Upgrade baibot (v1.7.6 -> v1.8.0)

Related to 3daf14d695

Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/4549

Other homeserver implementations (not just Synapse) may also support MSC2246
(https://github.com/matrix-org/matrix-spec-proposals/pull/2246)
and may also be eligible. For now, it's only enabled for Synapse.

.github/workflows/close-stale-issues.yml

@@ -19,7 +19,7 @@ jobs:
     if: github.repository == 'spantaleev/matrix-docker-ansible-deploy'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v9
+      - uses: actions/stale@v10
         with:
           ######################################################################
           # Issues/PRs

.github/workflows/matrix.yml

@@ -26,7 +26,7 @@ jobs:
         uses: actions/checkout@v5
 
       - name: Run ansible-lint
-        uses: ansible/ansible-lint@v25.8.1
+        uses: ansible/ansible-lint@v25.8.2
         with:
           args: "roles/custom"
           setup_python: "true"

.pre-commit-config.yaml

@@ -21,6 +21,6 @@ repos:
       - id: codespell
         args: ["--skip=*.po,*.pot,i18n/"]
   - repo: https://github.com/fsfe/reuse-tool  # https://reuse.software/dev/#pre-commit-hook
-    rev: v5.0.2
+    rev: v5.1.1
     hooks:
       - id: reuse

docs/ansible.md

@@ -20,10 +20,13 @@ To manually check which version of Ansible you're on, run: `ansible --version`.
 
 For the **best experience**, we recommend getting the **latest version of Ansible available**.
 
-We're not sure what's the minimum version of Ansible that can run this playbook successfully. The lowest version that we've confirmed (on 2022-11-26) to be working fine is: `ansible-core` (`2.11.7`) combined with `ansible` (`4.10.0`).
+We're not sure what's the minimum version of Ansible that can run this playbook successfully. The lowest version that we suspect (on 2025-09-03) to be working fine is: `ansible-core` (`2.15.1`).
 
 If your distro ships with an Ansible version older than this, you may run into issues. Consider [Upgrading Ansible](#upgrading-ansible) or [using Ansible via Docker](#using-ansible-via-docker).
 
+> [!WARNING]
+> One reason for the version requirement being as such is that the playbook by default installs Docker for you using [this Docker role](https://github.com/geerlingguy/ansible-role-docker) which [has a hard requirement on Ansible v2.15.1](https://github.com/geerlingguy/ansible-role-docker/commit/7f44a1d9ad8132819ea9852918bca5dab8757cd0). If you install Docker yourself another way, you can tell the playbook to skip running this role (by adding `matrix_playbook_docker_installation_enabled: false` to your `vars.yml` configuration). It may then be possible to get the playbook running on an older version of Ansible. Still, this is a complication and your mileage may vary. We recommend [upgrading Ansible](#upgrading-ansible) instead of going into uncharted territory.
+
 ## Upgrading Ansible
 
 Depending on your distribution, you may be able to upgrade Ansible in a few different ways:

docs/configuring-playbook-bot-draupnir.md

@@ -242,9 +242,12 @@ For Draupnir to do its job, you need to [give it permissions](https://the-draupn
 
 We recommend **subscribing to a public [policy list](https://the-draupnir-project.github.io/draupnir-documentation/concepts/policy-lists)** using the [watch command](https://the-draupnir-project.github.io/draupnir-documentation/moderator/managing-policy-lists#using-draupnirs-watch-command-to-subscribe-to-policy-rooms).
 
-Policy lists are maintained in Matrix rooms. A popular policy list is maintained in the public `#community-moderation-effort-bl:neko.dev` room.
+Policy lists are maintained in Matrix rooms. Popular ones maintained in the public are:
 
-You can tell Draupnir to subscribe to it by sending the following command to the Management Room: `!draupnir watch #community-moderation-effort-bl:neko.dev`
+- `#community-moderation-effort-bl:neko.dev`
+- `#huginn-muninn-active-threats:feline.support`
+
+You can tell Draupnir to subscribe to each of these by sending the following command to the Management Room: `!draupnir watch POLICY_LIST_ADDRESS_HERE` (e.g. `!draupnir watch #community-moderation-effort-bl:neko.dev`)
 
 #### Creating your own policy lists and rules
 
@@ -270,14 +273,14 @@ You can undo bans with the [unban command](https://the-draupnir-project.github.i
 
 ### Enabling built-in protections
 
-You can also **turn on various built-in [protections](https://the-draupnir-project.github.io/draupnir-documentation/protections)** like `JoinWaveShortCircuit` ("If X amount of users join in Y time, set the room to invite-only").
+You can also **turn on various built-in [protections](https://the-draupnir-project.github.io/draupnir-documentation/protections)** like `JoinWaveShortCircuitProtection` ("If X amount of users join in Y time, set the room to invite-only").
 
 To **see which protections are available and which are enabled**, send a `!draupnir protections` command to the Management Room.
 
-To **see the configuration options for a given protection**, send a `!draupnir protections show PROTECTION_NAME` (e.g. `!draupnir protections show JoinWaveShortCircuit`).
+To [**see the configuration options for a given protection**](https://the-draupnir-project.github.io/draupnir-documentation/protections/configuring-protections#displaying-the-protection-settings), send a `!draupnir protections show PROTECTION_NAME` (e.g. `!draupnir protections show JoinWaveShortCircuitProtection`).
 
-To **set a specific option for a given protection**, send a command like this: `!draupnir config set PROTECTION_NAME.OPTION VALUE` (e.g. `!draupnir config set JoinWaveShortCircuit.timescaleMinutes 30`).
+To [**set a specific option for a given protection**](https://the-draupnir-project.github.io/draupnir-documentation/protections/configuring-protections#changing-protection-settings), send a command like this: `!draupnir protections config set PROTECTION_NAME OPTION VALUE` (e.g. `!draupnir protections config set JoinWaveShortCircuitProtection timescaleMinutes 30`).
 
-To **enable a given protection**, send a command like this: `!draupnir enable PROTECTION_NAME` (e.g. `!draupnir enable JoinWaveShortCircuit`).
+To [**enable a given protection**](https://the-draupnir-project.github.io/draupnir-documentation/protections/block-invitations-on-server-protection#enabling-the-protection), send a command like this: `!draupnir protections enable PROTECTION_NAME` (e.g. `!draupnir protections enable JoinWaveShortCircuitProtection`).
 
-To **disable a given protection**, send a command like this: `!draupnir disable PROTECTION_NAME` (e.g. `!draupnir disable JoinWaveShortCircuit`).
+To **disable a given protection**, send a command like this: `!draupnir protections disable PROTECTION_NAME` (e.g. `!draupnir protections disable JoinWaveShortCircuitProtection`).

