chore(deps): update dependency prometheus_postgres_exporter to v0.18.1-0

chore(deps): update dependency etherpad to v2.5.0-3
chore(deps): update dependency jitsi to v10532
2026-01-31 17:03:29 +03:00 · 2025-09-30 10:19:49 +03:00 · 2025-09-30 06:17:38 +03:00 · 2025-09-30 06:17:27 +03:00 · 2025-09-29 10:21:19 +03:00 · 2025-09-28 06:51:49 +03:00
95 changed files with 1416 additions and 160 deletions
--- a/.github/workflows/close-stale-issues.yml
+++ b/.github/workflows/close-stale-issues.yml
@@ -19,7 +19,7 @@ jobs:
    if: github.repository == 'spantaleev/matrix-docker-ansible-deploy'
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/stale@v9
+      - uses: actions/stale@v10
        with:
          ######################################################################
          # Issues/PRs
--- a/.github/workflows/matrix.yml
+++ b/.github/workflows/matrix.yml
@@ -26,7 +26,7 @@ jobs:
        uses: actions/checkout@v5
      - name: Run ansible-lint
-        uses: ansible/ansible-lint@v25.8.1
+        uses: ansible/ansible-lint@v25.9.0
        with:
          args: "roles/custom"
          setup_python: "true"
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -21,6 +21,6 @@ repos:
      - id: codespell
        args: ["--skip=*.po,*.pot,i18n/"]
  - repo: https://github.com/fsfe/reuse-tool  # https://reuse.software/dev/#pre-commit-hook
-    rev: v5.0.2
+    rev: v5.1.1
    hooks:
      - id: reuse
--- a/README.md
+++ b/README.md
@@ -141,6 +141,7 @@ Bridges can be used to connect your Matrix installation with third-party communi
 | [mx-puppet-discord](https://gitlab.com/mx-puppet/discord/mx-puppet-discord) | ❌ | Bridge to [Discord](https://discordapp.com/) | [Link](docs/configuring-playbook-bridge-mx-puppet-discord.md) |
 | [mx-puppet-groupme](https://gitlab.com/xangelix-pub/matrix/mx-puppet-groupme) | ❌ | Bridge to [GroupMe](https://groupme.com/) | [Link](docs/configuring-playbook-bridge-mx-puppet-groupme.md) |
 | [mx-puppet-steam](https://github.com/icewind1991/mx-puppet-steam) | ❌ | Bridge to [Steam](https://steamapp.com/) | [Link](docs/configuring-playbook-bridge-mx-puppet-steam.md) |
 | [matrix-steam-bridge](https://github.com/jasonlaguidice/matrix-steam-bridge) | ❌ | Bridge to [Steam](https://steampowered.com/) | [Link](docs/configuring-playbook-bridge-steam.md) |
 | [Postmoogle](https://github.com/etkecc/postmoogle) | ❌ | Email to Matrix bridge | [Link](docs/configuring-playbook-bridge-postmoogle.md) |
 ### Bots
--- a/docs/ansible.md
+++ b/docs/ansible.md
@@ -20,10 +20,13 @@ To manually check which version of Ansible you're on, run: `ansible --version`.
 For the **best experience**, we recommend getting the **latest version of Ansible available**.
-We're not sure what's the minimum version of Ansible that can run this playbook successfully. The lowest version that we've confirmed (on 2022-11-26) to be working fine is: `ansible-core` (`2.11.7`) combined with `ansible` (`4.10.0`).
+We're not sure what's the minimum version of Ansible that can run this playbook successfully. The lowest version that we suspect (on 2025-09-03) to be working fine is: `ansible-core` (`2.15.1`).
 If your distro ships with an Ansible version older than this, you may run into issues. Consider [Upgrading Ansible](#upgrading-ansible) or [using Ansible via Docker](#using-ansible-via-docker).
 > [!WARNING]
 > One reason for the version requirement being as such is that the playbook by default installs Docker for you using [this Docker role](https://github.com/geerlingguy/ansible-role-docker) which [has a hard requirement on Ansible v2.15.1](https://github.com/geerlingguy/ansible-role-docker/commit/7f44a1d9ad8132819ea9852918bca5dab8757cd0). If you install Docker yourself another way, you can tell the playbook to skip running this role (by adding `matrix_playbook_docker_installation_enabled: false` to your `vars.yml` configuration). It may then be possible to get the playbook running on an older version of Ansible. Still, this is a complication and your mileage may vary. We recommend [upgrading Ansible](#upgrading-ansible) instead of going into uncharted territory.
 ## Upgrading Ansible
 Depending on your distribution, you may be able to upgrade Ansible in a few different ways:
--- a/docs/configuring-playbook-bot-draupnir.md
+++ b/docs/configuring-playbook-bot-draupnir.md
@@ -242,9 +242,12 @@ For Draupnir to do its job, you need to [give it permissions](https://the-draupn
 We recommend **subscribing to a public [policy list](https://the-draupnir-project.github.io/draupnir-documentation/concepts/policy-lists)** using the [watch command](https://the-draupnir-project.github.io/draupnir-documentation/moderator/managing-policy-lists#using-draupnirs-watch-command-to-subscribe-to-policy-rooms).
-Policy lists are maintained in Matrix rooms. A popular policy list is maintained in the public `#community-moderation-effort-bl:neko.dev` room.
+Policy lists are maintained in Matrix rooms. Popular ones maintained in the public are:
-You can tell Draupnir to subscribe to it by sending the following command to the Management Room: `!draupnir watch #community-moderation-effort-bl:neko.dev`
+- `#community-moderation-effort-bl:neko.dev`
 - `#huginn-muninn-active-threats:feline.support`
 You can tell Draupnir to subscribe to each of these by sending the following command to the Management Room: `!draupnir watch POLICY_LIST_ADDRESS_HERE` (e.g. `!draupnir watch #community-moderation-effort-bl:neko.dev`)
 #### Creating your own policy lists and rules
@@ -270,14 +273,14 @@ You can undo bans with the [unban command](https://the-draupnir-project.github.i
 ### Enabling built-in protections
-You can also **turn on various built-in [protections](https://the-draupnir-project.github.io/draupnir-documentation/protections)** like `JoinWaveShortCircuit` ("If X amount of users join in Y time, set the room to invite-only").
+You can also **turn on various built-in [protections](https://the-draupnir-project.github.io/draupnir-documentation/protections)** like `JoinWaveShortCircuitProtection` ("If X amount of users join in Y time, set the room to invite-only").
 To **see which protections are available and which are enabled**, send a `!draupnir protections` command to the Management Room.
-To **see the configuration options for a given protection**, send a `!draupnir protections show PROTECTION_NAME` (e.g. `!draupnir protections show JoinWaveShortCircuit`).
+To [**see the configuration options for a given protection**](https://the-draupnir-project.github.io/draupnir-documentation/protections/configuring-protections#displaying-the-protection-settings), send a `!draupnir protections show PROTECTION_NAME` (e.g. `!draupnir protections show JoinWaveShortCircuitProtection`).
-To **set a specific option for a given protection**, send a command like this: `!draupnir config set PROTECTION_NAME.OPTION VALUE` (e.g. `!draupnir config set JoinWaveShortCircuit.timescaleMinutes 30`).
+To [**set a specific option for a given protection**](https://the-draupnir-project.github.io/draupnir-documentation/protections/configuring-protections#changing-protection-settings), send a command like this: `!draupnir protections config set PROTECTION_NAME OPTION VALUE` (e.g. `!draupnir protections config set JoinWaveShortCircuitProtection timescaleMinutes 30`).
-To **enable a given protection**, send a command like this: `!draupnir enable PROTECTION_NAME` (e.g. `!draupnir enable JoinWaveShortCircuit`).
+To [**enable a given protection**](https://the-draupnir-project.github.io/draupnir-documentation/protections/block-invitations-on-server-protection#enabling-the-protection), send a command like this: `!draupnir protections enable PROTECTION_NAME` (e.g. `!draupnir protections enable JoinWaveShortCircuitProtection`).
-To **disable a given protection**, send a command like this: `!draupnir disable PROTECTION_NAME` (e.g. `!draupnir disable JoinWaveShortCircuit`).
+To **disable a given protection**, send a command like this: `!draupnir protections disable PROTECTION_NAME` (e.g. `!draupnir protections disable JoinWaveShortCircuitProtection`).
--- a/docs/configuring-playbook-bot-matrix-registration-bot.md
+++ b/docs/configuring-playbook-bot-matrix-registration-bot.md
@@ -37,6 +37,10 @@ matrix_synapse_enable_registration: true
 # Restrict registration to users with a token
 matrix_synapse_registration_requires_token: true
 # Set an optional command prefix for the bot. This can be any arbitrary string, including whitespace.
 # Example: "!regbot "
 matrix_bot_matrix_registration_bot_bot_prefix: ""
 ```
 The bot account will be created automatically.
--- a/docs/configuring-playbook-bridge-hookshot.md
+++ b/docs/configuring-playbook-bridge-hookshot.md
@@ -35,7 +35,7 @@ matrix_hookshot_enabled: true
 # Uncomment to enable end-to-bridge encryption.
 # See: https://matrix-org.github.io/matrix-hookshot/latest/advanced/encryption.html
-# matrix_hookshot_experimental_encryption_enabled: true
+# matrix_hookshot_encryption_enabled: true
 # Uncomment and paste the contents of GitHub app private key to enable GitHub bridge.
 # Alternatively, you can use one of the other methods explained below on the "Manage GitHub Private Key with aux role" section.
--- a/docs/configuring-playbook-bridge-mx-puppet-steam.md
+++ b/docs/configuring-playbook-bridge-mx-puppet-steam.md
@@ -7,7 +7,9 @@ SPDX-FileCopyrightText: 2024 - 2025 Suguru Hirahara
 SPDX-License-Identifier: AGPL-3.0-or-later
 -->
-# Setting up MX Puppet Steam bridging (optional)
+# Setting up MX Puppet Steam bridging (optional, deprecated)
 **Note**: This bridge has been deprecated in favor of the [matrix-steam-bridge](https://github.com/jasonlaguidice/matrix-steam-bridge) bridge for Steam, which can be [installed using this playbook](configuring-playbook-bridge-steam.md). Consider using that bridge instead of this one.
 The playbook can install and configure [mx-puppet-steam](https://github.com/icewind1991/mx-puppet-steam) for you.
