrix-zulip-bridge.loadbalancer.server.port={{ matrix_zulip_bridge_container_http_port }}
-
-{% set middlewares = [] %}
-
-{% if matrix_zulip_bridge_container_labels_traefik_path_prefix != '/' %}
-traefik.http.middlewares.matrix-bridge-zulip-strip-prefix.stripprefix.prefixes={{ matrix_zulip_bridge_container_labels_traefik_path_prefix }}
-{% set middlewares = middlewares + ['matrix-bridge-zulip-strip-prefix'] %}
-{% endif %}
-
-{% if matrix_zulip_bridge_container_labels_traefik_media_enabled %}
-##########################################################################
-#                                                                        #
-# Media                                                                  #
-#                                                                        #
-##########################################################################
-
-traefik.http.routers.matrix-bridge-zulip-media.rule={{ matrix_zulip_bridge_container_labels_traefik_media_rule }}
-
-{% if matrix_zulip_bridge_container_labels_traefik_media_priority | int > 0 %}
-traefik.http.routers.matrix-bridge-zulip-media.priority={{ matrix_zulip_bridge_container_labels_traefik_media_priority }}
-{% endif %}
-
-{% if middlewares | length > 0 %}
-traefik.http.routers.matrix-bridge-zulip-media.middlewares={{ middlewares | join(',') }}
-{% endif %}
-
-traefik.http.routers.matrix-bridge-zulip-media.service=matrix-bridge-zulip
-traefik.http.routers.matrix-bridge-zulip-media.entrypoints={{ matrix_zulip_bridge_container_labels_traefik_entrypoints }}
-
-traefik.http.routers.matrix-bridge-zulip-media.tls={{ matrix_zulip_bridge_container_labels_traefik_media_tls | to_json }}
-{% if matrix_zulip_bridge_container_labels_traefik_media_entrypoints %}
-traefik.http.routers.matrix-bridge-zulip-media.tls.certResolver={{ matrix_zulip_bridge_container_labels_traefik_media_tls_certResolver }}
-{% endif %}
-
-##########################################################################
-#                                                                        #
-# /Media                                                                 #
-#                                                                        #
-##########################################################################
-{% endif %}
-
-
-{% endif %}
-
-{{ matrix_zulip_bridge_container_labels_additional_labels }}

roles/custom/matrix-bridge-zulip/templates/systemd/matrix-zulip-bridge.service.j2

@@ -1,60 +0,0 @@
-{#
-SPDX-FileCopyrightText: 2021 Toni Spets
-SPDX-FileCopyrightText: 2022 - 2025 Slavi Pantaleev
-SPDX-FileCopyrightText: 2025 Suguru Hirahara
-
-SPDX-License-Identifier: AGPL-3.0-or-later
-#}
-
-[Unit]
-Description=a puppeting appservice bridge for Zulip
-{% for service in matrix_zulip_bridge_systemd_required_services_list %}
-Requires={{ service }}
-After={{ service }}
-{% endfor %}
-{% for service in matrix_zulip_bridge_systemd_wanted_services_list %}
-Wants={{ service }}
-{% endfor %}
-DefaultDependencies=no
-
-[Service]
-Type=simple
-Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
-ExecStartPre=-{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ matrix_zulip_bridge_container_stop_grace_time_seconds }} matrix-bridge-zulip
-ExecStartPre=-{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bridge-zulip
-
-ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
-			--rm \
-			--name=matrix-bridge-zulip \
-			--log-driver=none \
-			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
-			--cap-drop=ALL \
-			--network={{ matrix_zulip_bridge_container_network }} \
-			--mount type=bind,src={{ matrix_zulip_bridge_base_path }},dst=/config \
-			--label-file={{ matrix_zulip_bridge_base_path }}/labels \
-			{% for arg in matrix_zulip_bridge_container_extra_arguments %}
-			{{ arg }} \
-			{% endfor %}
-			{{ matrix_zulip_bridge_docker_image }} \
-			{% if matrix_zulip_bridge_owner %}
-			-o {{ matrix_zulip_bridge_owner }} \
-			{% endif %}
-			--config /config/registration.yaml \
-			--listen-address 0.0.0.0 \
-			--listen-port {{ matrix_zulip_bridge_container_http_port }} \
-			{{ matrix_zulip_bridge_homeserver_url }}
-
-{% for network in matrix_zulip_bridge_container_additional_networks %}
-ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-bridge-zulip
-{% endfor %}
-
-ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-bridge-zulip
-
-ExecStop=-{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ matrix_zulip_bridge_container_stop_grace_time_seconds }} matrix-bridge-zulip
-ExecStop=-{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bridge-zulip
-Restart=always
-RestartSec=30
-SyslogIdentifier=matrix-bridge-zulip
-
-[Install]
-WantedBy=multi-user.target

roles/custom/matrix-client-element/defaults/main.yml

@@ -29,7 +29,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/eleme
 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_facts['memtotal_mb'] < 4096 }}"
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/element-web
-matrix_client_element_version: v1.12.9
+matrix_client_element_version: v1.12.10
 