docs/configuring-playbook-bot-matrix-registration-bot.md

@@ -37,6 +37,10 @@ matrix_synapse_enable_registration: true
 
 # Restrict registration to users with a token
 matrix_synapse_registration_requires_token: true
+
+# Set an optional command prefix for the bot. This can be any arbitrary string, including whitespace.
+# Example: "!regbot "
+matrix_bot_matrix_registration_bot_bot_prefix: ""
 ```
 
 The bot account will be created automatically.

docs/configuring-playbook-bridge-hookshot.md

@@ -35,7 +35,7 @@ matrix_hookshot_enabled: true
 
 # Uncomment to enable end-to-bridge encryption.
 # See: https://matrix-org.github.io/matrix-hookshot/latest/advanced/encryption.html
-# matrix_hookshot_experimental_encryption_enabled: true
+# matrix_hookshot_encryption_enabled: true
 
 # Uncomment and paste the contents of GitHub app private key to enable GitHub bridge.
 # Alternatively, you can use one of the other methods explained below on the "Manage GitHub Private Key with aux role" section.

docs/configuring-playbook-matrix-rtc.md

@@ -16,7 +16,6 @@ The Matrix RTC stack is a set of supporting components ([LiveKit Server](configu
 ## Prerequisites
 
 - A [Synapse](configuring-playbook-synapse.md) homeserver (see the warning below)
-- [Federation](configuring-playbook-federation.md) being enabled for your Matrix homeserver (federation is enabled by default, unless you've explicitly disabled it), because [LiveKit JWT Service](configuring-playbook-livekit-jwt-service.md) currently [requires it](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/3562#issuecomment-2725250554) ([relevant source code](https://github.com/element-hq/lk-jwt-service/blob/f5f5374c4bdcc00a4fb13d27c0b28e20e4c62334/main.go#L135-L146))
 - Various experimental features for the Synapse homeserver which Element Call [requires](https://github.com/element-hq/element-call/blob/93ae2aed9841e0b066d515c56bd4c122d2b591b2/docs/self-hosting.md#a-matrix-homeserver) (automatically done when Element Call is enabled)
 - A [LiveKit Server](configuring-playbook-livekit-server.md) (automatically installed when [Element Call or the Matrix RTC stack is enabled](#decide-between-element-call-vs-just-the-matrix-rtc-stack))
 - The [LiveKit JWT Service](configuring-playbook-livekit-jwt-service.md) (automatically installed when [Element Call or the Matrix RTC stack is enabled](#decide-between-element-call-vs-just-the-matrix-rtc-stack))

examples/reverse-proxies/apache/matrix-domain.conf

@@ -33,6 +33,12 @@
 	ProxyRequests Off
 	ProxyVia On
 	RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
+	ProxyTimeout 86400
+
+	RewriteEngine On
+	RewriteCond %{HTTP:Connection} Upgrade [NC]
+	RewriteCond %{HTTP:Upgrade} websocket [NC]
+	RewriteRule /(.*) ws://127.0.0.1:81/$1 [P,L]
 
 	AllowEncodedSlashes NoDecode
 	ProxyPass / http://127.0.0.1:81/ retry=0 nocanon

group_vars/matrix_servers

@@ -666,20 +666,10 @@ matrix_authentication_service_config_passwords_schemes:
   - version: 1
     secret: "{{ matrix_synapse_password_config_pepper }}"
     algorithm: bcrypt
+    unicode_normalization: true
   - version: 2
     algorithm: argon2id
 
-matrix_authentication_service_config_clients_auto: |-
-  {{
-    ([
-      {
-        'client_id': matrix_synapse_experimental_features_msc3861_client_id,
-        'client_auth_method': matrix_synapse_experimental_features_msc3861_client_auth_method,
-        'client_secret': matrix_synapse_experimental_features_msc3861_client_secret,
-      }
-    ] if matrix_synapse_experimental_features_msc3861_enabled else [])
-  }}
-
 matrix_authentication_service_config_email_transport: "{{ 'smtp' if exim_relay_enabled else 'blackhole' }}"
 matrix_authentication_service_config_email_hostname: "{{ exim_relay_identifier if exim_relay_enabled else '' }}"
 matrix_authentication_service_config_email_port: "{{ 8025 if exim_relay_enabled else 587 }}"
@@ -997,6 +987,8 @@ matrix_appservice_kakaotalk_appservice_token: "{{ '%s' | format(matrix_homeserve
 matrix_appservice_kakaotalk_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
 matrix_appservice_kakaotalk_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.kakao.hs', rounds=655555) | to_uuid }}"
 
+matrix_appservice_kakaotalk_homeserver_async_media: "{{ matrix_homeserver_implementation in ['synapse'] }}"
+
 matrix_appservice_kakaotalk_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
 
 matrix_appservice_kakaotalk_database_engine: "{{ 'postgres' if postgres_enabled else 'sqlite' }}"
@@ -1046,6 +1038,8 @@ matrix_beeper_linkedin_appservice_token: "{{ '%s' | format(matrix_homeserver_gen
 matrix_beeper_linkedin_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
 matrix_beeper_linkedin_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'linked.hs.token', rounds=655555) | to_uuid }}"
 
+matrix_beeper_linkedin_homeserver_async_media: "{{ matrix_homeserver_implementation in ['synapse'] }}"
+
 matrix_beeper_linkedin_bridge_login_shared_secret_map_auto: |-
   {{
     ({
@@ -1166,6 +1160,8 @@ matrix_mautrix_bluesky_appservice_token: "{{ '%s' | format(matrix_homeserver_gen
 matrix_mautrix_bluesky_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
 matrix_mautrix_bluesky_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'bsky.hs.token', rounds=655555) | to_uuid }}"
 
+matrix_mautrix_bluesky_homeserver_async_media: "{{ matrix_homeserver_implementation in ['synapse'] }}"
+
 matrix_mautrix_bluesky_provisioning_shared_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.bsky.prov', rounds=655555) | to_uuid }}"
 
 matrix_mautrix_bluesky_double_puppet_secrets_auto: |-
@@ -1235,6 +1231,8 @@ matrix_mautrix_discord_appservice_token: "{{ '%s' | format(matrix_homeserver_gen
 matrix_mautrix_discord_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
 matrix_mautrix_discord_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'maudisc.hs.tok', rounds=655555) | to_uuid }}"
 
+matrix_mautrix_discord_homeserver_async_media: "{{ matrix_homeserver_implementation in ['synapse'] }}"
+
 matrix_mautrix_discord_bridge_avatar_proxy_key: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'maudisc.avatar', rounds=655555) | to_uuid }}"
 
 matrix_mautrix_discord_hostname: "{{ matrix_server_fqn_matrix }}"
@@ -1301,6 +1299,8 @@ matrix_mautrix_slack_appservice_token: "{{ '%s' | format(matrix_homeserver_gener
 matrix_mautrix_slack_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
 matrix_mautrix_slack_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mauslack.hs.tok', rounds=655555) | to_uuid }}"
 
+matrix_mautrix_slack_homeserver_async_media: "{{ matrix_homeserver_implementation in ['synapse'] }}"
+
 matrix_mautrix_slack_double_puppet_secrets_auto: |-
   {{
     {
@@ -1374,6 +1374,8 @@ matrix_mautrix_facebook_homeserver_address: "{{ matrix_addons_homeserver_client_
 
 matrix_mautrix_facebook_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'fb.hs.token', rounds=655555) | to_uuid }}"
 
+matrix_mautrix_facebook_homeserver_async_media: "{{ matrix_homeserver_implementation in ['synapse'] }}"
+
 matrix_mautrix_facebook_appservice_public_enabled: true
 matrix_mautrix_facebook_appservice_public_hostname: "{{ matrix_server_fqn_matrix }}"
 matrix_mautrix_facebook_appservice_public_prefix: "/{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'facebook', rounds=655555) | to_uuid }}"
@@ -1594,6 +1596,8 @@ matrix_mautrix_signal_homeserver_domain: '{{ matrix_domain }}'
 matrix_mautrix_signal_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
 matrix_mautrix_signal_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'si.hs.token', rounds=655555) | to_uuid }}"
 
+matrix_mautrix_signal_homeserver_async_media: "{{ matrix_homeserver_implementation in ['synapse'] }}"
+
 matrix_mautrix_signal_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'si.as.token', rounds=655555) | to_uuid }}"
 
 matrix_mautrix_signal_double_puppet_secrets_auto: |-
@@ -1672,6 +1676,8 @@ matrix_mautrix_meta_messenger_homeserver_address: "{{ matrix_addons_homeserver_c
 
 matrix_mautrix_meta_messenger_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.meta.fb.hs', rounds=655555) | to_uuid }}"
 
+matrix_mautrix_meta_messenger_homeserver_async_media: "{{ matrix_homeserver_implementation in ['synapse'] }}"
+
 matrix_mautrix_meta_messenger_double_puppet_secrets_auto: |-
   {{
     {
@@ -1748,6 +1754,8 @@ matrix_mautrix_meta_instagram_homeserver_address: "{{ matrix_addons_homeserver_c
 
 matrix_mautrix_meta_instagram_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.meta.ig.hs', rounds=655555) | to_uuid }}"
 
+matrix_mautrix_meta_instagram_homeserver_async_media: "{{ matrix_homeserver_implementation in ['synapse'] }}"
+
 matrix_mautrix_meta_instagram_double_puppet_secrets_auto: |-
   {{
     {
@@ -1833,6 +1841,8 @@ matrix_mautrix_telegram_homeserver_domain: "{{ matrix_domain }}"
 matrix_mautrix_telegram_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
 matrix_mautrix_telegram_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'telegr.hs.token', rounds=655555) | to_uuid }}"
 
+matrix_mautrix_telegram_homeserver_async_media: "{{ matrix_homeserver_implementation in ['synapse'] }}"
+
 matrix_mautrix_telegram_bridge_login_shared_secret_map_auto: |-
   {{
     ({
@@ -1909,6 +1919,8 @@ matrix_mautrix_twitter_appservice_token: "{{ '%s' | format(matrix_homeserver_gen
 matrix_mautrix_twitter_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
 matrix_mautrix_twitter_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'twt.hs.token', rounds=655555) | to_uuid }}"
 
+matrix_mautrix_twitter_homeserver_async_media: "{{ matrix_homeserver_implementation in ['synapse'] }}"
+
 matrix_mautrix_twitter_provisioning_shared_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.twit.prov', rounds=655555) | to_uuid }}"
 
 matrix_mautrix_twitter_double_puppet_secrets_auto: |-
@@ -1981,6 +1993,8 @@ matrix_mautrix_gmessages_appservice_token: "{{ '%s' | format(matrix_homeserver_g
 matrix_mautrix_gmessages_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
 matrix_mautrix_gmessages_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'gmessa.hs.token', rounds=655555) | to_uuid }}"
 
+matrix_mautrix_gmessages_homeserver_async_media: "{{ matrix_homeserver_implementation in ['synapse'] }}"
+
 matrix_mautrix_gmessages_double_puppet_secrets_auto: |-
   {{
     {
@@ -2099,6 +2113,8 @@ matrix_wechat_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secr
 matrix_wechat_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
 matrix_wechat_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'wechat.hs.token', rounds=655555) | to_uuid }}"
 
+matrix_wechat_homeserver_async_media: "{{ matrix_homeserver_implementation in ['synapse'] }}"
+
 matrix_wechat_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
 
 matrix_wechat_bridge_listen_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'wechat.lstn', rounds=655555) | to_uuid }}"
@@ -2160,6 +2176,8 @@ matrix_mautrix_whatsapp_appservice_token: "{{ '%s' | format(matrix_homeserver_ge
 matrix_mautrix_whatsapp_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