--- a/docs/configuring-playbook-bridge-steam.md
+++ b/docs/configuring-playbook-bridge-steam.md
@@ -0,0 +1,48 @@
 <!--
 SPDX-FileCopyrightText: 2025 Jason LaGuidice
 SPDX-License-Identifier: AGPL-3.0-or-later
 -->
 # Setting up Steam bridging (optional)
 The playbook can install and configure [matrix-steam-bridge](https://github.com/jasonlaguidice/matrix-steam-bridge) for you.
 See the project's [documentation](https://github.com/jasonlaguidice/matrix-steam-bridge/blob/main/README.md) to learn what it does and why it might be useful to you.
 ## Adjusting the playbook configuration
 To enable the [Steam](https://steampowered.com/) bridge, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:
 ```yaml
 matrix_steam_bridge_enabled: true
 ```
 ## Installing
 After configuring the playbook, run it with [playbook tags](playbook-tags.md) as below:
 <!-- NOTE: let this conservative command run (instead of install-all) to make it clear that failure of the command means something is clearly broken. -->
 ```sh
 ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
 ```
 The shortcut commands with the [`just` program](just.md) are also available: `just install-all` and `just setup-all`
 `just install-all` is useful for maintaining your setup quickly ([2x-5x faster](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) than `just setup-all`) when its components remain unchanged. If you adjust your `vars.yml` to remove other components, you'd need to run `just setup-all`, or these components will still remain installed. Note these shortcuts run the `ensure-matrix-users-created` tag too.
 The tag for `just` commands for this bridge is `matrix-steam-bridge` - for example: `just install-service matrix-steam-bridge`
 ## Usage
 To use the bridge, you need to start a chat with `Steam bridge bot` with the handle `@steambot:example.com` (where `example.com` is your base domain, not the `matrix.` domain).
 The bridge supports QR code and password-based login as well as SteamGuard codes via app, SMS, or e-mail. See matrix-steam-bridge [documentation](https://github.com/jasonlaguidice/matrix-steam-bridge) for more information about how to configure the bridge.
 To login, send `login [flow ID]` where possible flow IDs are `password` or `qr`
 Once logged in, send `search [name]` to search through recognized Steam friends. You can send a user name, display name, or all forms of Steam ID. Send `start-chat [identifier]` to request the bridge bot to open a chat room with a user.
 Chat rooms will automatically be opened as new messages are received.
 Send `help` to the bot to see the available commands.
--- a/docs/configuring-playbook-matrix-rtc.md
+++ b/docs/configuring-playbook-matrix-rtc.md
@@ -16,7 +16,6 @@ The Matrix RTC stack is a set of supporting components ([LiveKit Server](configu
 ## Prerequisites
 - A [Synapse](configuring-playbook-synapse.md) homeserver (see the warning below)
 - [Federation](configuring-playbook-federation.md) being enabled for your Matrix homeserver (federation is enabled by default, unless you've explicitly disabled it), because [LiveKit JWT Service](configuring-playbook-livekit-jwt-service.md) currently [requires it](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/3562#issuecomment-2725250554) ([relevant source code](https://github.com/element-hq/lk-jwt-service/blob/f5f5374c4bdcc00a4fb13d27c0b28e20e4c62334/main.go#L135-L146))
 - Various experimental features for the Synapse homeserver which Element Call [requires](https://github.com/element-hq/element-call/blob/93ae2aed9841e0b066d515c56bd4c122d2b591b2/docs/self-hosting.md#a-matrix-homeserver) (automatically done when Element Call is enabled)
 - A [LiveKit Server](configuring-playbook-livekit-server.md) (automatically installed when [Element Call or the Matrix RTC stack is enabled](#decide-between-element-call-vs-just-the-matrix-rtc-stack))
 - The [LiveKit JWT Service](configuring-playbook-livekit-jwt-service.md) (automatically installed when [Element Call or the Matrix RTC stack is enabled](#decide-between-element-call-vs-just-the-matrix-rtc-stack))
--- a/docs/configuring-playbook.md
+++ b/docs/configuring-playbook.md
@@ -184,6 +184,8 @@ Bridges can be used to connect your Matrix installation with third-party communi
 - [Setting up MX Puppet GroupMe bridging](configuring-playbook-bridge-mx-puppet-groupme.md)
 - [Setting up Steam bridging](configuring-playbook-bridge-steam.md)
 - [Setting up MX Puppet Steam bridging](configuring-playbook-bridge-mx-puppet-steam.md)
 - [Setting up Go Skype Bridge bridging](configuring-playbook-bridge-go-skype-bridge.md)
--- a/docs/container-images.md
+++ b/docs/container-images.md
@@ -114,6 +114,7 @@ Bridges can be used to connect your Matrix installation with third-party communi
 | [mx-puppet-twitter](configuring-playbook-bridge-mx-puppet-twitter.md) | [sorunome/mx-puppet-twitter](https://hub.docker.com/r/sorunome/mx-puppet-twitter) | ❌ | Bridge for Twitter-DMs ([Twitter](https://twitter.com/)) |
 | [mx-puppet-discord](configuring-playbook-bridge-mx-puppet-discord.md) | [mx-puppet/discord/mx-puppet-discord](https://gitlab.com/mx-puppet/discord/mx-puppet-discord/container_registry) | ❌ | Bridge to [Discord](https://discordapp.com/) |
 | [mx-puppet-groupme](configuring-playbook-bridge-mx-puppet-groupme.md) | [xangelix/mx-puppet-groupme](https://hub.docker.com/r/xangelix/mx-puppet-groupme) | ❌ | Bridge to [GroupMe](https://groupme.com/) |
 | [matrix-steam-bridge](configuring-playbook-bridge-steam.md) | [jasonlaguidice/matrix-steam-bridge](https://github.com/jasonlaguidice/matrix-steam-bridge/pkgs/container/matrix-steam-bridge) | ❌ | Bridge to [Steam](https://steampowered.com/) |
 | [mx-puppet-steam](configuring-playbook-bridge-mx-puppet-steam.md) | [icewind1991/mx-puppet-steam](https://hub.docker.com/r/icewind1991/mx-puppet-steam) | ❌ | Bridge to [Steam](https://steamapp.com/) |
 | [Postmoogle](configuring-playbook-bridge-postmoogle.md) | [etke.cc/postmoogle](https://github.com/etkecc/postmoogle/container_registry) | ❌ | Email to Matrix bridge |
@@ -158,7 +159,7 @@ Various services that don't fit any other categories.
 | ------- | --------------- | -------- | ----------- |
 | [sliding-sync](configuring-playbook-sliding-sync-proxy.md) | [matrix-org/sliding-sync](https://ghcr.io/matrix-org/sliding-sync) | ❌ | Sliding Sync support for clients which require it (like old Element X versions, before it got switched to Simplified Sliding Sync) |
 | [synapse_auto_accept_invite](configuring-playbook-synapse-auto-accept-invite.md) | (N/A) | ❌ | Synapse module to automatically accept invites |
-| [synapse_auto_compressor](configuring-playbook-synapse-auto-compressor.md) | [etke.cc/rust-synapse-compress-state](https://gitlab.com/etke.cc/rust-synapse-compress-state/container_registry) | ❌ | Cli tool that automatically compresses `state_groups` database table in background |
+| [synapse_auto_compressor](configuring-playbook-synapse-auto-compressor.md) | [mb-saces/rust-synapse-tools](https://gitlab.com/mb-saces/rust-synapse-tools/container_registry) | ❌ | Cli tool that automatically compresses Synapse's `state_groups` database table in background |
 | [Matrix Corporal](configuring-playbook-matrix-corporal.md) (advanced) | [devture/matrix-corporal](https://hub.docker.com/r/devture/matrix-corporal/) | ❌ | Reconciliator and gateway for a managed Matrix server |
 | [Etherpad](configuring-playbook-etherpad.md) | [etherpad/etherpad](https://hub.docker.com/r/etherpad/etherpad/) | ❌ | Open source collaborative text editor |
 | [Jitsi](configuring-playbook-jitsi.md) | [jitsi/web](https://hub.docker.com/r/jitsi/web) | ❌ | [Jitsi](https://jitsi.org/) web UI |
--- a/docs/maintenance-postgres.md
+++ b/docs/maintenance-postgres.md
@@ -104,12 +104,12 @@ To save disk space in `/tmp`, the dump file is gzipped on the fly at the expense
 PostgreSQL can be [tuned](https://wiki.postgresql.org/wiki/Tuning_Your_PostgreSQL_Server) to make it run faster. This is done by passing extra arguments to the Postgres process.
-The [Postgres Ansible role](https://github.com/mother-of-all-self-hosting/ansible-role-postgres) **already does some tuning by default**, which matches the [tuning logic](https://github.com/le0pard/pgtune/blob/master/src/features/configuration/configurationSlice.js) done by websites like https://pgtune.leopard.in.ua/. You can manually influence some of the tuning variables. These parameters (variables) are injected via the `postgres_postgres_process_extra_arguments_auto` variable.
+The [Postgres Ansible role](https://github.com/mother-of-all-self-hosting/ansible-role-postgres) **already does some tuning by default**, which matches the [tuning logic](https://github.com/le0pard/pgtune/blob/master/src/features/configuration/configurationSlice.js) done by websites like https://pgtune.leopard.in.ua/. You can manually influence some of the tuning variables. These parameters (variables) are injected via the `postgres_postgres_process_extra_arguments_default` variable.
