Configure encodedCharacters for the web Traefik entrypoint (if matrix_playbook_ssl_enabled is false) to fix Traefik 3.6.3+ regression in those cases

Continuation of e7cb9eee79

Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/4798

.github/workflows/lock-threads.yml

@@ -23,7 +23,7 @@ jobs:
     if: github.repository == 'spantaleev/matrix-docker-ansible-deploy'
     runs-on: ubuntu-latest
     steps:
-      - uses: dessant/lock-threads@v5
+      - uses: dessant/lock-threads@v6
         with:
           add-issue-labels: 'outdated'
           process-only: 'issues, prs'

.github/workflows/matrix.yml

@@ -26,7 +26,7 @@ jobs:
         uses: actions/checkout@v6
 
       - name: Run ansible-lint
-        uses: ansible/ansible-lint@v25.12.0
+        uses: ansible/ansible-lint@v25.12.1
         with:
           args: "roles/custom"
           setup_python: "true"

group_vars/matrix_servers

@@ -5836,6 +5836,20 @@ traefik_gid: "{{ matrix_user_gid }}"
 # This override (for the `web` entrypoint) also cascades to overriding the `web-secure` entrypoint and the `matrix-federation` entrypoint.
 traefik_config_entrypoint_web_transport_respondingTimeouts_readTimeout: 300s
 
+# Traefik v3.6.3+ blocks encoded characters in request paths by default for security.
+# Matrix API endpoints require encoded slashes (e.g., in room keys URLs) and encoded hashes (e.g., in room directory URLs).
+# Ref:
+# - https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/4798
+# - https://doc.traefik.io/traefik/migrate/v3/#v364
+traefik_config_entrypoint_web_secure_http_encodedCharacters_enabled: true
+traefik_config_entrypoint_web_secure_http_encodedCharacters_allowEncodedSlash: true
+traefik_config_entrypoint_web_secure_http_encodedCharacters_allowEncodedHash: true
+# Doing the same for the `web` entrypoint, for people who disable SSL for the playbook
+# and actually go through this entrypoint.
+traefik_config_entrypoint_web_http_encodedCharacters_enabled: "{{ not matrix_playbook_ssl_enabled }}"
+traefik_config_entrypoint_web_http_encodedCharacters_allowEncodedSlash: "{{ not matrix_playbook_ssl_enabled }}"
+traefik_config_entrypoint_web_http_encodedCharacters_allowEncodedHash: "{{ not matrix_playbook_ssl_enabled }}"
+
 traefik_additional_entrypoints_auto: |
   {{
     ([matrix_playbook_public_matrix_federation_api_traefik_entrypoint_definition] if matrix_playbook_public_matrix_federation_api_traefik_entrypoint_enabled else [])

i18n/requirements.txt

@@ -30,4 +30,4 @@ sphinxcontrib-qthelp==2.0.0
 sphinxcontrib-serializinghtml==2.0.0
 tabulate==0.9.0
 uc-micro-py==1.0.3
-urllib3==2.6.1
+urllib3==2.6.2

requirements.yml

@@ -28,7 +28,7 @@
   version: v10655-0
   name: jitsi
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-livekit-server.git
-  version: v1.9.7-0
+  version: v1.9.8-0
   name: livekit_server
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-ntfy.git
   version: v2.15.0-0
@@ -67,11 +67,11 @@
   version: v1.1.0-1
   name: timesync
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik.git
-  version: v3.6.4-0
+  version: v3.6.4-1
   name: traefik
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik-certs-dumper.git
   version: v2.10.0-3
   name: traefik_certs_dumper
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-valkey.git
-  version: v9-0
+  version: v9.0.1-0
   name: valkey

roles/custom/matrix-base/defaults/main.yml

@@ -321,6 +321,13 @@ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_port: "{{ matrix
 matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port: "{{ matrix_federation_public_port }}"
 matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port_udp: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_advertisedPort if matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_enabled else '' }}"
 matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config: "{{ (matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_default | combine(matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_auto)) | combine(matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_custom, recursive=True) }}"
+# Traefik v3.6.3+ blocks encoded characters in request paths by default for security.
+# Matrix API endpoints require encoded slashes and hashes in endpoints containing room IDs, room aliases, etc.
+# Ref:
+# - https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/4798
+# - https://doc.traefik.io/traefik/migrate/v3/#v364
+matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedSlash: true
+matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedHash: true
 matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_enabled: true
 matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_advertisedPort: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_port }}"  # noqa var-naming
 matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_transport_respondingTimeouts_readTimeout: "{{ traefik_config_entrypoint_web_secure_transport_respondingTimeouts_readTimeout }}"  # noqa var-naming
@@ -330,6 +337,19 @@ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_default:
   {{
     {}
 
+    | combine(
+      (
+        {
+          'http': {
+            'encodedCharacters': {
+              'allowEncodedSlash': matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedSlash,
+              'allowEncodedHash': matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedHash,
+            }
+          }
+        }
+      )
+    )
+
     | combine(
       (
         (
@@ -391,7 +411,31 @@ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled: "{{ matri
 matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name: matrix-internal-matrix-client-api
 matrix_playbook_internal_matrix_client_api_traefik_entrypoint_port: 8008
 matrix_playbook_internal_matrix_client_api_traefik_entrypoint_host_bind_port: ''
-matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_auto | combine(matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_custom, recursive=True) }}"
+matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config: "{{ (matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_default | combine(matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_auto)) | combine(matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_custom, recursive=True) }}"
+# Traefik v3.6.3+ blocks encoded characters in request paths by default for security.
+# Matrix API endpoints require encoded slashes and hashes in endpoints containing room IDs, room aliases, etc.
+# Ref:
+# - https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/4798
+# - https://doc.traefik.io/traefik/migrate/v3/#v364
+matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedSlash: true
+matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedHash: true
+matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_default: |
+  {{
+    {}
+
+    | combine(
+      (
+        {
+          'http': {
+            'encodedCharacters': {
+              'allowEncodedSlash': matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedSlash,
+              'allowEncodedHash': matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedHash,
+            }
+          }
+        }
+      )
+    )
+  }}
 matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_auto: {}
 matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_custom: {}
 