 matrix_mautrix_whatsapp_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'whats.hs.token', rounds=655555) | to_uuid }}"
 
+matrix_mautrix_whatsapp_homeserver_async_media: "{{ matrix_homeserver_implementation in ['synapse'] }}"
+
 matrix_mautrix_whatsapp_double_puppet_secrets_auto: |-
   {{
     {
@@ -4882,7 +4900,7 @@ matrix_synapse_tls_federation_listener_enabled: false
 matrix_synapse_tls_certificate_path: ~
 matrix_synapse_tls_private_key_path: ~
 
-matrix_synapse_federation_port_openid_resource_required: "{{ not matrix_synapse_federation_enabled and (matrix_dimension_enabled or matrix_ma1sd_enabled or matrix_user_verification_service_enabled) }}"
+matrix_synapse_federation_port_openid_resource_required: "{{ not matrix_synapse_federation_enabled and (matrix_dimension_enabled or matrix_ma1sd_enabled or matrix_user_verification_service_enabled or matrix_livekit_jwt_service_enabled) }}"
 
 matrix_synapse_metrics_enabled: "{{ prometheus_enabled or matrix_metrics_exposure_enabled }}"
 
@@ -4911,7 +4929,7 @@ matrix_synapse_systemd_required_services_list_auto: |
     +
     (['matrix-goofys.service'] if matrix_s3_media_store_enabled else [])
     +
-    (['matrix-authentication-service.service'] if (matrix_authentication_service_enabled and matrix_synapse_experimental_features_msc3861_enabled) else [])
+    (['matrix-authentication-service.service'] if (matrix_synapse_matrix_authentication_service_enabled and matrix_synapse_matrix_authentication_service_endpoint == matrix_authentication_service_http_base_container_url) else [])
   }}
 
 matrix_synapse_systemd_wanted_services_list_auto: |
@@ -4945,11 +4963,9 @@ matrix_synapse_report_stats_endpoint: "{{ (('http://' + matrix_synapse_usage_exp
 
 matrix_synapse_experimental_features_msc3266_enabled: "{{ matrix_rtc_enabled }}"
 
-matrix_synapse_experimental_features_msc3861_enabled: "{{ matrix_authentication_service_enabled and not matrix_authentication_service_migration_in_progress }}"
-matrix_synapse_experimental_features_msc3861_issuer: "{{ matrix_authentication_service_http_base_container_url if matrix_authentication_service_enabled else '' }}"
-matrix_synapse_experimental_features_msc3861_client_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'syn.ngauth.cs', rounds=655555) | to_uuid }}"
-matrix_synapse_experimental_features_msc3861_admin_token: "{{ matrix_authentication_service_config_matrix_secret if matrix_authentication_service_enabled else '' }}"
-matrix_synapse_experimental_features_msc3861_account_management_url: "{{ matrix_authentication_service_account_management_url if matrix_authentication_service_enabled else '' }}"
+matrix_synapse_matrix_authentication_service_enabled: "{{ matrix_authentication_service_enabled }}"
+matrix_synapse_matrix_authentication_service_endpoint: "{{ matrix_authentication_service_http_base_container_url if matrix_authentication_service_enabled else '' }}"
+matrix_synapse_matrix_authentication_service_secret: "{{ matrix_authentication_service_config_matrix_secret if matrix_authentication_service_enabled else '' }}"
 
 matrix_synapse_experimental_features_msc4108_enabled: "{{ matrix_authentication_service_enabled and not matrix_authentication_service_migration_in_progress }}"
 
@@ -4961,7 +4977,7 @@ matrix_synapse_experimental_features_msc4222_enabled: "{{ matrix_rtc_enabled }}"
 # Unless this is done, Synapse fails on startup with:
 # > Error in configuration at 'password_config.enabled':
 # > Password auth cannot be enabled when OAuth delegation is enabled
-matrix_synapse_password_config_enabled: "{{ not matrix_synapse_experimental_features_msc3861_enabled }}"
+matrix_synapse_password_config_enabled: "{{ not matrix_synapse_matrix_authentication_service_enabled }}"
 
 matrix_synapse_register_user_script_matrix_authentication_service_path: "{{ matrix_authentication_service_bin_path }}/register-user"
 
@@ -5108,6 +5124,8 @@ matrix_synapse_admin_container_labels_traefik_docker_network: "{{ matrix_playboo
 matrix_synapse_admin_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
 matrix_synapse_admin_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"
 
+matrix_synapse_admin_config_externalAuthProvider: "{{ matrix_authentication_service_enabled | default(false) or matrix_synapse_ext_password_provider_ldap_enabled | default(false) }}"
+
 matrix_synapse_admin_config_asManagedUsers_auto: |
   {{
     ([
@@ -5243,7 +5261,7 @@ matrix_synapse_admin_config_asManagedUsers_auto: |
     +
     ([
       '^@'+(matrix_mautrix_telegram_appservice_bot_username | default('') | regex_escape)+':'+(matrix_domain | regex_escape)+'$',
-      '^@telegram_[a-zA-Z0-9]+:'+(matrix_domain | regex_escape)+'$',
+      '^@'+(matrix_mautrix_telegram_username_template | regex_escape | replace('{userid}', '.+'))+':'+(matrix_domain | regex_escape)+'$',
     ] if matrix_mautrix_telegram_enabled else [])
     +
     ([

i18n/requirements.txt

@@ -16,7 +16,7 @@ myst-parser==4.0.1
 packaging==25.0
 Pygments==2.19.2
 PyYAML==6.0.2
-requests==2.32.4
+requests==2.32.5
 setuptools==80.9.0
 snowballstemmer==3.0.1
 Sphinx==8.2.3

requirements.yml

@@ -4,34 +4,34 @@
   version: v1.0.0-5
   name: auxiliary
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-backup_borg.git
-  version: v1.4.1-1.9.14-1
+  version: v1.4.1-1.9.14-2
   name: backup_borg
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-container-socket-proxy.git
-  version: v0.3.0-7
+  version: v0.4.1-0
   name: container_socket_proxy
 - src: git+https://github.com/geerlingguy/ansible-role-docker
-  version: 7.4.7
+  version: 7.5.3
   name: docker
 - src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git
   version: 129c8590e106b83e6f4c259649a613c6279e937a
   name: docker_sdk_for_python
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-etherpad.git
-  version: v2.4.2-0
+  version: v2.5.0-2
   name: etherpad
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-exim-relay.git
   version: v4.98.1-r0-2-1
   name: exim_relay
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-grafana.git
-  version: v11.6.4-1
+  version: v11.6.5-1
   name: grafana
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git
-  version: v10431-1
+  version: v10431-2
   name: jitsi
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-livekit-server.git
-  version: v1.9.0-5
+  version: v1.9.1-0
   name: livekit_server
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-ntfy.git
-  version: v2.14.0-0
+  version: v2.14.0-1
   name: ntfy
 - src: git+https://github.com/devture/com.devture.ansible.role.playbook_help.git
   version: 7663e3114513e56f28d3ed762059b445c678a71a
@@ -43,10 +43,10 @@
   version: ff2fd42e1c1a9e28e3312bbd725395f9c2fc7f16
   name: playbook_state_preserver
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-postgres.git
-  version: v17.5-5
+  version: v17.6-1
   name: postgres
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-postgres-backup.git
-  version: v17-7
+  version: v17-8
   name: postgres_backup
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git
   version: v3.5.0-1
@@ -64,10 +64,10 @@
   version: v1.0.0-4
   name: systemd_service_manager
 - src: git+https://github.com/devture/com.devture.ansible.role.timesync.git
-  version: v1.0.0-0
+  version: v1.1.0-0
   name: timesync
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik.git
-  version: v3.5.0-2
+  version: v3.5.1-0
   name: traefik
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik-certs-dumper.git
   version: v2.10.0-2

roles/custom/matrix-alertmanager-receiver/defaults/main.yml

@@ -11,7 +11,7 @@
 matrix_alertmanager_receiver_enabled: true
 
 # renovate: datasource=docker depName=docker.io/metio/matrix-alertmanager-receiver
-matrix_alertmanager_receiver_version: 2025.8.6
+matrix_alertmanager_receiver_version: 2025.9.3
 
 matrix_alertmanager_receiver_scheme: https
 

roles/custom/matrix-appservice-draupnir-for-all/defaults/main.yml

@@ -12,7 +12,7 @@
 matrix_appservice_draupnir_for_all_enabled: true
 
 # renovate: datasource=docker depName=gnuxie/draupnir
-matrix_appservice_draupnir_for_all_version: "v2.6.0"
+matrix_appservice_draupnir_for_all_version: "v2.6.1"
 
 matrix_appservice_draupnir_for_all_container_image_self_build: false
 matrix_appservice_draupnir_for_all_container_image_self_build_repo: "https://github.com/the-draupnir-project/Draupnir.git"

roles/custom/matrix-authentication-service/defaults/main.yml

@@ -22,7 +22,7 @@ matrix_authentication_service_container_repo_version: "{{ 'main' if matrix_authe
 matrix_authentication_service_container_src_files_path: "{{ matrix_base_data_path }}/matrix-authentication-service/container-src"
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/matrix-authentication-service
-matrix_authentication_service_version: 1.0.0
+matrix_authentication_service_version: 1.1.0
 matrix_authentication_service_container_image_registry_prefix: "{{ 'localhost/' if matrix_authentication_service_container_image_self_build else matrix_authentication_service_container_image_registry_prefix_upstream }}"
 matrix_authentication_service_container_image_registry_prefix_upstream: "{{ matrix_authentication_service_container_image_registry_prefix_upstream_default }}"
 matrix_authentication_service_container_image_registry_prefix_upstream_default: "ghcr.io/"

roles/custom/matrix-base/defaults/main.yml

@@ -161,7 +161,7 @@ matrix_federation_traefik_entrypoint_tls: true
 # Recognized values by us are 'amd64', 'arm32' and 'arm64'.
 # Not all architectures support all services, so your experience (on non-amd64) may vary.
 # See docs/alternative-architectures.md
-matrix_architecture: "{{ 'amd64' if ansible_architecture == 'x86_64' else ('arm64' if ansible_architecture == 'aarch64' else ('arm32' if ansible_architecture.startswith('armv') else '')) }}"
+matrix_architecture: "{{ 'amd64' if ansible_facts.architecture == 'x86_64' else ('arm64' if ansible_facts.architecture == 'aarch64' else ('arm32' if ansible_facts.architecture.startswith('armv') else '')) }}"
 
 # The architecture for Debian packages.
 # See: https://wiki.debian.org/SupportedArchitectures

roles/custom/matrix-base/tasks/ensure_fuse_installed.yml

@@ -6,11 +6,11 @@
 
 # This is for both RedHat 7 and 8
 - ansible.builtin.include_tasks: "{{ role_path }}/tasks/ensure_fuse_installed_redhat.yml"
-  when: ansible_os_family == 'RedHat'
+  when: ansible_facts.os_family == 'RedHat'
 
 # This is for both Debian and Raspbian
 - ansible.builtin.include_tasks: "{{ role_path }}/tasks/ensure_fuse_installed_debian.yml"
-  when: ansible_os_family == 'Debian'
+  when: ansible_facts.os_family == 'Debian'
 
 - ansible.builtin.include_tasks: "{{ role_path }}/tasks/ensure_fuse_installed_archlinux.yml"
-  when: ansible_os_family == 'Archlinux'
+  when: ansible_facts.os_family == 'Archlinux'

roles/custom/matrix-base/tasks/validate_config.yml

@@ -64,7 +64,7 @@
 
 - name: Fail if matrix_architecture is set incorrectly
   ansible.builtin.fail:
-    msg: "Detected that variable matrix_architecture {{ matrix_architecture }} appears to be set incorrectly. See docs/alternative-architectures.md. Server appears to be {{ ansible_architecture }}."