 Most users should be fine with the automatically-done tuning. However, you may wish to:
- **adjust the automatically-determined tuning parameters manually**: change the values for the tuning variables defined in the Postgres role's [default configuration file](https://github.com/mother-of-all-self-hosting/ansible-role-postgres/blob/main/defaults/main.yml) (see `postgres_max_connections`, `postgres_data_storage` etc). These variables are ultimately passed to Postgres via a `postgres_postgres_process_extra_arguments_auto` variable
+- **adjust the automatically-determined tuning parameters manually**: change the values for the tuning variables defined in the Postgres role's [default configuration file](https://github.com/mother-of-all-self-hosting/ansible-role-postgres/blob/main/defaults/main.yml) (see `postgres_max_connections`, `postgres_data_storage` etc). These variables are ultimately passed to Postgres via a `postgres_postgres_process_extra_arguments_default` variable
- **turn automatically-performed tuning off**: override it like this: `postgres_postgres_process_extra_arguments_auto: []`
+- **turn automatically-performed tuning off**: override it like this: `postgres_postgres_process_extra_arguments_default: []`
- **add additional tuning parameters**: define your additional Postgres configuration parameters in `postgres_postgres_process_extra_arguments_custom`. See `postgres_postgres_process_extra_arguments_auto` defined in the Postgres role's [default configuration file](https://github.com/mother-of-all-self-hosting/ansible-role-postgres/blob/main/defaults/main.yml) for inspiration
+- **add additional tuning parameters**: define your additional Postgres configuration parameters in `postgres_postgres_process_extra_arguments_custom`. See `postgres_postgres_process_extra_arguments_default` defined in the Postgres role's [default configuration file](https://github.com/mother-of-all-self-hosting/ansible-role-postgres/blob/main/defaults/main.yml) for inspiration
--- a/examples/reverse-proxies/apache/matrix-domain.conf
+++ b/examples/reverse-proxies/apache/matrix-domain.conf
@@ -33,6 +33,12 @@
 	ProxyRequests Off
 	ProxyVia On
 	RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
 	ProxyTimeout 86400
 	RewriteEngine On
 	RewriteCond %{HTTP:Connection} Upgrade [NC]
 	RewriteCond %{HTTP:Upgrade} websocket [NC]
 	RewriteRule /(.*) ws://127.0.0.1:81/$1 [P,L]
 	AllowEncodedSlashes NoDecode
 	ProxyPass / http://127.0.0.1:81/ retry=0 nocanon
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -162,6 +162,8 @@ matrix_homeserver_container_extra_arguments_auto: |
    +
    (['--mount type=bind,src=' + matrix_sms_bridge_config_path + '/registration.yaml,dst=/matrix-sms-bridge-registration.yaml,ro'] if matrix_sms_bridge_enabled else [])
    +
    (['--mount type=bind,src=' + matrix_steam_bridge_config_path + '/registration.yaml,dst=/matrix-steam-bridge-registration.yaml,ro'] if matrix_steam_bridge_enabled else [])
    +
    (['--mount type=bind,src=' + matrix_cactus_comments_app_service_config_file + ',dst=/matrix-cactus-comments.yaml,ro'] if matrix_cactus_comments_enabled else [])
  }}
@@ -236,6 +238,8 @@ matrix_homeserver_app_service_config_files_auto: |
    (['/matrix-sms-bridge-registration.yaml'] if matrix_sms_bridge_enabled else [])
    +
    (['/matrix-cactus-comments.yaml'] if matrix_cactus_comments_enabled else [])
    +
    (['/matrix-steam-bridge-registration.yaml'] if matrix_steam_bridge_enabled else [])
  }}
 matrix_addons_homeserver_container_network: "{{ matrix_playbook_reverse_proxy_container_network if matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled else matrix_homeserver_container_network }}"
@@ -381,6 +385,8 @@ devture_systemd_service_manager_services_list_auto: |
    +
    ([{'name': 'matrix-sms-bridge.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'sms']}] if matrix_sms_bridge_enabled else [])
    +
    ([{'name': 'matrix-steam-bridge.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'matrix-steam-bridge']}] if matrix_steam_bridge_enabled else [])
    +
    ([{'name': 'matrix-cactus-comments.service', 'priority': 2000, 'groups': ['matrix', 'cactus-comments']}] if matrix_cactus_comments_enabled else [])
    +
    ([{'name': 'matrix-cactus-comments-client.service', 'priority': 2000, 'groups': ['matrix', 'cactus-comments-client']}] if matrix_cactus_comments_client_enabled else [])
@@ -666,6 +672,7 @@ matrix_authentication_service_config_passwords_schemes:
  - version: 1
    secret: "{{ matrix_synapse_password_config_pepper }}"
    algorithm: bcrypt
    unicode_normalization: true
  - version: 2
    algorithm: argon2id
@@ -986,6 +993,8 @@ matrix_appservice_kakaotalk_appservice_token: "{{ '%s' | format(matrix_homeserve
 matrix_appservice_kakaotalk_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
 matrix_appservice_kakaotalk_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.kakao.hs', rounds=655555) | to_uuid }}"
 matrix_appservice_kakaotalk_homeserver_async_media: "{{ matrix_homeserver_implementation in ['synapse'] }}"
 matrix_appservice_kakaotalk_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
 matrix_appservice_kakaotalk_database_engine: "{{ 'postgres' if postgres_enabled else 'sqlite' }}"
@@ -1035,6 +1044,8 @@ matrix_beeper_linkedin_appservice_token: "{{ '%s' | format(matrix_homeserver_gen
 matrix_beeper_linkedin_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
 matrix_beeper_linkedin_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'linked.hs.token', rounds=655555) | to_uuid }}"
 matrix_beeper_linkedin_homeserver_async_media: "{{ matrix_homeserver_implementation in ['synapse'] }}"
 matrix_beeper_linkedin_bridge_login_shared_secret_map_auto: |-
  {{
    ({
@@ -1155,6 +1166,8 @@ matrix_mautrix_bluesky_appservice_token: "{{ '%s' | format(matrix_homeserver_gen
 matrix_mautrix_bluesky_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
 matrix_mautrix_bluesky_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'bsky.hs.token', rounds=655555) | to_uuid }}"
 matrix_mautrix_bluesky_homeserver_async_media: "{{ matrix_homeserver_implementation in ['synapse'] }}"
 matrix_mautrix_bluesky_provisioning_shared_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.bsky.prov', rounds=655555) | to_uuid }}"
 matrix_mautrix_bluesky_double_puppet_secrets_auto: |-
@@ -1224,6 +1237,8 @@ matrix_mautrix_discord_appservice_token: "{{ '%s' | format(matrix_homeserver_gen
 matrix_mautrix_discord_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
 matrix_mautrix_discord_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'maudisc.hs.tok', rounds=655555) | to_uuid }}"
 matrix_mautrix_discord_homeserver_async_media: "{{ matrix_homeserver_implementation in ['synapse'] }}"
 matrix_mautrix_discord_bridge_avatar_proxy_key: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'maudisc.avatar', rounds=655555) | to_uuid }}"
 matrix_mautrix_discord_hostname: "{{ matrix_server_fqn_matrix }}"
@@ -1290,6 +1305,8 @@ matrix_mautrix_slack_appservice_token: "{{ '%s' | format(matrix_homeserver_gener
 matrix_mautrix_slack_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
 matrix_mautrix_slack_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mauslack.hs.tok', rounds=655555) | to_uuid }}"
 matrix_mautrix_slack_homeserver_async_media: "{{ matrix_homeserver_implementation in ['synapse'] }}"
 matrix_mautrix_slack_double_puppet_secrets_auto: |-
  {{
    {
@@ -1363,6 +1380,8 @@ matrix_mautrix_facebook_homeserver_address: "{{ matrix_addons_homeserver_client_
 matrix_mautrix_facebook_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'fb.hs.token', rounds=655555) | to_uuid }}"
 matrix_mautrix_facebook_homeserver_async_media: "{{ matrix_homeserver_implementation in ['synapse'] }}"
 matrix_mautrix_facebook_appservice_public_enabled: true
 matrix_mautrix_facebook_appservice_public_hostname: "{{ matrix_server_fqn_matrix }}"
 matrix_mautrix_facebook_appservice_public_prefix: "/{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'facebook', rounds=655555) | to_uuid }}"
@@ -1583,6 +1602,8 @@ matrix_mautrix_signal_homeserver_domain: '{{ matrix_domain }}'
 matrix_mautrix_signal_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
 matrix_mautrix_signal_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'si.hs.token', rounds=655555) | to_uuid }}"
 matrix_mautrix_signal_homeserver_async_media: "{{ matrix_homeserver_implementation in ['synapse'] }}"
 matrix_mautrix_signal_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'si.as.token', rounds=655555) | to_uuid }}"
 matrix_mautrix_signal_double_puppet_secrets_auto: |-
@@ -1661,6 +1682,8 @@ matrix_mautrix_meta_messenger_homeserver_address: "{{ matrix_addons_homeserver_c
 matrix_mautrix_meta_messenger_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.meta.fb.hs', rounds=655555) | to_uuid }}"
 matrix_mautrix_meta_messenger_homeserver_async_media: "{{ matrix_homeserver_implementation in ['synapse'] }}"
 matrix_mautrix_meta_messenger_double_puppet_secrets_auto: |-
  {{
    {
@@ -1737,6 +1760,8 @@ matrix_mautrix_meta_instagram_homeserver_address: "{{ matrix_addons_homeserver_c
 matrix_mautrix_meta_instagram_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.meta.ig.hs', rounds=655555) | to_uuid }}"
 matrix_mautrix_meta_instagram_homeserver_async_media: "{{ matrix_homeserver_implementation in ['synapse'] }}"
 matrix_mautrix_meta_instagram_double_puppet_secrets_auto: |-
  {{
    {
@@ -1822,6 +1847,8 @@ matrix_mautrix_telegram_homeserver_domain: "{{ matrix_domain }}"
 matrix_mautrix_telegram_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
 matrix_mautrix_telegram_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'telegr.hs.token', rounds=655555) | to_uuid }}"
 matrix_mautrix_telegram_homeserver_async_media: "{{ matrix_homeserver_implementation in ['synapse'] }}"
 matrix_mautrix_telegram_bridge_login_shared_secret_map_auto: |-
  {{
    ({
@@ -1898,6 +1925,8 @@ matrix_mautrix_twitter_appservice_token: "{{ '%s' | format(matrix_homeserver_gen
 matrix_mautrix_twitter_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
 matrix_mautrix_twitter_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'twt.hs.token', rounds=655555) | to_uuid }}"
 matrix_mautrix_twitter_homeserver_async_media: "{{ matrix_homeserver_implementation in ['synapse'] }}"
 matrix_mautrix_twitter_provisioning_shared_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.twit.prov', rounds=655555) | to_uuid }}"
 matrix_mautrix_twitter_double_puppet_secrets_auto: |-
@@ -1970,6 +1999,8 @@ matrix_mautrix_gmessages_appservice_token: "{{ '%s' | format(matrix_homeserver_g
 matrix_mautrix_gmessages_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
 matrix_mautrix_gmessages_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'gmessa.hs.token', rounds=655555) | to_uuid }}"
 matrix_mautrix_gmessages_homeserver_async_media: "{{ matrix_homeserver_implementation in ['synapse'] }}"
 matrix_mautrix_gmessages_double_puppet_secrets_auto: |-
  {{
    {
@@ -2088,6 +2119,8 @@ matrix_wechat_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secr
 matrix_wechat_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
 matrix_wechat_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'wechat.hs.token', rounds=655555) | to_uuid }}"
 matrix_wechat_homeserver_async_media: "{{ matrix_homeserver_implementation in ['synapse'] }}"
 matrix_wechat_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
 matrix_wechat_bridge_listen_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'wechat.lstn', rounds=655555) | to_uuid }}"
@@ -2149,6 +2182,8 @@ matrix_mautrix_whatsapp_appservice_token: "{{ '%s' | format(matrix_homeserver_ge
 matrix_mautrix_whatsapp_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
 matrix_mautrix_whatsapp_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'whats.hs.token', rounds=655555) | to_uuid }}"
 matrix_mautrix_whatsapp_homeserver_async_media: "{{ matrix_homeserver_implementation in ['synapse'] }}"