roles/custom/matrix-bot-baibot/defaults/main.yml

@@ -17,7 +17,7 @@ matrix_bot_baibot_container_repo_version: "{{ 'main' if matrix_bot_baibot_versio
 matrix_bot_baibot_container_src_files_path: "{{ matrix_base_data_path }}/baibot/container-src"
 
 # renovate: datasource=docker depName=ghcr.io/etkecc/baibot
-matrix_bot_baibot_version: v1.10.0
+matrix_bot_baibot_version: v1.11.0
 matrix_bot_baibot_container_image: "{{ matrix_bot_baibot_container_image_registry_prefix }}etkecc/baibot:{{ matrix_bot_baibot_version }}"
 matrix_bot_baibot_container_image_registry_prefix: "{{ 'localhost/' if matrix_bot_baibot_container_image_self_build else matrix_bot_baibot_container_image_registry_prefix_upstream }}"
 matrix_bot_baibot_container_image_registry_prefix_upstream: "{{ matrix_bot_baibot_container_image_registry_prefix_upstream_default }}"
@@ -70,6 +70,23 @@ matrix_bot_baibot_config_user_password: ''
 # Also see: `matrix_bot_baibot_config_user_mxid_localpart`
 matrix_bot_baibot_config_user_name: baibot
 
+# Controls the `user.avatar` configuration setting.
+#
+# An optional path to an image file to be used as a custom avatar image.
+# This path should be an in-container path (e.g., `/data/avatar.png`).
+# Any type of content type is supported, but stick to common image formats (PNG, JPG, ..) for better compatibility with various Matrix clients.
+#
+# To use a custom avatar:
+# - Use the auxiliary role (`aux_` variables) to upload your avatar file to the server (e.g. to {{ matrix_bot_baibot_data_path }}/avatar.png on the host),
+#   or do it any other way (without Ansible) you prefer
+# - Set this variable to something like `/data/avatar.png` (the in-container path)
+#
+# Possible values:
+# - null or empty string: use the default baibot avatar
+# - "keep": don't touch the avatar, keep whatever is already set (useful if you manage the avatar via other means)
+# - any other value: path to a custom avatar image file (must be an in-container path like `/data/avatar.png`)
+matrix_bot_baibot_config_user_avatar: null
+
 # Controls the `user.encryption.recovery_passphrase` configuration setting.
 #
 # An optional passphrase to use for backing up and recovering the bot's encryption keys.
@@ -368,7 +385,7 @@ matrix_bot_baibot_config_agents_static_definitions_openai_config_api_key: ""
 
 matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_enabled: true
 # For valid model choices, see: https://platform.openai.com/docs/models
-matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_model_id: gpt-5.1
+matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_model_id: gpt-5.2
 # The prompt text to use (can be null or empty to not use a prompt).
 # See: https://huggingface.co/docs/transformers/en/tasks/prompting
 matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_prompt: "{{ matrix_bot_baibot_config_agents_static_definitions_prompt }}"

roles/custom/matrix-bot-baibot/templates/config.yaml.j2

@@ -21,6 +21,12 @@ user:
   # Leave empty to use the default (baibot).
   name: {{ matrix_bot_baibot_config_user_name | to_json }}
 
+  # An optional path to an image file to be used as a custom avatar image.
+  # - null or empty string: use the default avatar
+  # - "keep": don't touch the avatar, keep whatever is already set
+  # - any other value: path to a custom avatar image file
+  avatar: {{ matrix_bot_baibot_config_user_avatar | to_json }}
+
   encryption:
     # An optional passphrase to use for backing up and recovering the bot's encryption keys.
     # You can use any string here.

roles/custom/matrix-client-fluffychat/defaults/main.yml

@@ -13,7 +13,7 @@ matrix_client_fluffychat_container_image_self_build_repo: "https://github.com/et
 matrix_client_fluffychat_container_image_self_build_version: "{{ 'main' if matrix_client_fluffychat_version == 'latest' else matrix_client_fluffychat_version }}"
 
 # renovate: datasource=docker depName=ghcr.io/etkecc/fluffychat-web
-matrix_client_fluffychat_version: v2.2.0
+matrix_client_fluffychat_version: v2.3.0
 matrix_client_fluffychat_docker_image: "{{ matrix_client_fluffychat_docker_image_registry_prefix }}etkecc/fluffychat-web:{{ matrix_client_fluffychat_version }}"
 matrix_client_fluffychat_docker_image_registry_prefix: "{{ 'localhost/' if matrix_client_fluffychat_container_image_self_build else matrix_client_fluffychat_docker_image_registry_prefix_upstream }}"
 matrix_client_fluffychat_docker_image_registry_prefix_upstream: "{{ matrix_client_fluffychat_docker_image_registry_prefix_upstream_default }}"

roles/custom/matrix-element-admin/defaults/main.yml

@@ -11,7 +11,7 @@
 matrix_element_admin_enabled: true
 
 # renovate: datasource=docker depName=oci.element.io/element-admin
-matrix_element_admin_version: 0.1.9
+matrix_element_admin_version: 0.1.10
 
 matrix_element_admin_scheme: https