+    msg: "Detected that variable matrix_architecture {{ matrix_architecture }} appears to be set incorrectly. See docs/alternative-architectures.md. Server appears to be {{ ansible_facts.architecture }}."
   when: matrix_architecture not in ['amd64', 'arm32', 'arm64']
 
 - name: Fail if matrix_playbook_reverse_proxy_type is set incorrectly

roles/custom/matrix-bot-baibot/defaults/main.yml

@@ -17,7 +17,7 @@ matrix_bot_baibot_container_repo_version: "{{ 'main' if matrix_bot_baibot_versio
 matrix_bot_baibot_container_src_files_path: "{{ matrix_base_data_path }}/baibot/container-src"
 
 # renovate: datasource=docker depName=ghcr.io/etkecc/baibot
-matrix_bot_baibot_version: v1.7.6
+matrix_bot_baibot_version: v1.8.0
 matrix_bot_baibot_container_image: "{{ matrix_bot_baibot_container_image_registry_prefix }}etkecc/baibot:{{ matrix_bot_baibot_version }}"
 matrix_bot_baibot_container_image_registry_prefix: "{{ 'localhost/' if matrix_bot_baibot_container_image_self_build else matrix_bot_baibot_container_image_registry_prefix_upstream }}"
 matrix_bot_baibot_container_image_registry_prefix_upstream: "{{ matrix_bot_baibot_container_image_registry_prefix_upstream_default }}"

roles/custom/matrix-bot-draupnir/defaults/main.yml

@@ -12,7 +12,7 @@
 matrix_bot_draupnir_enabled: true
 
 # renovate: datasource=docker depName=gnuxie/draupnir
-matrix_bot_draupnir_version: "v2.6.0"
+matrix_bot_draupnir_version: "v2.6.1"
 
 matrix_bot_draupnir_container_image_self_build: false
 matrix_bot_draupnir_container_image_self_build_repo: "https://github.com/the-draupnir-project/Draupnir.git"

roles/custom/matrix-bot-honoroit/defaults/main.yml

@@ -30,7 +30,7 @@ matrix_bot_honoroit_docker_repo_version: "{{ matrix_bot_honoroit_version }}"
 matrix_bot_honoroit_docker_src_files_path: "{{ matrix_base_data_path }}/honoroit/docker-src"
 
 # renovate: datasource=docker depName=ghcr.io/etkecc/honoroit
-matrix_bot_honoroit_version: v0.9.28
+matrix_bot_honoroit_version: v0.9.29
 matrix_bot_honoroit_docker_image: "{{ matrix_bot_honoroit_docker_image_registry_prefix }}etkecc/honoroit:{{ matrix_bot_honoroit_version }}"
 matrix_bot_honoroit_docker_image_registry_prefix: "{{ 'localhost/' if matrix_bot_honoroit_container_image_self_build else matrix_bot_honoroit_docker_image_registry_prefix_upstream }}"
 matrix_bot_honoroit_docker_image_registry_prefix_upstream: "{{ matrix_bot_honoroit_docker_image_registry_prefix_upstream_default }}"

roles/custom/matrix-bot-matrix-registration-bot/defaults/main.yml

@@ -43,6 +43,9 @@ matrix_bot_matrix_registration_bot_matrix_user_id: '@{{ matrix_bot_matrix_regist
 # The bot's password (can also be used to login via a client like Element Web)
 matrix_bot_matrix_registration_bot_bot_password: ''
 
+# Optional bot command prefix
+matrix_bot_matrix_registration_bot_bot_prefix: ""
+
 # Homeserver base URL
 matrix_bot_matrix_registration_bot_api_base_url: "{{ matrix_homeserver_url }}"
 

roles/custom/matrix-bot-matrix-registration-bot/templates/config.yaml.j2

@@ -10,6 +10,7 @@ bot:
   server: {{ matrix_bot_matrix_registration_bot_bot_server|to_json }}
   username: {{ matrix_bot_matrix_registration_bot_matrix_user_id_localpart|to_json }}
   password: {{ matrix_bot_matrix_registration_bot_bot_password|to_json }}
+  prefix: {{ matrix_bot_matrix_registration_bot_bot_prefix|to_json }}
 
 api:
   # API endpoint of the registration tokens

roles/custom/matrix-bridge-appservice-kakaotalk/defaults/main.yml

@@ -57,6 +57,9 @@ matrix_appservice_kakaotalk_command_prefix: "!kt"
 
 matrix_appservice_kakaotalk_homeserver_address: ""
 matrix_appservice_kakaotalk_homeserver_domain: '{{ matrix_domain }}'
+# Whether asynchronous uploads via MSC2246 should be enabled for media.
+# Requires a homeserver that supports MSC2246 (https://github.com/matrix-org/matrix-spec-proposals/pull/2246).
+matrix_appservice_kakaotalk_homeserver_async_media: false
 matrix_appservice_kakaotalk_appservice_address: 'http://matrix-appservice-kakaotalk:11115'
 
 

roles/custom/matrix-bridge-appservice-kakaotalk/templates/config.yaml.j2

@@ -21,7 +21,7 @@ homeserver:
     message_send_checkpoint_endpoint: null
     # Whether asynchronous uploads via MSC2246 should be enabled for media.
     # Requires a media repo that supports MSC2246.
-    async_media: false
+    async_media: {{ matrix_appservice_kakaotalk_homeserver_async_media | to_json }}
 
 # Application service host/registration related details
 # Changing these values requires regeneration of the registration.

roles/custom/matrix-bridge-beeper-linkedin/defaults/main.yml

@@ -37,6 +37,9 @@ matrix_beeper_linkedin_docker_src_files_path: "{{ matrix_beeper_linkedin_base_pa
 
 matrix_beeper_linkedin_homeserver_address: ""
 matrix_beeper_linkedin_homeserver_domain: "{{ matrix_domain }}"
+# Whether asynchronous uploads via MSC2246 should be enabled for media.
+# Requires a homeserver that supports MSC2246 (https://github.com/matrix-org/matrix-spec-proposals/pull/2246).
+matrix_beeper_linkedin_homeserver_async_media: false
 matrix_beeper_linkedin_appservice_address: "http://matrix-beeper-linkedin:29319"
 
 matrix_beeper_linkedin_bridge_presence: true

roles/custom/matrix-bridge-beeper-linkedin/templates/config.yaml.j2

@@ -21,7 +21,7 @@ homeserver:
     message_send_checkpoint_endpoint: null
     # Whether asynchronous uploads via MSC2246 should be enabled for media.
     # Requires a media repo that supports MSC2246.
-    async_media: false
+    async_media: {{ matrix_beeper_linkedin_homeserver_async_media | to_json }}
 
 # Application service host/registration related details
 # Changing these values requires regeneration of the registration.

roles/custom/matrix-bridge-hookshot/defaults/main.yml

@@ -29,7 +29,7 @@ matrix_hookshot_container_additional_networks_auto: []
 matrix_hookshot_container_additional_networks_custom: []
 
 # renovate: datasource=docker depName=halfshot/matrix-hookshot
-matrix_hookshot_version: 7.0.0
+matrix_hookshot_version: 7.1.0
 
 matrix_hookshot_docker_image: "{{ matrix_hookshot_docker_image_registry_prefix }}matrix-org/matrix-hookshot:{{ matrix_hookshot_version }}"
 matrix_hookshot_docker_image_registry_prefix: "{{ 'localhost/' if matrix_hookshot_container_image_self_build else matrix_hookshot_docker_image_registry_prefix_upstream }}"
@@ -181,6 +181,9 @@ matrix_hookshot_generic_urlPrefix: "{{ matrix_hookshot_urlprefix }}{{ matrix_hoo
 matrix_hookshot_generic_userIdPrefix: '_webhooks_'  # noqa var-naming
 matrix_hookshot_generic_allowJsTransformationFunctions: false  # noqa var-naming
 matrix_hookshot_generic_waitForComplete: false  # noqa var-naming
+matrix_hookshot_generic_sendExpiryNotice: false  # noqa var-naming
+matrix_hookshot_generic_requireExpiryTime: false  # noqa var-naming
+matrix_hookshot_generic_maxExpiryTime: "30d"  # noqa var-naming
 
 
 matrix_hookshot_feeds_enabled: true

roles/custom/matrix-bridge-hookshot/templates/config.yaml.j2

@@ -80,6 +80,9 @@ generic:
   userIdPrefix: {{ matrix_hookshot_generic_userIdPrefix | to_json }}
   allowJsTransformationFunctions: {{ matrix_hookshot_generic_allowJsTransformationFunctions | to_json }}
   waitForComplete: {{ matrix_hookshot_generic_waitForComplete | to_json }}
+  sendExpiryNotice: {{ matrix_hookshot_generic_sendExpiryNotice | to_json }}
+  requireExpiryTime: {{ matrix_hookshot_generic_requireExpiryTime | to_json }}
+  maxExpiryTime: {{ matrix_hookshot_generic_maxExpiryTime | to_json }}
 {% endif %}
 {% if matrix_hookshot_feeds_enabled %}
 feeds:

roles/custom/matrix-bridge-mautrix-bluesky/defaults/main.yml

@@ -28,6 +28,9 @@ matrix_mautrix_bluesky_data_path: "{{ matrix_mautrix_bluesky_base_path }}/data"
 matrix_mautrix_bluesky_docker_src_files_path: "{{ matrix_mautrix_bluesky_base_path }}/docker-src"
 
 matrix_mautrix_bluesky_homeserver_address: ""
+# Whether asynchronous uploads via MSC2246 should be enabled for media.
+# Requires a homeserver that supports MSC2246 (https://github.com/matrix-org/matrix-spec-proposals/pull/2246).
+matrix_mautrix_bluesky_homeserver_async_media: false
 matrix_mautrix_bluesky_homeserver_domain: '{{ matrix_domain }}'
 matrix_mautrix_bluesky_appservice_address: 'http://matrix-mautrix-bluesky:29340'
 

roles/custom/matrix-bridge-mautrix-bluesky/templates/config.yaml.j2

@@ -164,7 +164,7 @@ homeserver:
     # The bridge will use the appservice as_token to authorize requests.
     message_send_checkpoint_endpoint:
     # Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246?
-    async_media: false
+    async_media: {{ matrix_mautrix_bluesky_homeserver_async_media | to_json }}
 
     # Should the bridge use a websocket for connecting to the homeserver?
     # The server side is currently not documented anywhere and is only implemented by mautrix-wsproxy,

roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml

@@ -36,6 +36,9 @@ matrix_mautrix_discord_data_path: "{{ matrix_mautrix_discord_base_path }}/data"
 matrix_mautrix_discord_docker_src_files_path: "{{ matrix_mautrix_discord_base_path }}/docker-src"
 
 matrix_mautrix_discord_homeserver_address: ""
+# Whether asynchronous uploads via MSC2246 should be enabled for media.
+# Requires a homeserver that supports MSC2246 (https://github.com/matrix-org/matrix-spec-proposals/pull/2246).
+matrix_mautrix_discord_homeserver_async_media: false
 matrix_mautrix_discord_homeserver_domain: "{{ matrix_domain }}"
 matrix_mautrix_discord_appservice_address: "http://matrix-mautrix-discord:8080"
 

roles/custom/matrix-bridge-mautrix-discord/templates/config.yaml.j2

@@ -16,7 +16,7 @@ homeserver:
     # Endpoint for reporting per-message status.
     message_send_checkpoint_endpoint: null
     # Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246?
-    async_media: false
+    async_media: {{ matrix_mautrix_discord_homeserver_async_media | to_json }}
 
     # Should the bridge use a websocket for connecting to the homeserver?
     # The server side is currently not documented anywhere and is only implemented by mautrix-wsproxy,

roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml

@@ -37,6 +37,9 @@ matrix_mautrix_facebook_docker_src_files_path: "{{ matrix_mautrix_facebook_base_
 matrix_mautrix_facebook_command_prefix: "!fb"
 
 matrix_mautrix_facebook_homeserver_address: ""
+# Whether asynchronous uploads via MSC2246 should be enabled for media.
+# Requires a homeserver that supports MSC2246 (https://github.com/matrix-org/matrix-spec-proposals/pull/2246).
+matrix_mautrix_facebook_homeserver_async_media: false
 matrix_mautrix_facebook_homeserver_domain: '{{ matrix_domain }}'
 
 # Whether or not the public-facing endpoints should be enabled (web-based login)

roles/custom/matrix-bridge-mautrix-facebook/templates/config.yaml.j2

@@ -14,7 +14,7 @@ homeserver:
     asmux: false
     # Whether asynchronous uploads via MSC2246 should be enabled for media.
     # Requires a media repo that supports MSC2246.
-    async_media: false
+    async_media: {{ matrix_mautrix_facebook_homeserver_async_media | to_json }}
 
 # Application service host/registration related details
 # Changing these values requires regeneration of the registration.

roles/custom/matrix-bridge-mautrix-gmessages/defaults/main.yml