 matrix_mautrix_whatsapp_double_puppet_secrets_auto: |-
  {{
    {
@@ -2738,6 +2773,82 @@ matrix_postmoogle_container_additional_networks_auto: |-
 #
 ######################################################################
 ######################################################################
 #
 # matrix-bridge-steam
 #
 ######################################################################
 # We don't enable bridges by default.
 matrix_steam_bridge_enabled: false
 matrix_steam_bridge_systemd_required_services_list_auto: |
  {{
    matrix_addons_homeserver_systemd_services_list
    +
    ([postgres_identifier ~ '.service'] if (postgres_enabled and matrix_steam_bridge_database_hostname == postgres_connection_hostname) else [])
  }}
 matrix_steam_bridge_docker_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else matrix_steam_bridge_docker_image_registry_prefix_upstream_default }}"
 matrix_steam_bridge_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}"
 matrix_steam_bridge_container_network: "{{ matrix_addons_container_network }}"
 matrix_steam_bridge_container_additional_networks_auto: |-
  {{
    (
      ([] if matrix_addons_homeserver_container_network == '' else [matrix_addons_homeserver_container_network])
      +
      ([postgres_container_network] if (postgres_enabled and matrix_steam_bridge_database_hostname == postgres_connection_hostname and matrix_steam_bridge_container_network != postgres_container_network) else [])
      +
      ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network and matrix_steam_bridge_container_labels_traefik_enabled else [])
    ) | unique
  }}
 matrix_steam_bridge_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
 matrix_steam_bridge_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
 matrix_steam_bridge_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
 matrix_steam_bridge_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"
 matrix_steam_bridge_container_labels_metrics_middleware_basic_auth_enabled: "{{ matrix_metrics_exposure_http_basic_auth_enabled }}"
 matrix_steam_bridge_container_labels_metrics_middleware_basic_auth_users: "{{ matrix_metrics_exposure_http_basic_auth_users }}"
 matrix_steam_bridge_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'steam.as.token', rounds=655555) | to_uuid }}"
 matrix_steam_bridge_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
 matrix_steam_bridge_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'steam.hs.token', rounds=655555) | to_uuid }}"
 matrix_steam_bridge_homeserver_async_media: "{{ matrix_homeserver_implementation in ['synapse'] }}"
 matrix_steam_bridge_public_media_signing_key: "{{ ('%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'steam.pub.key', rounds=655555) | to_uuid) if matrix_steam_bridge_public_media_enabled else '' }}"
 matrix_steam_bridge_provisioning_shared_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'steam.prov', rounds=655555) | to_uuid }}"
 matrix_steam_bridge_double_puppet_secrets_auto: |-
  {{
    ({
      matrix_steam_bridge_homeserver_domain: ("as_token:" + matrix_appservice_double_puppet_registration_as_token)
    })
    if matrix_appservice_double_puppet_enabled
    else {}
  }}
 matrix_steam_bridge_metrics_enabled: "{{ prometheus_enabled or matrix_metrics_exposure_enabled }}"
 matrix_steam_bridge_metrics_proxying_enabled: "{{ matrix_steam_bridge_metrics_enabled and matrix_metrics_exposure_enabled }}"
 matrix_steam_bridge_metrics_proxying_hostname: "{{ matrix_metrics_exposure_hostname }}"
 matrix_steam_bridge_metrics_proxying_path_prefix: "{{ matrix_metrics_exposure_path_prefix }}/matrix-steam-bridge"
 matrix_steam_bridge_database_hostname: "{{ postgres_connection_hostname if postgres_enabled else '' }}"
 matrix_steam_bridge_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.twt.db', rounds=655555) | to_uuid if postgres_enabled else '' }}"
 ######################################################################
 #
 # /matrix-bridge-steam
 #
 ######################################################################
 ######################################################################
 #
 # matrix-bot-matrix-reminder-bot
@@ -4367,6 +4478,12 @@ postgres_managed_databases_auto: |
      'password': matrix_mx_puppet_groupme_database_password,
    }] if (matrix_mx_puppet_groupme_enabled and matrix_mx_puppet_groupme_database_engine == 'postgres' and matrix_mx_puppet_groupme_database_hostname == postgres_connection_hostname) else [])
    +
    ([{
      'name': matrix_steam_bridge_database_name,
      'username': matrix_steam_bridge_database_username,
      'password': matrix_steam_bridge_database_password,
    }] if (matrix_steam_bridge_enabled and matrix_steam_bridge_database_engine == 'postgres' and matrix_steam_bridge_database_hostname == postgres_connection_hostname) else [])
    +
    ([{
      'name': matrix_dimension_database_name,
      'username': matrix_dimension_database_username,
@@ -4871,7 +4988,7 @@ matrix_synapse_tls_federation_listener_enabled: false
 matrix_synapse_tls_certificate_path: ~
 matrix_synapse_tls_private_key_path: ~
-matrix_synapse_federation_port_openid_resource_required: "{{ not matrix_synapse_federation_enabled and (matrix_dimension_enabled or matrix_ma1sd_enabled or matrix_user_verification_service_enabled) }}"
+matrix_synapse_federation_port_openid_resource_required: "{{ not matrix_synapse_federation_enabled and (matrix_dimension_enabled or matrix_ma1sd_enabled or matrix_user_verification_service_enabled or matrix_livekit_jwt_service_enabled) }}"
 matrix_synapse_metrics_enabled: "{{ prometheus_enabled or matrix_metrics_exposure_enabled }}"
@@ -4975,7 +5092,7 @@ matrix_synapse_auto_compressor_postgres_image: "{{ postgres_container_image_to_u
 matrix_synapse_auto_compressor_container_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else matrix_synapse_auto_compressor_container_image_registry_prefix_upstream_default }}"
-matrix_synapse_auto_compressor_container_image_self_build: "{{ matrix_architecture not in ['amd64'] }}"
+matrix_synapse_auto_compressor_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}"
 matrix_synapse_auto_compressor_container_network: "{{ (postgres_container_network if (postgres_enabled and matrix_synapse_auto_compressor_database_hostname == matrix_synapse_database_host and matrix_synapse_database_host == postgres_connection_hostname) else 'matrix-synapse-auto-compressor') }}"
@@ -5095,6 +5212,8 @@ matrix_synapse_admin_container_labels_traefik_docker_network: "{{ matrix_playboo
 matrix_synapse_admin_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
 matrix_synapse_admin_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"
 matrix_synapse_admin_config_externalAuthProvider: "{{ matrix_authentication_service_enabled | default(false) or matrix_synapse_ext_password_provider_ldap_enabled | default(false) }}"
 matrix_synapse_admin_config_asManagedUsers_auto: |
  {{
    ([
@@ -5230,7 +5349,7 @@ matrix_synapse_admin_config_asManagedUsers_auto: |
    +
    ([
      '^@'+(matrix_mautrix_telegram_appservice_bot_username | default('') | regex_escape)+':'+(matrix_domain | regex_escape)+'$',
-      '^@telegram_[a-zA-Z0-9]+:'+(matrix_domain | regex_escape)+'$',
+      '^@'+(matrix_mautrix_telegram_username_template | regex_escape | replace('{userid}', '.+'))+':'+(matrix_domain | regex_escape)+'$',
    ] if matrix_mautrix_telegram_enabled else [])
    +
    ([
@@ -5282,6 +5401,11 @@ matrix_synapse_admin_config_asManagedUsers_auto: |
      '^@'+(matrix_wechat_appservice_bot_username | default('') | regex_escape)+':'+(matrix_domain | regex_escape)+'$',
      '^@_wechat_[a-zA-Z0-9]+:'+(matrix_domain | regex_escape)+'$',
    ] if matrix_wechat_enabled else [])
    +
    ([
      '^@'+(matrix_steam_bridge_appservice_bot_username | default('') | regex_escape)+':'+(matrix_domain | regex_escape)+'$',
      '^@steam_[a-zA-Z0-9]+:'+(matrix_domain | regex_escape)+'$',
    ] if matrix_steam_bridge_enabled else [])
  }}
 ######################################################################
--- a/i18n/requirements.txt
+++ b/i18n/requirements.txt
@@ -2,21 +2,21 @@ alabaster==1.0.0
 babel==2.17.0
 certifi==2025.8.3
 charset-normalizer==3.4.3
-click==8.2.2
+click==8.3.0
-docutils==0.22
+docutils==0.22.2
 idna==3.10
 imagesize==1.4.1
 Jinja2==3.1.6
 linkify-it-py==2.0.3
 markdown-it-py==4.0.0
-MarkupSafe==3.0.2
+MarkupSafe==3.0.3
 mdit-py-plugins==0.5.0
 mdurl==0.1.2
 myst-parser==4.0.1
 packaging==25.0
 Pygments==2.19.2
-PyYAML==6.0.2
+PyYAML==6.0.3
-requests==2.32.4
+requests==2.32.5
 setuptools==80.9.0
 snowballstemmer==3.0.1
 Sphinx==8.2.3
--- a/12
+++ b/12
@@ -6,7 +6,7 @@
 # Shows help
 default:
-    @{{ just_executable() }} --list --justfile {{ justfile() }}
+    @{{ just_executable() }} --list --justfile "{{ justfile() }}"
 # Pulls external Ansible roles
 roles:
@@ -48,7 +48,7 @@ install-all *extra_args: (run-tags "install-all,ensure-matrix-users-created,star
 # Runs installation tasks for a single service
 install-service service *extra_args:
-    {{ just_executable() }} --justfile {{ justfile() }} run \
+    {{ just_executable() }} --justfile "{{ justfile() }}" run \
    --tags=install-{{ service }},start-group \
    --extra-vars=group={{ service }} \
    --extra-vars=devture_systemd_service_manager_service_restart_mode=one-by-one {{ extra_args }}
@@ -62,7 +62,7 @@ run +extra_args:
 # Runs the playbook with the given list of comma-separated tags and optional arguments
 run-tags tags *extra_args:
-    {{ just_executable() }} --justfile {{ justfile() }} run --tags={{ tags }} {{ extra_args }}
+    {{ just_executable() }} --justfile "{{ justfile() }}" run --tags={{ tags }} {{ extra_args }}
 # Runs the playbook in user-registration mode
 register-user username password admin_yes_or_no *extra_args:
@@ -73,15 +73,15 @@ start-all *extra_args: (run-tags "start-all" extra_args)
 # Starts a specific service group
 start-group group *extra_args:
-    @{{ just_executable() }} --justfile {{ justfile() }} run-tags start-group --extra-vars="group={{ group }}" {{ extra_args }}