 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_registry_prefix }}element-hq/element-web:{{ matrix_client_element_version }}"
 matrix_client_element_docker_image_registry_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_client_element_docker_image_registry_prefix_upstream }}"

roles/custom/matrix-media-repo/defaults/main.yml

@@ -414,8 +414,9 @@ matrix_media_repo_shared_secret_auth_token: "PutSomeRandomSecureValueHere"
 # thumbnails and other misc data is also stored in these places. The media repo, when looking
 # for a datastore to use, will always use the smallest datastore first.
 
-# ID for the file datastore (cannot change). Alphanumeric recommended.
-matrix_media_repo_datastore_file_id: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'filestore.db', rounds=655555) | to_uuid }}"
+# ID for the file datastore. Any unique alphanumeric string (e.g. generated via `pwgen -s 64 1`).
+# This value CANNOT be changed after media has been stored — matrix-media-repo ties media to this ID.
+matrix_media_repo_datastore_file_id: ""
 
 # Datastores can be split into many areas when handling uploads. Media is still de-duplicated
 # across all datastores (local content which duplicates remote content will re-use the remote
@@ -434,8 +435,9 @@ matrix_media_repo_datastore_file_for_kinds: ["thumbnails", "remote_media", "loca
 # Path to datastore, relative to matrix-media-repo directory root
 matrix_media_repo_datastore_opts_path: "/data/media"
 
-# ID for the s3 datastore (cannot change). Alphanumeric recommended.
-matrix_media_repo_datastore_s3_id: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 's3store.db', rounds=655555) | to_uuid }}"
+# ID for the S3 datastore. Any unique alphanumeric string (e.g. generated via `pwgen -s 64 1`).
+# This value CANNOT be changed after media has been stored — matrix-media-repo ties media to this ID.
+matrix_media_repo_datastore_s3_id: ""
 
 # Datastores can be split into many areas when handling uploads. Media is still de-duplicated
 # across all datastores (local content which duplicates remote content will re-use the remote

roles/custom/matrix-media-repo/tasks/validate_config.yml

@@ -15,6 +15,8 @@
     - {'name': 'matrix_media_repo_database_hostname', when: true}
     - {'name': 'matrix_media_repo_container_labels_traefik_internal_media_entrypoints', when: "{{ matrix_media_repo_container_labels_traefik_internal_media_enabled }}"}
     - {'name': 'matrix_media_repo_container_labels_traefik_internal_matrix_client_media_entrypoints', when: "{{ matrix_media_repo_container_labels_traefik_internal_matrix_client_media_enabled }}"}
+    - {'name': 'matrix_media_repo_datastore_file_id', when: "{{ (matrix_media_repo_datastore_file_for_kinds | length) > 0 }}"}
+    - {'name': 'matrix_media_repo_datastore_s3_id', when: "{{ (matrix_media_repo_datastore_s3_for_kinds | length) > 0 }}"}
 
 - name: (Deprecation) Catch and report renamed matrix-media-repo settings
   ansible.builtin.fail:

roles/custom/matrix-synapse/defaults/main.yml

@@ -16,7 +16,7 @@ matrix_synapse_enabled: true
 matrix_synapse_github_org_and_repo: element-hq/synapse
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/synapse
-matrix_synapse_version: v1.146.0
+matrix_synapse_version: v1.147.0
 
 matrix_synapse_username: ''
 matrix_synapse_uid: ''