@@ -18,7 +18,7 @@ matrix_mautrix_gmessages_container_image_self_build_repo: "https://github.com/ma
 matrix_mautrix_gmessages_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_gmessages_version == 'latest' else matrix_mautrix_gmessages_version }}"
 
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/gmessages
-matrix_mautrix_gmessages_version: v0.6.4
+matrix_mautrix_gmessages_version: v0.6.5
 
 # See: https://mau.dev/mautrix/gmessages/container_registry
 matrix_mautrix_gmessages_docker_image: "{{ matrix_mautrix_gmessages_docker_image_registry_prefix }}mautrix/gmessages:{{ matrix_mautrix_gmessages_version }}"
@@ -33,6 +33,9 @@ matrix_mautrix_gmessages_data_path: "{{ matrix_mautrix_gmessages_base_path }}/da
 matrix_mautrix_gmessages_docker_src_files_path: "{{ matrix_mautrix_gmessages_base_path }}/docker-src"
 
 matrix_mautrix_gmessages_homeserver_address: ""
+# Whether asynchronous uploads via MSC2246 should be enabled for media.
+# Requires a homeserver that supports MSC2246 (https://github.com/matrix-org/matrix-spec-proposals/pull/2246).
+matrix_mautrix_gmessages_homeserver_async_media: false
 matrix_mautrix_gmessages_homeserver_domain: "{{ matrix_domain }}"
 matrix_mautrix_gmessages_appservice_address: "http://matrix-mautrix-gmessages:8080"
 

roles/custom/matrix-bridge-mautrix-gmessages/templates/config.yaml.j2

@@ -168,7 +168,7 @@ homeserver:
     # The bridge will use the appservice as_token to authorize requests.
     message_send_checkpoint_endpoint:
     # Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246?
-    async_media: false
+    async_media: {{ matrix_mautrix_gmessages_homeserver_async_media | to_json }}
 
     # Should the bridge use a websocket for connecting to the homeserver?
     # The server side is currently not documented anywhere and is only implemented by mautrix-wsproxy,

roles/custom/matrix-bridge-mautrix-meta-instagram/defaults/main.yml

@@ -20,7 +20,7 @@ matrix_mautrix_meta_instagram_enabled: true
 matrix_mautrix_meta_instagram_identifier: matrix-mautrix-meta-instagram
 
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/meta
-matrix_mautrix_meta_instagram_version: v0.5.2
+matrix_mautrix_meta_instagram_version: v0.5.3
 
 matrix_mautrix_meta_instagram_base_path: "{{ matrix_base_data_path }}/mautrix-meta-instagram"
 matrix_mautrix_meta_instagram_config_path: "{{ matrix_mautrix_meta_instagram_base_path }}/config"
@@ -116,6 +116,9 @@ matrix_mautrix_meta_instagram_database_sslmode: disable
 matrix_mautrix_meta_instagram_database_connection_string: 'postgres://{{ matrix_mautrix_meta_instagram_database_username }}:{{ matrix_mautrix_meta_instagram_database_password }}@{{ matrix_mautrix_meta_instagram_database_hostname }}:{{ matrix_mautrix_meta_instagram_database_port }}/{{ matrix_mautrix_meta_instagram_database_name }}?sslmode={{ matrix_mautrix_meta_instagram_database_sslmode }}'
 
 matrix_mautrix_meta_instagram_homeserver_address: ""
+# Whether asynchronous uploads via MSC2246 should be enabled for media.
+# Requires a homeserver that supports MSC2246 (https://github.com/matrix-org/matrix-spec-proposals/pull/2246).
+matrix_mautrix_meta_instagram_homeserver_async_media: false
 matrix_mautrix_meta_instagram_homeserver_domain: '{{ matrix_domain }}'
 matrix_mautrix_meta_instagram_homeserver_token: ''
 

roles/custom/matrix-bridge-mautrix-meta-instagram/templates/config.yaml.j2

@@ -181,7 +181,7 @@ homeserver:
     # The bridge will use the appservice as_token to authorize requests.
     message_send_checkpoint_endpoint:
     # Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246?
-    async_media: false
+    async_media: {{ matrix_mautrix_meta_instagram_homeserver_async_media | to_json }}
 
     # Should the bridge use a websocket for connecting to the homeserver?
     # The server side is currently not documented anywhere and is only implemented by mautrix-wsproxy,

roles/custom/matrix-bridge-mautrix-meta-messenger/defaults/main.yml

@@ -20,7 +20,7 @@ matrix_mautrix_meta_messenger_enabled: true
 matrix_mautrix_meta_messenger_identifier: matrix-mautrix-meta-messenger
 
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/meta
-matrix_mautrix_meta_messenger_version: v0.5.2
+matrix_mautrix_meta_messenger_version: v0.5.3
 
 matrix_mautrix_meta_messenger_base_path: "{{ matrix_base_data_path }}/mautrix-meta-messenger"
 matrix_mautrix_meta_messenger_config_path: "{{ matrix_mautrix_meta_messenger_base_path }}/config"
@@ -117,6 +117,9 @@ matrix_mautrix_meta_messenger_database_connection_string: 'postgres://{{ matrix_
 
 matrix_mautrix_meta_messenger_homeserver_address: ""
 matrix_mautrix_meta_messenger_homeserver_domain: '{{ matrix_domain }}'
+# Whether asynchronous uploads via MSC2246 should be enabled for media.
+# Requires a homeserver that supports MSC2246 (https://github.com/matrix-org/matrix-spec-proposals/pull/2246).
+matrix_mautrix_meta_messenger_homeserver_async_media: false
 matrix_mautrix_meta_messenger_homeserver_token: ''
 
 matrix_mautrix_meta_messenger_appservice_address: "http://{{ matrix_mautrix_meta_messenger_identifier }}:29319"

roles/custom/matrix-bridge-mautrix-meta-messenger/templates/config.yaml.j2

@@ -181,7 +181,7 @@ homeserver:
     # The bridge will use the appservice as_token to authorize requests.
     message_send_checkpoint_endpoint:
     # Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246?
-    async_media: false
+    async_media: {{ matrix_mautrix_meta_messenger_homeserver_async_media | to_json }}
 
     # Should the bridge use a websocket for connecting to the homeserver?
     # The server side is currently not documented anywhere and is only implemented by mautrix-wsproxy,

roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml

@@ -25,7 +25,7 @@ matrix_mautrix_signal_container_image_self_build_repo: "https://mau.dev/mautrix/
 matrix_mautrix_signal_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_signal_version == 'latest' else matrix_mautrix_signal_version }}"
 
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/signal
-matrix_mautrix_signal_version: v0.8.5
+matrix_mautrix_signal_version: v0.8.6
 
 # See: https://mau.dev/mautrix/signal/container_registry
 matrix_mautrix_signal_docker_image: "{{ matrix_mautrix_signal_docker_image_registry_prefix }}mautrix/signal:{{ matrix_mautrix_signal_docker_image_tag }}"
@@ -42,6 +42,9 @@ matrix_mautrix_signal_docker_src_files_path: "{{ matrix_mautrix_signal_base_path
 
 matrix_mautrix_signal_homeserver_address: ""
 matrix_mautrix_signal_homeserver_domain: "{{ matrix_domain }}"
+# Whether asynchronous uploads via MSC2246 should be enabled for media.
+# Requires a homeserver that supports MSC2246 (https://github.com/matrix-org/matrix-spec-proposals/pull/2246).
+matrix_mautrix_signal_homeserver_async_media: false
 matrix_mautrix_signal_appservice_address: "http://matrix-mautrix-signal:8080"
 
 matrix_mautrix_signal_msc4190_enabled: "{{ matrix_bridges_msc4190_enabled }}"

roles/custom/matrix-bridge-mautrix-signal/templates/config.yaml.j2

@@ -159,7 +159,7 @@ homeserver:
     # The bridge will use the appservice as_token to authorize requests.
     message_send_checkpoint_endpoint: null
     # Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246?
-    async_media: false
+    async_media: {{ matrix_mautrix_signal_homeserver_async_media | to_json }}
 
     # Should the bridge use a websocket for connecting to the homeserver?
     # The server side is currently not documented anywhere and is only implemented by mautrix-wsproxy,

roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml

@@ -17,7 +17,7 @@ matrix_mautrix_slack_container_image_self_build_repo: "https://mau.dev/mautrix/s
 matrix_mautrix_slack_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_slack_version == 'latest' else matrix_mautrix_slack_version }}"
 
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/slack
-matrix_mautrix_slack_version: v0.2.2
+matrix_mautrix_slack_version: v0.2.3
 # See: https://mau.dev/mautrix/slack/container_registry
 matrix_mautrix_slack_docker_image: "{{ matrix_mautrix_slack_docker_image_registry_prefix }}mautrix/slack:{{ matrix_mautrix_slack_version }}"
 matrix_mautrix_slack_docker_image_registry_prefix: "{{ 'localhost/' if matrix_mautrix_slack_container_image_self_build else matrix_mautrix_slack_docker_image_registry_prefix_upstream }}"
@@ -32,6 +32,9 @@ matrix_mautrix_slack_docker_src_files_path: "{{ matrix_mautrix_slack_base_path }
 
 matrix_mautrix_slack_homeserver_address: ""
 matrix_mautrix_slack_homeserver_domain: "{{ matrix_domain }}"
+# Whether asynchronous uploads via MSC2246 should be enabled for media.
+# Requires a homeserver that supports MSC2246 (https://github.com/matrix-org/matrix-spec-proposals/pull/2246).
+matrix_mautrix_slack_homeserver_async_media: false
 matrix_mautrix_slack_appservice_address: "http://matrix-mautrix-slack:8080"
 
 matrix_mautrix_slack_msc4190_enabled: "{{ matrix_bridges_msc4190_enabled }}"

roles/custom/matrix-bridge-mautrix-slack/templates/config.yaml.j2

@@ -197,7 +197,7 @@ homeserver:
     # The bridge will use the appservice as_token to authorize requests.
     message_send_checkpoint_endpoint:
     # Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246?
-    async_media: false
+    async_media: {{ matrix_mautrix_slack_homeserver_async_media | to_json }}
 
     # Should the bridge use a websocket for connecting to the homeserver?
     # The server side is currently not documented anywhere and is only implemented by mautrix-wsproxy,

roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml

@@ -79,6 +79,9 @@ matrix_mautrix_telegram_public_endpoint: "{{ matrix_mautrix_telegram_path_prefix
 
 matrix_mautrix_telegram_homeserver_address: ""
 matrix_mautrix_telegram_homeserver_domain: '{{ matrix_domain }}'
+# Whether asynchronous uploads via MSC2246 should be enabled for media.
+# Requires a homeserver that supports MSC2246 (https://github.com/matrix-org/matrix-spec-proposals/pull/2246).
+matrix_mautrix_telegram_homeserver_async_media: false
 matrix_mautrix_telegram_appservice_address: 'http://matrix-mautrix-telegram:8080'
 matrix_mautrix_telegram_appservice_public_external: '{{ matrix_mautrix_telegram_scheme }}://{{ matrix_mautrix_telegram_hostname }}{{ matrix_mautrix_telegram_public_endpoint }}'
 
@@ -230,12 +233,12 @@ matrix_mautrix_telegram_registration_yaml: |
   namespaces:
       users:
       - exclusive: true
-        regex: '^@telegram_.+:{{ matrix_mautrix_telegram_homeserver_domain | regex_escape }}$'
+        regex: '^@{{ matrix_mautrix_telegram_username_template | replace('{userid}', '.+') }}:{{ matrix_mautrix_telegram_homeserver_domain | regex_escape }}$'
       - exclusive: true
         regex: '^@{{ matrix_mautrix_telegram_appservice_bot_username | regex_escape }}:{{ matrix_mautrix_telegram_homeserver_domain | regex_escape }}$'
       aliases:
       - exclusive: true
-        regex: '^#telegram_.+:{{ matrix_mautrix_telegram_homeserver_domain | regex_escape }}$'
+        regex: '^#{{ matrix_mautrix_telegram_alias_template | replace('{groupname}', '.+') }}:{{ matrix_mautrix_telegram_homeserver_domain | regex_escape }}$'