+    @{{ just_executable() }} --justfile "{{ justfile() }}" run-tags start-group --extra-vars="group={{ group }}" {{ extra_args }}
 # Stops all services
 stop-all *extra_args: (run-tags "stop-all" extra_args)
 # Stops a specific service group
 stop-group group *extra_args:
-    @{{ just_executable() }} --justfile {{ justfile() }} run-tags stop-group --extra-vars="group={{ group }}" {{ extra_args }}
+    @{{ just_executable() }} --justfile "{{ justfile() }}" run-tags stop-group --extra-vars="group={{ group }}" {{ extra_args }}
 # Rebuilds the mautrix-meta-instagram Ansible role using the mautrix-meta-messenger role as a source
 rebuild-mautrix-meta-instagram:
-    /bin/bash {{ justfile_directory() }}/bin/rebuild-mautrix-meta-instagram.sh {{ justfile_directory() }}/roles/custom
+    /bin/bash "{{ justfile_directory() }}/bin/rebuild-mautrix-meta-instagram.sh" "{{ justfile_directory() }}/roles/custom"
--- a/requirements.yml
+++ b/requirements.yml
@@ -4,34 +4,34 @@
  version: v1.0.0-5
  name: auxiliary
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-backup_borg.git
-  version: v1.4.1-1.9.14-1
+  version: v1.4.1-1.9.14-2
  name: backup_borg
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-container-socket-proxy.git
-  version: v0.3.0-7
+  version: v0.4.1-0
  name: container_socket_proxy
 - src: git+https://github.com/geerlingguy/ansible-role-docker
-  version: 7.4.7
+  version: 7.5.5
  name: docker
 - src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git
  version: 129c8590e106b83e6f4c259649a613c6279e937a
  name: docker_sdk_for_python
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-etherpad.git
-  version: v2.4.2-0
+  version: v2.5.0-3
  name: etherpad
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-exim-relay.git
-  version: v4.98.1-r0-2-1
+  version: v4.98.1-r0-2-2
  name: exim_relay
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-grafana.git
-  version: v11.6.4-1
+  version: v11.6.5-1
  name: grafana
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git
-  version: v10431-1
+  version: v10532-0
  name: jitsi
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-livekit-server.git
-  version: v1.9.0-5
+  version: v1.9.1-0
  name: livekit_server
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-ntfy.git
-  version: v2.14.0-0
+  version: v2.14.0-2
  name: ntfy
 - src: git+https://github.com/devture/com.devture.ansible.role.playbook_help.git
  version: 7663e3114513e56f28d3ed762059b445c678a71a
@@ -43,10 +43,10 @@
  version: ff2fd42e1c1a9e28e3312bbd725395f9c2fc7f16
  name: playbook_state_preserver
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-postgres.git
-  version: v17.5-5
+  version: v17.6-7
  name: postgres
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-postgres-backup.git
-  version: v17-7
+  version: v17-8
  name: postgres_backup
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git
  version: v3.5.0-1
@@ -55,7 +55,7 @@
  version: v1.9.1-11
  name: prometheus_node_exporter
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git
-  version: v0.17.1-8
+  version: v0.18.1-0
  name: prometheus_postgres_exporter
 - src: git+https://github.com/devture/com.devture.ansible.role.systemd_docker_base.git
  version: v1.4.1-0
@@ -64,10 +64,10 @@
  version: v1.0.0-4
  name: systemd_service_manager
 - src: git+https://github.com/devture/com.devture.ansible.role.timesync.git
-  version: v1.0.0-0
+  version: v1.1.0-0
  name: timesync
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik.git
-  version: v3.5.0-2
+  version: v3.5.3-0
  name: traefik
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik-certs-dumper.git
  version: v2.10.0-2
--- a/roles/custom/matrix-alertmanager-receiver/defaults/main.yml
+++ b/roles/custom/matrix-alertmanager-receiver/defaults/main.yml
@@ -11,7 +11,7 @@
 matrix_alertmanager_receiver_enabled: true
 # renovate: datasource=docker depName=docker.io/metio/matrix-alertmanager-receiver
-matrix_alertmanager_receiver_version: 2025.8.6
+matrix_alertmanager_receiver_version: 2025.9.24
 matrix_alertmanager_receiver_scheme: https
@@ -159,30 +159,20 @@ matrix_alertmanager_receiver_config_templating_external_url_mapping: {}
 #   "http://prometheus:8081": https://another.prometheus.example.com
 matrix_alertmanager_receiver_config_templating_generator_url_mapping: {}
 # Controls the `templating.computed-values` configuration setting.
 matrix_alertmanager_receiver_config_templating_computed_values: "{{ matrix_alertmanager_receiver_config_templating_computed_values_default + matrix_alertmanager_receiver_config_templating_computed_values_auto + matrix_alertmanager_receiver_config_templating_computed_values_custom }}"
 matrix_alertmanager_receiver_config_templating_computed_values_default:
  - values:  # always set 'color' to 'yellow'
      color: yellow
  - values:  # set 'color' to 'orange' when alert label 'severity' is 'warning'
      color: orange
    when-matching-labels:
      severity: warning
  - values:  # set 'color' to 'red' when alert label 'severity' is 'critical'
      color: red
    when-matching-labels:
      severity: critical
  - values:  # set 'color' to 'green' when alert status is 'resolved'
      color: green
    when-matching-status: resolved
 matrix_alertmanager_receiver_config_templating_computed_values_auto: []
 matrix_alertmanager_receiver_config_templating_computed_values_custom: []
 # Controls the `templating.firing-template` configuration setting.
 matrix_alertmanager_receiver_config_templating_firing_template: |-
  {% raw %}
  {{ $color := "yellow" }}
  {{ if eq .Alert.Labels.severity "warning" }}
  {{ $color = "orange" }}
  {{ else if eq .Alert.Labels.severity "critical" }}
  {{ $color = "red" }}
  {{ end }}
  {{ if eq .Alert.Status "resolved" }}
  {{ $color = "green" }}
  {{ end }}
  <p>
-    <strong><font color="{{ .ComputedValues.color }}">{{ .Alert.Status | ToUpper }}</font></strong>
+    <strong><font color="{{ $color }}">{{ .Alert.Status | ToUpper }}</font></strong>
    {{ if .Alert.Labels.name }}
      {{ .Alert.Labels.name }}
    {{ else if .Alert.Labels.alertname }}
@@ -211,7 +201,7 @@ matrix_alertmanager_receiver_config_templating_firing_template: |-
 # Controls the `templating.resolved-template` configuration setting.
 matrix_alertmanager_receiver_config_templating_resolved_template: |-
  {% raw %}
-  <strong><font color="{{ .ComputedValues.color }}">{{ .Alert.Status | ToUpper }}</font></strong>
+  <strong><font color="green">{{ .Alert.Status | ToUpper }}</font></strong>
  {{ if .Alert.Labels.name }}
    {{ .Alert.Labels.name }}
  {{ else if .Alert.Labels.alertname }}
--- a/roles/custom/matrix-alertmanager-receiver/tasks/validate_config.yml
+++ b/roles/custom/matrix-alertmanager-receiver/tasks/validate_config.yml
@@ -24,3 +24,6 @@
  when: "lookup('ansible.builtin.varnames', ('^' + item.old + '$'), wantlist=True) | length > 0"
  with_items:
    - {'old': 'matrix_alertmanager_receiver_container_image_name_prefix', 'new': 'matrix_alertmanager_receiver_container_image_registry_prefix'}
    - {'old': 'matrix_alertmanager_receiver_config_templating_computed_values', 'new': '<superseded by logic in the firing or resolved template; see https://github.com/metio/matrix-alertmanager-receiver/pull/94'}
    - {'old': 'matrix_alertmanager_receiver_config_templating_computed_values_auto', 'new': '<superseded by logic in the firing or resolved template; see https://github.com/metio/matrix-alertmanager-receiver/pull/94'}
    - {'old': 'matrix_alertmanager_receiver_config_templating_computed_values_custom', 'new': '<superseded by logic in the firing or resolved template; see https://github.com/metio/matrix-alertmanager-receiver/pull/94'}
--- a/roles/custom/matrix-alertmanager-receiver/templates/config.yaml.j2
+++ b/roles/custom/matrix-alertmanager-receiver/templates/config.yaml.j2
@@ -26,10 +26,6 @@ templating:
  # value is the mapped value which will be available as '.GeneratorURL' in templates
  generator-url-mapping: {{ matrix_alertmanager_receiver_config_templating_generator_url_mapping | to_json }}
  # computation of arbitrary values based on matching alert annotations, labels, or status
  # values will be evaluated top to bottom, last entry wins
  computed-values: {{ matrix_alertmanager_receiver_config_templating_computed_values | to_json }}
  # template for alerts in status 'firing'
  firing-template: {{ matrix_alertmanager_receiver_config_templating_firing_template | to_json }}
--- a/roles/custom/matrix-appservice-draupnir-for-all/defaults/main.yml
+++ b/roles/custom/matrix-appservice-draupnir-for-all/defaults/main.yml
@@ -12,7 +12,7 @@
 matrix_appservice_draupnir_for_all_enabled: true
 # renovate: datasource=docker depName=gnuxie/draupnir
-matrix_appservice_draupnir_for_all_version: "v2.6.0"
+matrix_appservice_draupnir_for_all_version: "v2.6.1"
 matrix_appservice_draupnir_for_all_container_image_self_build: false
 matrix_appservice_draupnir_for_all_container_image_self_build_repo: "https://github.com/the-draupnir-project/Draupnir.git"
--- a/roles/custom/matrix-authentication-service/defaults/main.yml
+++ b/roles/custom/matrix-authentication-service/defaults/main.yml
@@ -22,7 +22,7 @@ matrix_authentication_service_container_repo_version: "{{ 'main' if matrix_authe
 matrix_authentication_service_container_src_files_path: "{{ matrix_base_data_path }}/matrix-authentication-service/container-src"
 # renovate: datasource=docker depName=ghcr.io/element-hq/matrix-authentication-service
-matrix_authentication_service_version: 1.0.0
+matrix_authentication_service_version: 1.3.0
 matrix_authentication_service_container_image_registry_prefix: "{{ 'localhost/' if matrix_authentication_service_container_image_self_build else matrix_authentication_service_container_image_registry_prefix_upstream }}"
 matrix_authentication_service_container_image_registry_prefix_upstream: "{{ matrix_authentication_service_container_image_registry_prefix_upstream_default }}"
 matrix_authentication_service_container_image_registry_prefix_upstream_default: "ghcr.io/"