roles/custom/matrix-synapse/templates/synapse/bin/register-user.j2

@@ -15,6 +15,36 @@ user=$1
 password=$2
 admin=$3
 
+wait_for_synapse() {
+	local timeout_seconds=180
+	local interval_seconds=5
+	local elapsed=0
+	local last_reason=""
+
+	while [ "$elapsed" -lt "$timeout_seconds" ]; do
+		if ! {{ devture_systemd_docker_base_host_command_docker }} ps -a --format '{{"{{"}}.Names{{"}}"}}' | grep -q '^matrix-synapse$'; then
+			last_reason="container not found"
+		elif [ "$({{ devture_systemd_docker_base_host_command_docker }} inspect -f '{{"{{"}}.State.Running{{"}}"}}' matrix-synapse 2>/dev/null)" != "true" ]; then
+			last_reason="container not running"
+		elif ! {{ devture_systemd_docker_base_host_command_docker }} exec matrix-synapse \
+			curl -fsS "http://localhost:{{ matrix_synapse_container_client_api_port }}/health" >/dev/null 2>&1; then
+			last_reason="health endpoint not ready"
+		else
+			return 0
+		fi
+
+		sleep "$interval_seconds"
+		elapsed=$((elapsed + interval_seconds))
+	done
+
+	echo "Timed out waiting for matrix-synapse to become healthy after ${timeout_seconds}s (${last_reason})."
+	return 1
+}
+
+if ! wait_for_synapse; then
+	exit 1
+fi
+
 if [ "$admin" -eq "1" ]; then
 	{{ devture_systemd_docker_base_host_command_docker }} exec matrix-synapse register_new_matrix_user -u "$user" -p "$password" -c /data/homeserver.yaml --admin http://localhost:{{ matrix_synapse_container_client_api_port }}
 else

roles/custom/matrix-user-creator/tasks/util/ensure_user_registered_synapse.yml

@@ -4,9 +4,9 @@
 
 ---
 
-- name: Ensure Synapse user registered - {{ user.username | quote }}
-  ansible.builtin.command:
-    cmd: |-
+- name: Build Synapse user registration command - {{ user.username | quote }}
+  ansible.builtin.set_fact:
+    matrix_synapse_register_user_command: |-
       {{ devture_systemd_docker_base_host_command_docker }} exec matrix-synapse
       register_new_matrix_user
       -u  {{ user.username | quote }}
@@ -21,6 +21,34 @@
         {% endif %}
       {% endif %}
       http://localhost:{{ matrix_synapse_container_client_api_port }}
+
+- name: Ensure Synapse user registered - {{ user.username | quote }}
+  ansible.builtin.command:
+    cmd: "{{ matrix_synapse_register_user_command }}"
   register: matrix_synapse_register_user_result
   changed_when: matrix_synapse_register_user_result.rc == 0 and 'User ID already taken' not in matrix_synapse_register_user_result.stdout
-  failed_when: matrix_synapse_register_user_result.rc != 0 and 'User ID already taken' not in matrix_synapse_register_user_result.stdout
+  failed_when: >-
+    matrix_synapse_register_user_result.rc != 0
+    and 'User ID already taken' not in matrix_synapse_register_user_result.stdout
+    and 'HMAC incorrect' not in matrix_synapse_register_user_result.stdout
+    and 'Connection refused' not in matrix_synapse_register_user_result.stderr | default('')
+
+- when: >-
+    'HMAC incorrect' in matrix_synapse_register_user_result.stdout | default('')
+    or 'Connection refused' in matrix_synapse_register_user_result.stderr | default('')
+  block:
+    - name: Restart Synapse due to registration failure (likely a registration_shared_secret or DB credentials change)
+      ansible.builtin.service:
+        name: "matrix-synapse.service"
+        state: restarted
+
+    - name: Wait for Synapse to start after restart
+      ansible.builtin.pause:
+        seconds: "{{ matrix_user_creator_homeserver_start_wait_time_seconds }}"
+
+    - name: Retry Synapse user registration - {{ user.username | quote }}
+      ansible.builtin.command:
+        cmd: "{{ matrix_synapse_register_user_command }}"
+      register: matrix_synapse_register_user_result
+      changed_when: matrix_synapse_register_user_result.rc == 0 and 'User ID already taken' not in matrix_synapse_register_user_result.stdout
+      failed_when: matrix_synapse_register_user_result.rc != 0 and 'User ID already taken' not in matrix_synapse_register_user_result.stdout

setup.yml

@@ -79,7 +79,6 @@
     - custom/matrix-bridge-steam
     - custom/matrix-bridge-heisenbridge
     - custom/matrix-bridge-hookshot
-    - custom/matrix-bridge-zulip
     - custom/matrix-bot-matrix-reminder-bot
     - custom/matrix-bot-matrix-registration-bot
     - custom/matrix-bot-maubot