   # See https://github.com/mautrix/signal/issues/43
   sender_localpart: _bot_{{ matrix_mautrix_telegram_appservice_bot_username }}
   url: {{ matrix_mautrix_telegram_appservice_address }}

roles/custom/matrix-bridge-mautrix-telegram/templates/config.yaml.j2

@@ -21,7 +21,7 @@ homeserver:
     message_send_checkpoint_endpoint: null
     # Whether asynchronous uploads via MSC2246 should be enabled for media.
     # Requires a media repo that supports MSC2246.
-    async_media: false
+    async_media: {{ matrix_mautrix_telegram_homeserver_async_media | to_json }}
 
 # Application service host/registration related details
 # Changing these values requires regeneration of the registration.

roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml

@@ -22,7 +22,7 @@ matrix_mautrix_twitter_container_image_self_build_repo: "https://github.com/maut
 matrix_mautrix_twitter_container_image_self_build_repo_version: "{{ 'master' if matrix_mautrix_twitter_version == 'latest' else matrix_mautrix_twitter_version }}"
 
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/twitter
-matrix_mautrix_twitter_version: v0.4.3
+matrix_mautrix_twitter_version: v0.5.0
 # See: https://mau.dev/tulir/mautrix-twitter/container_registry
 matrix_mautrix_twitter_docker_image: "{{ matrix_mautrix_twitter_docker_image_registry_prefix }}mautrix/twitter:{{ matrix_mautrix_twitter_version }}"
 matrix_mautrix_twitter_docker_image_registry_prefix: "{{ 'localhost/' if matrix_mautrix_twitter_container_image_self_build else matrix_mautrix_twitter_docker_image_registry_prefix_upstream }}"
@@ -36,6 +36,9 @@ matrix_mautrix_twitter_data_path: "{{ matrix_mautrix_twitter_base_path }}/data"
 matrix_mautrix_twitter_docker_src_files_path: "{{ matrix_mautrix_twitter_base_path }}/docker-src"
 
 matrix_mautrix_twitter_homeserver_address: ""
+# Whether asynchronous uploads via MSC2246 should be enabled for media.
+# Requires a homeserver that supports MSC2246 (https://github.com/matrix-org/matrix-spec-proposals/pull/2246).
+matrix_mautrix_twitter_homeserver_async_media: false
 matrix_mautrix_twitter_homeserver_domain: '{{ matrix_domain }}'
 matrix_mautrix_twitter_appservice_address: 'http://matrix-mautrix-twitter:29327'
 

roles/custom/matrix-bridge-mautrix-twitter/templates/config.yaml.j2

@@ -164,7 +164,7 @@ homeserver:
     # The bridge will use the appservice as_token to authorize requests.
     message_send_checkpoint_endpoint:
     # Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246?
-    async_media: false
+    async_media: {{ matrix_mautrix_twitter_homeserver_async_media | to_json }}
 
     # Should the bridge use a websocket for connecting to the homeserver?
     # The server side is currently not documented anywhere and is only implemented by mautrix-wsproxy,

roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml

@@ -28,7 +28,7 @@ matrix_mautrix_whatsapp_container_image_self_build_repo: "https://mau.dev/mautri
 matrix_mautrix_whatsapp_container_image_self_build_branch: "{{ 'master' if matrix_mautrix_whatsapp_version == 'latest' else matrix_mautrix_whatsapp_version }}"
 
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/whatsapp
-matrix_mautrix_whatsapp_version: v0.12.3
+matrix_mautrix_whatsapp_version: v0.12.4
 
 # See: https://mau.dev/mautrix/whatsapp/container_registry
 matrix_mautrix_whatsapp_docker_image: "{{ matrix_mautrix_whatsapp_docker_image_registry_prefix }}mautrix/whatsapp:{{ matrix_mautrix_whatsapp_version }}"
@@ -44,6 +44,9 @@ matrix_mautrix_whatsapp_docker_src_files_path: "{{ matrix_mautrix_whatsapp_base_
 
 matrix_mautrix_whatsapp_homeserver_address: ""
 matrix_mautrix_whatsapp_homeserver_domain: "{{ matrix_domain }}"
+# Whether asynchronous uploads via MSC2246 should be enabled for media.
+# Requires a homeserver that supports MSC2246 (https://github.com/matrix-org/matrix-spec-proposals/pull/2246).
+matrix_mautrix_whatsapp_homeserver_async_media: false
 matrix_mautrix_whatsapp_appservice_address: "http://matrix-mautrix-whatsapp:8080"
 
 matrix_mautrix_whatsapp_msc4190_enabled: "{{ matrix_bridges_msc4190_enabled }}"

roles/custom/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2

@@ -255,7 +255,7 @@ homeserver:
     # The bridge will use the appservice as_token to authorize requests.
     message_send_checkpoint_endpoint:
     # Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246?
-    async_media: false
+    async_media: {{ matrix_mautrix_whatsapp_homeserver_async_media | to_json }}
 
     # Should the bridge use a websocket for connecting to the homeserver?
     # The server side is currently not documented anywhere and is only implemented by mautrix-wsproxy,

roles/custom/matrix-bridge-wechat/defaults/main.yml

@@ -47,6 +47,9 @@ matrix_wechat_agent_container_src_files_path: "{{ matrix_wechat_base_path }}/age
 
 matrix_wechat_homeserver_address: ""
 matrix_wechat_homeserver_domain: "{{ matrix_domain }}"
+# Whether asynchronous uploads via MSC2246 should be enabled for media.
+# Requires a homeserver that supports MSC2246 (https://github.com/matrix-org/matrix-spec-proposals/pull/2246).
+matrix_wechat_homeserver_async_media: false
 matrix_wechat_appservice_address: 'http://matrix-wechat:8080'
 
 matrix_wechat_container_network: ""

roles/custom/matrix-bridge-wechat/templates/config.yaml.j2

@@ -16,7 +16,7 @@ homeserver:
     # Endpoint for reporting per-message status.
     message_send_checkpoint_endpoint: null
     # Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246?
-    async_media: false
+    async_media: {{ matrix_wechat_homeserver_async_media | to_json }}
 
     # Should the bridge use a websocket for connecting to the homeserver?
     # The server side is currently not documented anywhere and is only implemented by mautrix-wsproxy,

roles/custom/matrix-client-cinny/defaults/main.yml

@@ -17,7 +17,7 @@ matrix_client_cinny_container_image_self_build: false
 matrix_client_cinny_container_image_self_build_repo: "https://github.com/ajbura/cinny.git"
 
 # renovate: datasource=docker depName=ajbura/cinny
-matrix_client_cinny_version: v4.9.0
+matrix_client_cinny_version: v4.10.0
 matrix_client_cinny_docker_image: "{{ matrix_client_cinny_docker_image_registry_prefix }}ajbura/cinny:{{ matrix_client_cinny_version }}"
 matrix_client_cinny_docker_image_registry_prefix: "{{ 'localhost/' if matrix_client_cinny_container_image_self_build else matrix_client_cinny_docker_image_registry_prefix_upstream }}"
 matrix_client_cinny_docker_image_registry_prefix_upstream: "{{ matrix_client_cinny_docker_image_registry_prefix_upstream_default }}"

roles/custom/matrix-client-element/defaults/main.yml

@@ -29,7 +29,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/eleme
 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}"
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/element-web
-matrix_client_element_version: v1.11.109
+matrix_client_element_version: v1.11.110
 
 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_registry_prefix }}element-hq/element-web:{{ matrix_client_element_version }}"
 matrix_client_element_docker_image_registry_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_client_element_docker_image_registry_prefix_upstream }}"
@@ -186,6 +186,7 @@ matrix_client_element_integrations_rest_url: "https://scalar.vector.im/api"
 matrix_client_element_integrations_widgets_urls: ["https://scalar.vector.im/api"]
 matrix_client_element_integrations_jitsi_widget_url: "https://scalar.vector.im/api/widgets/jitsi.html"
 matrix_client_element_permalink_prefix: "https://matrix.to"  # noqa var-naming
+matrix_client_element_mobile_guide_app_variant: "element"
 matrix_client_element_bug_report_endpoint_url: "https://element.io/bugreports/submit"
 matrix_client_element_show_lab_settings: true  # noqa var-naming
 # Element public room directory server(s)

roles/custom/matrix-client-element/templates/config.json.j2

@@ -11,6 +11,7 @@
 	"setting_defaults": {
 		"custom_themes": {{ matrix_client_element_setting_defaults_custom_themes | to_json }}
 	},
+	"mobile_guide_app_variant": {{ matrix_client_element_mobile_guide_app_variant | string | to_json }},
 	"default_theme": {{ matrix_client_element_default_theme | string | to_json }},
 	"default_country_code": {{ matrix_client_element_default_country_code | string | to_json }},
 	"permalink_prefix": {{ matrix_client_element_permalink_prefix | string | to_json }},

roles/custom/matrix-client-fluffychat/defaults/main.yml

@@ -13,7 +13,7 @@ matrix_client_fluffychat_container_image_self_build_repo: "https://github.com/et
 matrix_client_fluffychat_container_image_self_build_version: "{{ 'main' if matrix_client_fluffychat_version == 'latest' else matrix_client_fluffychat_version }}"
 
 # renovate: datasource=docker depName=ghcr.io/etkecc/fluffychat-web
-matrix_client_fluffychat_version: v2.0.0
+matrix_client_fluffychat_version: v2.1.1
 matrix_client_fluffychat_docker_image: "{{ matrix_client_fluffychat_docker_image_registry_prefix }}etkecc/fluffychat-web:{{ matrix_client_fluffychat_version }}"
 matrix_client_fluffychat_docker_image_registry_prefix: "{{ 'localhost/' if matrix_client_fluffychat_container_image_self_build else matrix_client_fluffychat_docker_image_registry_prefix_upstream }}"
 matrix_client_fluffychat_docker_image_registry_prefix_upstream: "{{ matrix_client_fluffychat_docker_image_registry_prefix_upstream_default }}"

roles/custom/matrix-client-schildichat/defaults/main.yml

@@ -19,7 +19,7 @@ matrix_client_schildichat_container_image_self_build_version: "{{ 'lite' if matr
 matrix_client_schildichat_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}"
 
 # renovate: datasource=docker depName=ghcr.io/etkecc/schildichat-web
-matrix_client_schildichat_version: 1.11.103-sc.0.test.0
+matrix_client_schildichat_version: 1.11.109-sc.0.test.0
 matrix_client_schildichat_docker_image: "{{ matrix_client_schildichat_docker_image_registry_prefix }}etkecc/schildichat-web:{{ matrix_client_schildichat_version }}"
 matrix_client_schildichat_docker_image_registry_prefix: "{{ 'localhost/' if matrix_client_schildichat_container_image_self_build else matrix_client_schildichat_docker_image_registry_prefix_upstream }}"
 matrix_client_schildichat_docker_image_registry_prefix_upstream: "{{ matrix_client_schildichat_docker_image_registry_prefix_upstream_default }}"

roles/custom/matrix-corporal/defaults/main.yml

@@ -16,7 +16,7 @@
 matrix_corporal_enabled: true
 
 # renovate: datasource=docker depName=ghcr.io/devture/matrix-corporal
-matrix_corporal_version: 3.1.4
+matrix_corporal_version: 3.1.6
 
 matrix_corporal_container_image_self_build: false
 matrix_corporal_container_image_self_build_repo: "https://github.com/devture/matrix-corporal.git"

roles/custom/matrix-dendrite/defaults/main.yml

@@ -29,7 +29,7 @@ matrix_dendrite_docker_image_registry_prefix: "{{ 'localhost/' if matrix_dendrit
 matrix_dendrite_docker_image_registry_prefix_upstream: "{{ matrix_dendrite_docker_image_registry_prefix_upstream_default }}"
 matrix_dendrite_docker_image_registry_prefix_upstream_default: docker.io/
 # renovate: datasource=docker depName=matrixdotorg/dendrite-monolith
-matrix_dendrite_docker_image_tag: "v0.15.1"