--- a/roles/custom/matrix-base/defaults/main.yml
+++ b/roles/custom/matrix-base/defaults/main.yml
@@ -161,7 +161,7 @@ matrix_federation_traefik_entrypoint_tls: true
 # Recognized values by us are 'amd64', 'arm32' and 'arm64'.
 # Not all architectures support all services, so your experience (on non-amd64) may vary.
 # See docs/alternative-architectures.md
-matrix_architecture: "{{ 'amd64' if ansible_architecture == 'x86_64' else ('arm64' if ansible_architecture == 'aarch64' else ('arm32' if ansible_architecture.startswith('armv') else '')) }}"
+matrix_architecture: "{{ 'amd64' if ansible_facts.architecture == 'x86_64' else ('arm64' if ansible_facts.architecture == 'aarch64' else ('arm32' if ansible_facts.architecture.startswith('armv') else '')) }}"
 # The architecture for Debian packages.
 # See: https://wiki.debian.org/SupportedArchitectures
--- a/roles/custom/matrix-base/tasks/ensure_fuse_installed.yml
+++ b/roles/custom/matrix-base/tasks/ensure_fuse_installed.yml
@@ -6,11 +6,11 @@
 # This is for both RedHat 7 and 8
 - ansible.builtin.include_tasks: "{{ role_path }}/tasks/ensure_fuse_installed_redhat.yml"
-  when: ansible_os_family == 'RedHat'
+  when: ansible_facts.os_family == 'RedHat'
 # This is for both Debian and Raspbian
 - ansible.builtin.include_tasks: "{{ role_path }}/tasks/ensure_fuse_installed_debian.yml"
-  when: ansible_os_family == 'Debian'
+  when: ansible_facts.os_family == 'Debian'
 - ansible.builtin.include_tasks: "{{ role_path }}/tasks/ensure_fuse_installed_archlinux.yml"
-  when: ansible_os_family == 'Archlinux'
+  when: ansible_facts.os_family == 'Archlinux'
--- a/roles/custom/matrix-base/tasks/validate_config.yml
+++ b/roles/custom/matrix-base/tasks/validate_config.yml
@@ -31,6 +31,8 @@
    - {'old': 'matrix_client_element_e2ee_default', 'new': 'matrix_static_files_file_matrix_client_property_io_element_e2ee_default'}
    - {'old': 'matrix_client_element_e2ee_secure_backup_required', 'new': 'matrix_static_files_file_matrix_client_property_io_element_e2ee_secure_backup_required'}
    - {'old': 'matrix_client_element_e2ee_secure_backup_setup_methods', 'new': 'matrix_static_files_file_matrix_client_property_io_element_e2ee_secure_backup_setup_methods'}
    - {'old': 'matrix_static_files_file_matrix_client_property_io_element_e2ee_secure_backup_required', 'new': '<removed; see https://github.com/element-hq/element-web/pull/30702 and https://github.com/element-hq/element-web/pull/30681>'}
    - {'old': 'matrix_static_files_file_matrix_client_property_io_element_e2ee_secure_backup_setup_methods', 'new': '<removed; see https://github.com/element-hq/element-web/pull/30702 and https://github.com/element-hq/element-web/pull/30681>'}
    - {'old': 'matrix_container_global_registry_prefix', 'new': '<no global variable anymore; you need to override the `_registry_prefix` variable in each component separately>'}
    - {'old': 'matrix_user_username', 'new': 'matrix_user_name'}
    - {'old': 'matrix_user_groupname', 'new': 'matrix_group_name'}
@@ -64,7 +66,7 @@
 - name: Fail if matrix_architecture is set incorrectly
  ansible.builtin.fail:
-    msg: "Detected that variable matrix_architecture {{ matrix_architecture }} appears to be set incorrectly. See docs/alternative-architectures.md. Server appears to be {{ ansible_architecture }}."
+    msg: "Detected that variable matrix_architecture {{ matrix_architecture }} appears to be set incorrectly. See docs/alternative-architectures.md. Server appears to be {{ ansible_facts.architecture }}."
  when: matrix_architecture not in ['amd64', 'arm32', 'arm64']
 - name: Fail if matrix_playbook_reverse_proxy_type is set incorrectly
--- a/roles/custom/matrix-bot-baibot/defaults/main.yml
+++ b/roles/custom/matrix-bot-baibot/defaults/main.yml
@@ -17,7 +17,7 @@ matrix_bot_baibot_container_repo_version: "{{ 'main' if matrix_bot_baibot_versio
 matrix_bot_baibot_container_src_files_path: "{{ matrix_base_data_path }}/baibot/container-src"
 # renovate: datasource=docker depName=ghcr.io/etkecc/baibot
-matrix_bot_baibot_version: v1.7.6
+matrix_bot_baibot_version: v1.8.1
 matrix_bot_baibot_container_image: "{{ matrix_bot_baibot_container_image_registry_prefix }}etkecc/baibot:{{ matrix_bot_baibot_version }}"
 matrix_bot_baibot_container_image_registry_prefix: "{{ 'localhost/' if matrix_bot_baibot_container_image_self_build else matrix_bot_baibot_container_image_registry_prefix_upstream }}"
 matrix_bot_baibot_container_image_registry_prefix_upstream: "{{ matrix_bot_baibot_container_image_registry_prefix_upstream_default }}"
--- a/roles/custom/matrix-bot-draupnir/defaults/main.yml
+++ b/roles/custom/matrix-bot-draupnir/defaults/main.yml
@@ -12,7 +12,7 @@
 matrix_bot_draupnir_enabled: true
 # renovate: datasource=docker depName=gnuxie/draupnir
-matrix_bot_draupnir_version: "v2.6.0"
+matrix_bot_draupnir_version: "v2.6.1"
 matrix_bot_draupnir_container_image_self_build: false
 matrix_bot_draupnir_container_image_self_build_repo: "https://github.com/the-draupnir-project/Draupnir.git"
--- a/roles/custom/matrix-bot-honoroit/defaults/main.yml
+++ b/roles/custom/matrix-bot-honoroit/defaults/main.yml
@@ -30,7 +30,7 @@ matrix_bot_honoroit_docker_repo_version: "{{ matrix_bot_honoroit_version }}"
 matrix_bot_honoroit_docker_src_files_path: "{{ matrix_base_data_path }}/honoroit/docker-src"
 # renovate: datasource=docker depName=ghcr.io/etkecc/honoroit
-matrix_bot_honoroit_version: v0.9.28
+matrix_bot_honoroit_version: v0.9.29
 matrix_bot_honoroit_docker_image: "{{ matrix_bot_honoroit_docker_image_registry_prefix }}etkecc/honoroit:{{ matrix_bot_honoroit_version }}"
 matrix_bot_honoroit_docker_image_registry_prefix: "{{ 'localhost/' if matrix_bot_honoroit_container_image_self_build else matrix_bot_honoroit_docker_image_registry_prefix_upstream }}"
 matrix_bot_honoroit_docker_image_registry_prefix_upstream: "{{ matrix_bot_honoroit_docker_image_registry_prefix_upstream_default }}"
--- a/roles/custom/matrix-bot-matrix-registration-bot/defaults/main.yml
+++ b/roles/custom/matrix-bot-matrix-registration-bot/defaults/main.yml
@@ -43,6 +43,9 @@ matrix_bot_matrix_registration_bot_matrix_user_id: '@{{ matrix_bot_matrix_regist
 # The bot's password (can also be used to login via a client like Element Web)
 matrix_bot_matrix_registration_bot_bot_password: ''
 # Optional bot command prefix
 matrix_bot_matrix_registration_bot_bot_prefix: ""
 # Homeserver base URL
 matrix_bot_matrix_registration_bot_api_base_url: "{{ matrix_homeserver_url }}"
--- a/roles/custom/matrix-bot-matrix-registration-bot/templates/config.yaml.j2
+++ b/roles/custom/matrix-bot-matrix-registration-bot/templates/config.yaml.j2
@@ -10,6 +10,7 @@ bot:
  server: {{ matrix_bot_matrix_registration_bot_bot_server|to_json }}
  username: {{ matrix_bot_matrix_registration_bot_matrix_user_id_localpart|to_json }}
  password: {{ matrix_bot_matrix_registration_bot_bot_password|to_json }}
  prefix: {{ matrix_bot_matrix_registration_bot_bot_prefix|to_json }}
 api:
  # API endpoint of the registration tokens
--- a/roles/custom/matrix-bot-matrix-reminder-bot/defaults/main.yml
+++ b/roles/custom/matrix-bot-matrix-reminder-bot/defaults/main.yml
@@ -20,7 +20,7 @@ matrix_bot_matrix_reminder_bot_docker_repo_version: "{{ 'master' if matrix_bot_m
 matrix_bot_matrix_reminder_bot_docker_src_files_path: "{{ matrix_base_data_path }}/matrix-reminder-bot/docker-src"
 # renovate: datasource=docker depName=ghcr.io/anoadragon453/matrix-reminder-bot
-matrix_bot_matrix_reminder_bot_version: v0.3.0
+matrix_bot_matrix_reminder_bot_version: v0.4.0
 matrix_bot_matrix_reminder_bot_docker_image: "{{ matrix_bot_matrix_reminder_bot_docker_image_registry_prefix }}anoadragon453/matrix-reminder-bot:{{ matrix_bot_matrix_reminder_bot_version }}"
 matrix_bot_matrix_reminder_bot_docker_image_registry_prefix: "{{ 'localhost/' if matrix_bot_matrix_reminder_bot_container_image_self_build else matrix_bot_matrix_reminder_bot_docker_image_registry_prefix_upstream }}"
 matrix_bot_matrix_reminder_bot_docker_image_registry_prefix_upstream: "{{ matrix_bot_matrix_reminder_bot_docker_image_registry_prefix_upstream_default }}"
--- a/roles/custom/matrix-bridge-appservice-kakaotalk/defaults/main.yml
+++ b/roles/custom/matrix-bridge-appservice-kakaotalk/defaults/main.yml
@@ -57,6 +57,9 @@ matrix_appservice_kakaotalk_command_prefix: "!kt"
 matrix_appservice_kakaotalk_homeserver_address: ""
 matrix_appservice_kakaotalk_homeserver_domain: '{{ matrix_domain }}'
 # Whether asynchronous uploads via MSC2246 should be enabled for media.
 # Requires a homeserver that supports MSC2246 (https://github.com/matrix-org/matrix-spec-proposals/pull/2246).
 matrix_appservice_kakaotalk_homeserver_async_media: false
 matrix_appservice_kakaotalk_appservice_address: 'http://matrix-appservice-kakaotalk:11115'
--- a/roles/custom/matrix-bridge-appservice-kakaotalk/templates/config.yaml.j2
+++ b/roles/custom/matrix-bridge-appservice-kakaotalk/templates/config.yaml.j2
@@ -21,7 +21,7 @@ homeserver:
    message_send_checkpoint_endpoint: null
    # Whether asynchronous uploads via MSC2246 should be enabled for media.
    # Requires a media repo that supports MSC2246.
-    async_media: false
+    async_media: {{ matrix_appservice_kakaotalk_homeserver_async_media | to_json }}
 # Application service host/registration related details
 # Changing these values requires regeneration of the registration.
--- a/roles/custom/matrix-bridge-beeper-linkedin/defaults/main.yml
+++ b/roles/custom/matrix-bridge-beeper-linkedin/defaults/main.yml
@@ -37,6 +37,9 @@ matrix_beeper_linkedin_docker_src_files_path: "{{ matrix_beeper_linkedin_base_pa
 matrix_beeper_linkedin_homeserver_address: ""
 matrix_beeper_linkedin_homeserver_domain: "{{ matrix_domain }}"
 # Whether asynchronous uploads via MSC2246 should be enabled for media.
 # Requires a homeserver that supports MSC2246 (https://github.com/matrix-org/matrix-spec-proposals/pull/2246).
 matrix_beeper_linkedin_homeserver_async_media: false
 matrix_beeper_linkedin_appservice_address: "http://matrix-beeper-linkedin:29319"
 matrix_beeper_linkedin_bridge_presence: true
--- a/roles/custom/matrix-bridge-beeper-linkedin/templates/config.yaml.j2
+++ b/roles/custom/matrix-bridge-beeper-linkedin/templates/config.yaml.j2
@@ -21,7 +21,7 @@ homeserver:
    message_send_checkpoint_endpoint: null
    # Whether asynchronous uploads via MSC2246 should be enabled for media.
    # Requires a media repo that supports MSC2246.
-    async_media: false
+    async_media: {{ matrix_beeper_linkedin_homeserver_async_media | to_json }}
 # Application service host/registration related details
 # Changing these values requires regeneration of the registration.
--- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml
+++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml
@@ -29,7 +29,7 @@ matrix_hookshot_container_additional_networks_auto: []
 matrix_hookshot_container_additional_networks_custom: []
 # renovate: datasource=docker depName=halfshot/matrix-hookshot
-matrix_hookshot_version: 7.0.0
+matrix_hookshot_version: 7.1.0
 matrix_hookshot_docker_image: "{{ matrix_hookshot_docker_image_registry_prefix }}matrix-org/matrix-hookshot:{{ matrix_hookshot_version }}"
 matrix_hookshot_docker_image_registry_prefix: "{{ 'localhost/' if matrix_hookshot_container_image_self_build else matrix_hookshot_docker_image_registry_prefix_upstream }}"
@@ -181,6 +181,9 @@ matrix_hookshot_generic_urlPrefix: "{{ matrix_hookshot_urlprefix }}{{ matrix_hoo
 matrix_hookshot_generic_userIdPrefix: '_webhooks_'  # noqa var-naming
 matrix_hookshot_generic_allowJsTransformationFunctions: false  # noqa var-naming
 matrix_hookshot_generic_waitForComplete: false  # noqa var-naming
 matrix_hookshot_generic_sendExpiryNotice: false  # noqa var-naming
 matrix_hookshot_generic_requireExpiryTime: false  # noqa var-naming
 matrix_hookshot_generic_maxExpiryTime: "30d"  # noqa var-naming
 matrix_hookshot_feeds_enabled: true
--- a/roles/custom/matrix-bridge-hookshot/templates/config.yaml.j2
+++ b/roles/custom/matrix-bridge-hookshot/templates/config.yaml.j2
@@ -80,6 +80,9 @@ generic:
  userIdPrefix: {{ matrix_hookshot_generic_userIdPrefix | to_json }}
  allowJsTransformationFunctions: {{ matrix_hookshot_generic_allowJsTransformationFunctions | to_json }}
  waitForComplete: {{ matrix_hookshot_generic_waitForComplete | to_json }}
  sendExpiryNotice: {{ matrix_hookshot_generic_sendExpiryNotice | to_json }}
  requireExpiryTime: {{ matrix_hookshot_generic_requireExpiryTime | to_json }}
  maxExpiryTime: {{ matrix_hookshot_generic_maxExpiryTime | to_json }}
 {% endif %}
 {% if matrix_hookshot_feeds_enabled %}
 feeds:
--- a/roles/custom/matrix-bridge-mautrix-bluesky/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-bluesky/defaults/main.yml
@@ -28,6 +28,9 @@ matrix_mautrix_bluesky_data_path: "{{ matrix_mautrix_bluesky_base_path }}/data"
 matrix_mautrix_bluesky_docker_src_files_path: "{{ matrix_mautrix_bluesky_base_path }}/docker-src"
 matrix_mautrix_bluesky_homeserver_address: ""
 # Whether asynchronous uploads via MSC2246 should be enabled for media.
 # Requires a homeserver that supports MSC2246 (https://github.com/matrix-org/matrix-spec-proposals/pull/2246).
 matrix_mautrix_bluesky_homeserver_async_media: false
 matrix_mautrix_bluesky_homeserver_domain: '{{ matrix_domain }}'
 matrix_mautrix_bluesky_appservice_address: 'http://matrix-mautrix-bluesky:29340'
--- a/roles/custom/matrix-bridge-mautrix-bluesky/templates/config.yaml.j2
+++ b/roles/custom/matrix-bridge-mautrix-bluesky/templates/config.yaml.j2
@@ -164,7 +164,7 @@ homeserver:
    # The bridge will use the appservice as_token to authorize requests.
    message_send_checkpoint_endpoint:
    # Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246?
-    async_media: false
+    async_media: {{ matrix_mautrix_bluesky_homeserver_async_media | to_json }}
    # Should the bridge use a websocket for connecting to the homeserver?
    # The server side is currently not documented anywhere and is only implemented by mautrix-wsproxy,
--- a/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml
@@ -36,6 +36,9 @@ matrix_mautrix_discord_data_path: "{{ matrix_mautrix_discord_base_path }}/data"
 matrix_mautrix_discord_docker_src_files_path: "{{ matrix_mautrix_discord_base_path }}/docker-src"
 matrix_mautrix_discord_homeserver_address: ""
 # Whether asynchronous uploads via MSC2246 should be enabled for media.
 # Requires a homeserver that supports MSC2246 (https://github.com/matrix-org/matrix-spec-proposals/pull/2246).
 matrix_mautrix_discord_homeserver_async_media: false
 matrix_mautrix_discord_homeserver_domain: "{{ matrix_domain }}"
 matrix_mautrix_discord_appservice_address: "http://matrix-mautrix-discord:8080"
--- a/roles/custom/matrix-bridge-mautrix-discord/templates/config.yaml.j2
+++ b/roles/custom/matrix-bridge-mautrix-discord/templates/config.yaml.j2
@@ -16,7 +16,7 @@ homeserver:
    # Endpoint for reporting per-message status.
    message_send_checkpoint_endpoint: null
    # Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246?
-    async_media: false
+    async_media: {{ matrix_mautrix_discord_homeserver_async_media | to_json }}
    # Should the bridge use a websocket for connecting to the homeserver?
    # The server side is currently not documented anywhere and is only implemented by mautrix-wsproxy,
--- a/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml
@@ -37,6 +37,9 @@ matrix_mautrix_facebook_docker_src_files_path: "{{ matrix_mautrix_facebook_base_
 matrix_mautrix_facebook_command_prefix: "!fb"
 matrix_mautrix_facebook_homeserver_address: ""
 # Whether asynchronous uploads via MSC2246 should be enabled for media.
 # Requires a homeserver that supports MSC2246 (https://github.com/matrix-org/matrix-spec-proposals/pull/2246).
 matrix_mautrix_facebook_homeserver_async_media: false
 matrix_mautrix_facebook_homeserver_domain: '{{ matrix_domain }}'
 # Whether or not the public-facing endpoints should be enabled (web-based login)
--- a/roles/custom/matrix-bridge-mautrix-facebook/templates/config.yaml.j2
+++ b/roles/custom/matrix-bridge-mautrix-facebook/templates/config.yaml.j2
@@ -14,7 +14,7 @@ homeserver:
    asmux: false
    # Whether asynchronous uploads via MSC2246 should be enabled for media.
    # Requires a media repo that supports MSC2246.
-    async_media: false
+    async_media: {{ matrix_mautrix_facebook_homeserver_async_media | to_json }}
 # Application service host/registration related details
 # Changing these values requires regeneration of the registration.
--- a/roles/custom/matrix-bridge-mautrix-gmessages/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-gmessages/defaults/main.yml
@@ -18,7 +18,7 @@ matrix_mautrix_gmessages_container_image_self_build_repo: "https://github.com/ma
 matrix_mautrix_gmessages_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_gmessages_version == 'latest' else matrix_mautrix_gmessages_version }}"
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/gmessages
-matrix_mautrix_gmessages_version: v0.6.4
+matrix_mautrix_gmessages_version: v0.7.0
 # See: https://mau.dev/mautrix/gmessages/container_registry
 matrix_mautrix_gmessages_docker_image: "{{ matrix_mautrix_gmessages_docker_image_registry_prefix }}mautrix/gmessages:{{ matrix_mautrix_gmessages_version }}"
@@ -33,6 +33,9 @@ matrix_mautrix_gmessages_data_path: "{{ matrix_mautrix_gmessages_base_path }}/da
 matrix_mautrix_gmessages_docker_src_files_path: "{{ matrix_mautrix_gmessages_base_path }}/docker-src"
 matrix_mautrix_gmessages_homeserver_address: ""
 # Whether asynchronous uploads via MSC2246 should be enabled for media.
 # Requires a homeserver that supports MSC2246 (https://github.com/matrix-org/matrix-spec-proposals/pull/2246).
 matrix_mautrix_gmessages_homeserver_async_media: false
 matrix_mautrix_gmessages_homeserver_domain: "{{ matrix_domain }}"
 matrix_mautrix_gmessages_appservice_address: "http://matrix-mautrix-gmessages:8080"
--- a/roles/custom/matrix-bridge-mautrix-gmessages/templates/config.yaml.j2
+++ b/roles/custom/matrix-bridge-mautrix-gmessages/templates/config.yaml.j2
@@ -168,7 +168,7 @@ homeserver:
    # The bridge will use the appservice as_token to authorize requests.
    message_send_checkpoint_endpoint:
    # Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246?