+matrix_dendrite_docker_image_tag: "v0.15.2"
 matrix_dendrite_docker_image_force_pull: "{{ matrix_dendrite_docker_image.endswith(':latest') }}"
 
 matrix_dendrite_base_path: "{{ matrix_base_data_path }}/dendrite"

roles/custom/matrix-element-call/defaults/main.yml

@@ -21,7 +21,7 @@ matrix_element_call_enabled: false
 matrix_rtc_enabled: "{{ matrix_element_call_enabled }}"
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/element-call
-matrix_element_call_version: v0.14.1
+matrix_element_call_version: v0.15.0
 
 matrix_element_call_scheme: https
 

roles/custom/matrix-rageshake/defaults/main.yml

@@ -24,7 +24,7 @@ matrix_rageshake_path_prefix: /
 # There are no stable container image tags yet.
 # See: https://github.com/matrix-org/rageshake/issues/69
 # renovate: datasource=docker depName=ghcr.io/matrix-org/rageshake
-matrix_rageshake_version: 1.16.2
+matrix_rageshake_version: 1.16.3
 
 matrix_rageshake_base_path: "{{ matrix_base_data_path }}/rageshake"
 matrix_rageshake_config_path: "{{ matrix_rageshake_base_path }}/config"

roles/custom/matrix-synapse-admin/defaults/main.yml

@@ -25,7 +25,7 @@ matrix_synapse_admin_container_image_self_build: false
 matrix_synapse_admin_container_image_self_build_repo: "https://github.com/etkecc/synapse-admin.git"
 
 # renovate: datasource=docker depName=ghcr.io/etkecc/synapse-admin
-matrix_synapse_admin_version: v0.11.1-etke45
+matrix_synapse_admin_version: v0.11.1-etke47
 matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_registry_prefix }}etkecc/synapse-admin:{{ matrix_synapse_admin_version }}"
 matrix_synapse_admin_docker_image_registry_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_image_self_build else matrix_synapse_admin_docker_image_registry_prefix_upstream }}"
 matrix_synapse_admin_docker_image_registry_prefix_upstream: "{{ matrix_synapse_admin_docker_image_registry_prefix_upstream_default }}"
@@ -166,6 +166,8 @@ matrix_synapse_admin_path_prefix: /synapse-admin
 # This is unlike what it does when looking up YAML template files (no automatic parsing there).
 matrix_synapse_admin_configuration_default:
   restrictBaseUrl: "{{ matrix_synapse_admin_config_restrictBaseUrl }}"
+  externalAuthProvider: "{{ matrix_synapse_admin_config_externalAuthProvider }}"
+  corsCredentials: "{{ matrix_synapse_admin_config_corsCredentials }}"
   asManagedUsers: "{{ matrix_synapse_admin_config_asManagedUsers }}"
   menu: "{{ matrix_synapse_admin_config_menu }}"
 
@@ -197,7 +199,16 @@ matrix_synapse_admin_configuration: "{{ matrix_synapse_admin_configuration_defau
 
 # Controls the restrictBaseUrl configuration setting, which, if defined,
 # restricts the homeserver(s), so that the user can no longer define a homeserver manually during login.
-matrix_synapse_admin_config_restrictBaseUrl: "{{ [matrix_homeserver_url] }}"  # noqa var-naming
+matrix_synapse_admin_config_restrictBaseUrl: "{{ matrix_homeserver_url }}"  # noqa var-naming
+
+# Controls the externalAuthProvider configuration setting, which, if defined,
+# enables a special compatibility mode that works better for external auth providers like LDAP, MAS, etc.
+matrix_synapse_admin_config_externalAuthProvider: false  # noqa var-naming
+
+# Controls the corsCredentials configuration setting, which, if defined,
+# allows including credentials (cookies, authorization headers, or TLS client certificates) in requests
+# ref: https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API/Using_Fetch#including_credentials
+matrix_synapse_admin_config_corsCredentials: "same-origin"  # noqa var-naming
 
 # Controls the menu configuration setting, which, if defined, adds new menu items to the Synapse Admin UI.
 # The format is a list of objects, where each object has the following keys:

roles/custom/matrix-synapse/defaults/main.yml

@@ -16,7 +16,7 @@ matrix_synapse_enabled: true
 matrix_synapse_github_org_and_repo: element-hq/synapse
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/synapse
-matrix_synapse_version: v1.136.0
+matrix_synapse_version: v1.137.0
 
 matrix_synapse_username: ''
 matrix_synapse_uid: ''
@@ -374,6 +374,10 @@ matrix_synapse_registration_shared_secret: "{{ matrix_synapse_macaroon_secret_ke
 matrix_synapse_allow_guest_access: false
 matrix_synapse_form_secret: "{{ matrix_synapse_macaroon_secret_key }}"
 
+
+# Controls how to reach server admin, used in ResouceLimitError
+matrix_synapse_admin_contact: ~
+
 matrix_synapse_max_upload_size_mb: 50
 
 # Controls whether local media should be removed under certain conditions, typically for the purpose of saving space.
@@ -1216,13 +1220,6 @@ matrix_synapse_email_app_name: Matrix
 matrix_synapse_email_client_base_url: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}://{{ matrix_server_fqn_element }}"
 matrix_synapse_email_invite_client_location: "https://app.element.io"
 
-
-################################################################################
-#
-# Next-generation auth for Matrix, based on OAuth 2.0/OIDC
-#
-################################################################################
-
 # Controls whether to enable the "send typing, presence and receipts to appservices" experimental feature.
 #
 # See:
@@ -1244,50 +1241,29 @@ matrix_synapse_experimental_features_msc3202_device_masquerading_enabled: false
 # - https://matrix-org.github.io/matrix-hookshot/latest/advanced/encryption.html#running-with-synapse
 matrix_synapse_experimental_features_msc3202_transaction_extensions_enabled: false
 
-# Controls whether to enable the "Next-generation auth for Matrix, based on OAuth 2.0/OIDC" experimental feature.
+################################################################################
 #
+# Next-generation auth for Matrix, based on OAuth 2.0/OIDC
+#
+################################################################################
+
+# Controls whether to enable "Matrix Authentication Service" integration ("Next-generation auth for Matrix, based on OAuth 2.0/OIDC").
 # See:
+# - https://github.com/element-hq/matrix-authentication-service
 # - https://matrix.org/blog/2023/09/better-auth/
 # - https://github.com/matrix-org/matrix-spec-proposals/pull/3861
-matrix_synapse_experimental_features_msc3861_enabled: false
+matrix_synapse_matrix_authentication_service_enabled: false
 
-# Specifies the issuer URL for the OAuth 2.0/OIDC authentication provider.
-#
-# This can be set to a private (container) URL.
-#
-# Example: https://matrix.example.com/auth/
-matrix_synapse_experimental_features_msc3861_issuer: ''
+# Specifies the base URL where the Matrix Authentication Service is running.
+matrix_synapse_matrix_authentication_service_endpoint: ""
 
-# Specifies the introspection endpoint URL for the OAuth 2.0/OIDC authentication provider.
-#
-# This can be set to a private (container) URL.
-#
-# If this is left empty, `{issuer}/.well-known/openid-configuration` will be fetched and the `introspection_endpoint` will be extracted from there.
-# We define it explicitly, because this allows us to override it and use an internal (container network) URL instead of using the public one.
-# Avoiding public addresses is an optimization that decreases overhead due to public networking and SSL termination.
-#
-# Example: https://matrix.example.com/auth/oauth2/introspect
-matrix_synapse_experimental_features_msc3861_introspection_endpoint: "{{ matrix_synapse_experimental_features_msc3861_issuer + 'oauth2/introspect' }}"
-
-# A unique identifier for the client.
-#
-# It must be a valid ULID (https://github.com/ulid/spec),
-# and it happens that 0000000000000000000SYNAPSE is a valid ULID.
-matrix_synapse_experimental_features_msc3861_client_id: '0000000000000000000SYNAPSE'
-
-matrix_synapse_experimental_features_msc3861_client_auth_method: client_secret_basic
-
-matrix_synapse_experimental_features_msc3861_client_secret: ''
-
-# A token that can be used to make admin API calls.
-# Matches `matrix.secret` in the matrix-authentication-service config
-matrix_synapse_experimental_features_msc3861_admin_token: ''
-
-# URL to advertise to clients where users can self-manage their account.
-matrix_synapse_experimental_features_msc3861_account_management_url: ''
+# Specifies the shared secret used to authenticate Matrix Authentication Service requests.
+# Must be the same as `matrix.secret` in the Matrix Authentication Service configuration.
+# See https://element-hq.github.io/matrix-authentication-service/reference/configuration.html#matrix
+matrix_synapse_matrix_authentication_service_secret: ""
 
 # Controls whether to enable the "QR code login" experimental feature.
-# Enabling this requires that MSC3861 (see `matrix_synapse_experimental_features_msc3861_enabled`) is also enabled.
+# Enabling this requires that Matrix Authentication Service integration (see `matrix_synapse_matrix_authentication_service_enabled`) is also enabled.
 matrix_synapse_experimental_features_msc4108_enabled: false
 
 ################################################################################

roles/custom/matrix-synapse/tasks/main.yml

@@ -62,7 +62,7 @@
 - tags:
     - register-user
   block:
-    - when: matrix_synapse_enabled and not matrix_synapse_experimental_features_msc3861_enabled
+    - when: matrix_synapse_enabled and not matrix_synapse_matrix_authentication_service_enabled
       ansible.builtin.include_tasks: "{{ role_path }}/tasks/register_user.yml"
 
 - tags:

roles/custom/matrix-synapse/tasks/validate_config.yml

@@ -39,23 +39,11 @@
     - {'name': 'matrix_synapse_metrics_proxying_hostname', when: "{{ matrix_synapse_metrics_proxying_enabled }}"}
     - {'name': 'matrix_synapse_metrics_proxying_path_prefix', when: "{{ matrix_synapse_metrics_proxying_enabled }}"}
 
-    - {'name': 'matrix_synapse_experimental_features_msc3861_issuer', when: "{{ matrix_synapse_experimental_features_msc3861_enabled }}"}
-    - {'name': 'matrix_synapse_experimental_features_msc3861_client_id', when: "{{ matrix_synapse_experimental_features_msc3861_enabled }}"}
-    - {'name': 'matrix_synapse_experimental_features_msc3861_client_auth_method', when: "{{ matrix_synapse_experimental_features_msc3861_enabled }}"}
-    - {'name': 'matrix_synapse_experimental_features_msc3861_client_secret', when: "{{ matrix_synapse_experimental_features_msc3861_enabled }}"}
-    - {'name': 'matrix_synapse_experimental_features_msc3861_admin_token', when: "{{ matrix_synapse_experimental_features_msc3861_enabled }}"}
-    - {'name': 'matrix_synapse_experimental_features_msc3861_account_management_url', when: "{{ matrix_synapse_experimental_features_msc3861_enabled }}"}
+    - {'name': 'matrix_synapse_matrix_authentication_service_endpoint', when: "{{ matrix_synapse_matrix_authentication_service_enabled }}"}
+    - {'name': 'matrix_synapse_matrix_authentication_service_secret', when: "{{ matrix_synapse_matrix_authentication_service_enabled }}"}
 
     - {'name': 'matrix_synapse_container_labels_traefik_compression_middleware_name', when: "{{ matrix_synapse_container_labels_traefik_compression_middleware_enabled }}"}
 
-# If only MSC 4108 is enabled, Synapse fails with: "MSC4108 requires MSC3861 to be enabled"
-- name: Fail if Synapse experimental feature QR code login (MSC4108) is enabled while Next-Gen Auth (MSC3861) is not
-  ansible.builtin.fail:
-    msg: >-
-      QR code login (MSC4108) requires Next-Gen Auth (MSC3861) to be enabled or Synapse will fail to start.
-      Enable `matrix_synapse_experimental_features_msc3861_enabled` when using `matrix_synapse_experimental_features_msc4108_enabled`.
-  when: "matrix_synapse_experimental_features_msc4108_enabled and not matrix_synapse_experimental_features_msc3861_enabled"
-
 - name: Fail if asking for more than 1 instance of single-instance workers
   ansible.builtin.fail:
     msg: >-
@@ -121,6 +109,14 @@
     - {'old': 'matrix_s3_goofys_docker_image_name_prefix', 'new': 'matrix_s3_goofys_docker_image_registry_prefix'}
     - {'old': 'matrix_synapse_rust_synapse_compress_state_docker_image_name_prefix', 'new': 'matrix_synapse_rust_synapse_compress_state_docker_image_registry_prefix'}
 
+    - {'old': 'matrix_synapse_experimental_features_msc3861_enabled', 'new': 'matrix_synapse_matrix_authentication_service_enabled'}
+    - {'old': 'matrix_synapse_experimental_features_msc3861_issuer', 'new': '<superseded by matrix_synapse_matrix_authentication_service_endpoint>'}
+    - {'old': 'matrix_synapse_experimental_features_msc3861_client_id', 'new': '<removed>'}
+    - {'old': 'matrix_synapse_experimental_features_msc3861_client_auth_method', 'new': '<removed>'}
+    - {'old': 'matrix_synapse_experimental_features_msc3861_client_secret', 'new': '<removed>'}
+    - {'old': 'matrix_synapse_experimental_features_msc3861_admin_token', 'new': '<removed>'}
+    - {'old': 'matrix_synapse_experimental_features_msc3861_account_management_url', 'new': '<removed>'}
+
 - name: (Deprecation) Catch and report renamed settings in matrix_synapse_configuration_extension_yaml
   ansible.builtin.fail:
     msg: >-
@@ -163,8 +159,8 @@
 
 - name: Fail if known Synapse password provider modules are enabled when auth is delegated to Matrix Authentication Service
   ansible.builtin.fail:
-    msg: "When Synapse is delegating authentication to Matrix Authentication Service, it does not make sense to enable password provider modules, because it is not Synapse that is handling authentication. Please disable {{ item }} before enabling Matrix Authentication Service integration for Synapse. Synapse will refuse to start otherwise."
-  when: matrix_synapse_experimental_features_msc3861_enabled and vars[item] | bool
+    msg: "When Synapse is delegating authentication to Matrix Authentication Service (`matrix_synapse_matrix_authentication_service_enabled: true`), it does not make sense to enable password provider modules, because it is not Synapse that is handling authentication. Please disable {{ item }} before enabling Matrix Authentication Service integration for Synapse. Synapse will refuse to start otherwise."
+  when: matrix_synapse_matrix_authentication_service_enabled and vars[item] | bool
   with_items:
     - matrix_synapse_ext_password_provider_rest_auth_enabled
     - matrix_synapse_ext_password_provider_shared_secret_auth_enabled
@@ -172,10 +168,30 @@
 
 - name: Fail if password config is enabled for Synapse when auth is delegated to Matrix Authentication Service
   ansible.builtin.fail:
-    msg: "When Synapse is delegating authentication to Matrix Authentication Service, it doesn't make sense to enable the password config (`matrix_synapse_password_config_enabled: true`), because it is not Synapse that is handling authentication. Please remove your `matrix_synapse_password_config_enabled: true` setting before enabling Matrix Authentication Service integration for Synapse. Synapse will refuse to start otherwise."
-  when: matrix_synapse_experimental_features_msc3861_enabled and matrix_synapse_password_config_enabled
+    msg: "When Synapse is delegating authentication to Matrix Authentication Service (`matrix_synapse_matrix_authentication_service_enabled: true`), it doesn't make sense to enable the password config (`matrix_synapse_password_config_enabled: true`), because it is not Synapse that is handling authentication. Please remove your `matrix_synapse_password_config_enabled: true` setting before enabling Matrix Authentication Service integration for Synapse. Synapse will refuse to start otherwise."
+  when: matrix_synapse_matrix_authentication_service_enabled and matrix_synapse_password_config_enabled
 
-- name: Fail if QR code login (MSC4108) is enabled while Next-Gen Auth (MSC3861) is not
+- name: Fail if registration is enabled for Synapse when auth is delegated to Matrix Authentication Service
   ansible.builtin.fail:
-    msg: "When Synapse QR code login is enabled (MSC4108 via `matrix_synapse_experimental_features_msc4108_enabled`), Next-Gen auth (MSC3861 via `matrix_synapse_experimental_features_msc3861_enabled`) must also be enabled."
-  when: matrix_synapse_experimental_features_msc4108_enabled and not matrix_synapse_experimental_features_msc3861_enabled
+    msg: "When Synapse is delegating authentication to Matrix Authentication Service (`matrix_synapse_matrix_authentication_service_enabled: true`), it doesn't make sense to enable registration (`matrix_synapse_enable_registration: true`), because it is not Synapse that is handling authentication. Synapse will refuse to start otherwise."
+  when: matrix_synapse_matrix_authentication_service_enabled and matrix_synapse_enable_registration
+
+- name: Fail if registration CAPTCHA is enabled for Synapse when auth is delegated to Matrix Authentication Service
+  ansible.builtin.fail:
+    msg: "When Synapse is delegating authentication to Matrix Authentication Service (`matrix_synapse_matrix_authentication_service_enabled: true`), it doesn't make sense to enable registration CAPTCHA (`matrix_synapse_enable_registration_captcha: true`), because it is not Synapse that is handling authentication. Synapse will refuse to start otherwise."
+  when: matrix_synapse_matrix_authentication_service_enabled and matrix_synapse_enable_registration_captcha
+
+- name: Fail if OpenID Connect is enabled for Synapse when auth is delegated to Matrix Authentication Service
+  ansible.builtin.fail:
+    msg: "When Synapse is delegating authentication to Matrix Authentication Service (`matrix_synapse_matrix_authentication_service_enabled: true`), it doesn't make sense to enable OpenID Connect (`matrix_synapse_oidc_enabled: true`), because it is not Synapse that is handling authentication. Synapse will refuse to start otherwise."
+  when: matrix_synapse_matrix_authentication_service_enabled and matrix_synapse_oidc_enabled
+
+- name: Fail if CAS config is enabled for Synapse when auth is delegated to Matrix Authentication Service
+  ansible.builtin.fail:
+    msg: "When Synapse is delegating authentication to Matrix Authentication Service (`matrix_synapse_matrix_authentication_service_enabled: true`), it doesn't make sense to enable CAS config (`matrix_synapse_cas_config_enabled: true`), because it is not Synapse that is handling authentication. Synapse will refuse to start otherwise."
+  when: matrix_synapse_matrix_authentication_service_enabled and matrix_synapse_cas_config_enabled
+
+- name: Fail if QR code login (MSC4108) is enabled while Matrix Authentication Service is not
+  ansible.builtin.fail:
+    msg: "When Synapse QR code login is enabled (MSC4108 via `matrix_synapse_experimental_features_msc4108_enabled`), Matrix Authentication Service integration (`matrix_synapse_matrix_authentication_service_enabled`) must also be enabled."
+  when: matrix_synapse_experimental_features_msc4108_enabled and not matrix_synapse_matrix_authentication_service_enabled

roles/custom/matrix-synapse/templates/synapse/bin/register-user.j2

@@ -1,7 +1,7 @@
 #jinja2: lstrip_blocks: True
 #!/bin/bash
 
-{% if matrix_synapse_experimental_features_msc3861_enabled %}
+{% if matrix_synapse_matrix_authentication_service_enabled %}
 	echo "Registering users is handled by the Matrix Authentication Service, so you cannot use this script anymore."
 	echo "Consider using the {{ matrix_synapse_register_user_script_matrix_authentication_service_path }} script instead."
 	exit 2

roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2

@@ -391,7 +391,7 @@ manhole_settings:
 
 # How to reach the server admin, used in ResourceLimitError
 #
-#admin_contact: 'mailto:admin@example.com'
+admin_contact: {{ matrix_synapse_admin_contact | to_json }}
 
 # Global blocking
 #
@@ -2971,6 +2971,14 @@ background_updates:
     #
     #default_batch_size: 50
 
+
+{% if matrix_synapse_matrix_authentication_service_enabled %}
+matrix_authentication_service:
+  enabled: true
+  endpoint: {{ matrix_synapse_matrix_authentication_service_endpoint | to_json }}
+  secret: {{ matrix_synapse_matrix_authentication_service_secret | to_json }}
+{% endif %}
+
 experimental_features:
   {% if matrix_synapse_experimental_features_msc2409_to_device_messages_enabled %}
   msc2409_to_device_messages_enabled: true
@@ -2984,17 +2992,6 @@ experimental_features:
   {% if matrix_synapse_experimental_features_msc3266_enabled %}
   msc3266_enabled: true
   {% endif %}
-  {% if matrix_synapse_experimental_features_msc3861_enabled %}
-  msc3861:
-    enabled: true
-    issuer: {{ matrix_synapse_experimental_features_msc3861_issuer | to_json }}
-    introspection_endpoint: {{ matrix_synapse_experimental_features_msc3861_introspection_endpoint | to_json }}
-    client_id: {{ matrix_synapse_experimental_features_msc3861_client_id | to_json }}
-    client_auth_method: {{ matrix_synapse_experimental_features_msc3861_client_auth_method | to_json }}
-    client_secret: {{ matrix_synapse_experimental_features_msc3861_client_secret | to_json }}
-    admin_token: {{ matrix_synapse_experimental_features_msc3861_admin_token | to_json }}
-    account_management_url: {{ matrix_synapse_experimental_features_msc3861_account_management_url | to_json }}
-  {% endif %}
   {% if matrix_synapse_experimental_features_msc4108_enabled %}
   msc4108_enabled: true
   {% endif %}

roles/custom/matrix_playbook_migration/tasks/main.yml

@@ -10,7 +10,7 @@
   block:
     - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
 
-- when: ansible_os_family == 'Debian' and matrix_playbook_docker_installation_enabled | bool and matrix_playbook_migration_debian_signedby_migration_enabled | bool
+- when: ansible_facts.os_family == 'Debian' and matrix_playbook_docker_installation_enabled | bool and matrix_playbook_migration_debian_signedby_migration_enabled | bool
   tags:
     - setup-all
     - install-all
@@ -19,7 +19,7 @@
   block:
     - ansible.builtin.include_tasks: "{{ role_path }}/tasks/debian_docker_signedby_migration.yml"
 
-- when: ansible_os_family == 'Debian' and matrix_playbook_docker_installation_enabled | bool and matrix_playbook_migration_docker_trusted_gpg_d_migration_enabled | bool
+- when: ansible_facts.os_family == 'Debian' and matrix_playbook_docker_installation_enabled | bool and matrix_playbook_migration_docker_trusted_gpg_d_migration_enabled | bool
   tags:
     - setup-all
     - install-all