-    async_media: false
+    async_media: {{ matrix_mautrix_gmessages_homeserver_async_media | to_json }}
    # Should the bridge use a websocket for connecting to the homeserver?
    # The server side is currently not documented anywhere and is only implemented by mautrix-wsproxy,
--- a/roles/custom/matrix-bridge-mautrix-gmessages/templates/systemd/matrix-mautrix-gmessages.service.j2
+++ b/roles/custom/matrix-bridge-mautrix-gmessages/templates/systemd/matrix-mautrix-gmessages.service.j2
@@ -31,7 +31,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 			{{ arg }} \
 			{% endfor %}
 			{{ matrix_mautrix_gmessages_docker_image }} \
-			/usr/bin/mautrix-gmessages -c /config/config.yaml -r /config/registration.yaml
+			/usr/bin/mautrix-gmessages -c /config/config.yaml -r /config/registration.yaml --no-update
 {% for network in matrix_mautrix_gmessages_container_additional_networks %}
 ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-mautrix-gmessages
--- a/roles/custom/matrix-bridge-mautrix-meta-instagram/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-meta-instagram/defaults/main.yml
@@ -20,7 +20,7 @@ matrix_mautrix_meta_instagram_enabled: true
 matrix_mautrix_meta_instagram_identifier: matrix-mautrix-meta-instagram
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/meta
-matrix_mautrix_meta_instagram_version: v0.5.2
+matrix_mautrix_meta_instagram_version: v0.5.3
 matrix_mautrix_meta_instagram_base_path: "{{ matrix_base_data_path }}/mautrix-meta-instagram"
 matrix_mautrix_meta_instagram_config_path: "{{ matrix_mautrix_meta_instagram_base_path }}/config"
@@ -116,6 +116,9 @@ matrix_mautrix_meta_instagram_database_sslmode: disable
 matrix_mautrix_meta_instagram_database_connection_string: 'postgres://{{ matrix_mautrix_meta_instagram_database_username }}:{{ matrix_mautrix_meta_instagram_database_password }}@{{ matrix_mautrix_meta_instagram_database_hostname }}:{{ matrix_mautrix_meta_instagram_database_port }}/{{ matrix_mautrix_meta_instagram_database_name }}?sslmode={{ matrix_mautrix_meta_instagram_database_sslmode }}'
 matrix_mautrix_meta_instagram_homeserver_address: ""
 # Whether asynchronous uploads via MSC2246 should be enabled for media.
 # Requires a homeserver that supports MSC2246 (https://github.com/matrix-org/matrix-spec-proposals/pull/2246).
 matrix_mautrix_meta_instagram_homeserver_async_media: false
 matrix_mautrix_meta_instagram_homeserver_domain: '{{ matrix_domain }}'
 matrix_mautrix_meta_instagram_homeserver_token: ''
--- a/roles/custom/matrix-bridge-mautrix-meta-instagram/templates/config.yaml.j2
+++ b/roles/custom/matrix-bridge-mautrix-meta-instagram/templates/config.yaml.j2
@@ -181,7 +181,7 @@ homeserver:
    # The bridge will use the appservice as_token to authorize requests.
    message_send_checkpoint_endpoint:
    # Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246?
-    async_media: false
+    async_media: {{ matrix_mautrix_meta_instagram_homeserver_async_media | to_json }}
    # Should the bridge use a websocket for connecting to the homeserver?
    # The server side is currently not documented anywhere and is only implemented by mautrix-wsproxy,
--- a/roles/custom/matrix-bridge-mautrix-meta-messenger/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-meta-messenger/defaults/main.yml
@@ -20,7 +20,7 @@ matrix_mautrix_meta_messenger_enabled: true
 matrix_mautrix_meta_messenger_identifier: matrix-mautrix-meta-messenger
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/meta
-matrix_mautrix_meta_messenger_version: v0.5.2
+matrix_mautrix_meta_messenger_version: v0.5.3
 matrix_mautrix_meta_messenger_base_path: "{{ matrix_base_data_path }}/mautrix-meta-messenger"
 matrix_mautrix_meta_messenger_config_path: "{{ matrix_mautrix_meta_messenger_base_path }}/config"
@@ -117,6 +117,9 @@ matrix_mautrix_meta_messenger_database_connection_string: 'postgres://{{ matrix_
 matrix_mautrix_meta_messenger_homeserver_address: ""
 matrix_mautrix_meta_messenger_homeserver_domain: '{{ matrix_domain }}'
 # Whether asynchronous uploads via MSC2246 should be enabled for media.
 # Requires a homeserver that supports MSC2246 (https://github.com/matrix-org/matrix-spec-proposals/pull/2246).
 matrix_mautrix_meta_messenger_homeserver_async_media: false
 matrix_mautrix_meta_messenger_homeserver_token: ''
 matrix_mautrix_meta_messenger_appservice_address: "http://{{ matrix_mautrix_meta_messenger_identifier }}:29319"
--- a/roles/custom/matrix-bridge-mautrix-meta-messenger/templates/config.yaml.j2
+++ b/roles/custom/matrix-bridge-mautrix-meta-messenger/templates/config.yaml.j2
@@ -181,7 +181,7 @@ homeserver:
    # The bridge will use the appservice as_token to authorize requests.
    message_send_checkpoint_endpoint:
    # Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246?
-    async_media: false
+    async_media: {{ matrix_mautrix_meta_messenger_homeserver_async_media | to_json }}
    # Should the bridge use a websocket for connecting to the homeserver?
    # The server side is currently not documented anywhere and is only implemented by mautrix-wsproxy,
--- a/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml
@@ -25,7 +25,7 @@ matrix_mautrix_signal_container_image_self_build_repo: "https://mau.dev/mautrix/
 matrix_mautrix_signal_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_signal_version == 'latest' else matrix_mautrix_signal_version }}"
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/signal
-matrix_mautrix_signal_version: v0.8.5
+matrix_mautrix_signal_version: v0.8.7
 # See: https://mau.dev/mautrix/signal/container_registry
 matrix_mautrix_signal_docker_image: "{{ matrix_mautrix_signal_docker_image_registry_prefix }}mautrix/signal:{{ matrix_mautrix_signal_docker_image_tag }}"
@@ -42,6 +42,9 @@ matrix_mautrix_signal_docker_src_files_path: "{{ matrix_mautrix_signal_base_path
 matrix_mautrix_signal_homeserver_address: ""
 matrix_mautrix_signal_homeserver_domain: "{{ matrix_domain }}"
 # Whether asynchronous uploads via MSC2246 should be enabled for media.
 # Requires a homeserver that supports MSC2246 (https://github.com/matrix-org/matrix-spec-proposals/pull/2246).
 matrix_mautrix_signal_homeserver_async_media: false
 matrix_mautrix_signal_appservice_address: "http://matrix-mautrix-signal:8080"
 matrix_mautrix_signal_msc4190_enabled: "{{ matrix_bridges_msc4190_enabled }}"
--- a/roles/custom/matrix-bridge-mautrix-signal/templates/config.yaml.j2
+++ b/roles/custom/matrix-bridge-mautrix-signal/templates/config.yaml.j2
@@ -159,7 +159,7 @@ homeserver:
    # The bridge will use the appservice as_token to authorize requests.
    message_send_checkpoint_endpoint: null
    # Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246?
-    async_media: false
+    async_media: {{ matrix_mautrix_signal_homeserver_async_media | to_json }}
    # Should the bridge use a websocket for connecting to the homeserver?
    # The server side is currently not documented anywhere and is only implemented by mautrix-wsproxy,
--- a/roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml
@@ -17,7 +17,7 @@ matrix_mautrix_slack_container_image_self_build_repo: "https://mau.dev/mautrix/s
 matrix_mautrix_slack_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_slack_version == 'latest' else matrix_mautrix_slack_version }}"
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/slack
-matrix_mautrix_slack_version: v0.2.2
+matrix_mautrix_slack_version: v0.2.3
 # See: https://mau.dev/mautrix/slack/container_registry
 matrix_mautrix_slack_docker_image: "{{ matrix_mautrix_slack_docker_image_registry_prefix }}mautrix/slack:{{ matrix_mautrix_slack_version }}"
 matrix_mautrix_slack_docker_image_registry_prefix: "{{ 'localhost/' if matrix_mautrix_slack_container_image_self_build else matrix_mautrix_slack_docker_image_registry_prefix_upstream }}"
@@ -32,6 +32,9 @@ matrix_mautrix_slack_docker_src_files_path: "{{ matrix_mautrix_slack_base_path }
 matrix_mautrix_slack_homeserver_address: ""
 matrix_mautrix_slack_homeserver_domain: "{{ matrix_domain }}"
 # Whether asynchronous uploads via MSC2246 should be enabled for media.
 # Requires a homeserver that supports MSC2246 (https://github.com/matrix-org/matrix-spec-proposals/pull/2246).
 matrix_mautrix_slack_homeserver_async_media: false
 matrix_mautrix_slack_appservice_address: "http://matrix-mautrix-slack:8080"
 matrix_mautrix_slack_msc4190_enabled: "{{ matrix_bridges_msc4190_enabled }}"
--- a/roles/custom/matrix-bridge-mautrix-slack/templates/config.yaml.j2
+++ b/roles/custom/matrix-bridge-mautrix-slack/templates/config.yaml.j2
@@ -197,7 +197,7 @@ homeserver:
    # The bridge will use the appservice as_token to authorize requests.
    message_send_checkpoint_endpoint:
    # Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246?
-    async_media: false
+    async_media: {{ matrix_mautrix_slack_homeserver_async_media | to_json }}
    # Should the bridge use a websocket for connecting to the homeserver?
    # The server side is currently not documented anywhere and is only implemented by mautrix-wsproxy,
--- a/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml
@@ -79,6 +79,9 @@ matrix_mautrix_telegram_public_endpoint: "{{ matrix_mautrix_telegram_path_prefix
 matrix_mautrix_telegram_homeserver_address: ""
 matrix_mautrix_telegram_homeserver_domain: '{{ matrix_domain }}'
 # Whether asynchronous uploads via MSC2246 should be enabled for media.
 # Requires a homeserver that supports MSC2246 (https://github.com/matrix-org/matrix-spec-proposals/pull/2246).
 matrix_mautrix_telegram_homeserver_async_media: false
 matrix_mautrix_telegram_appservice_address: 'http://matrix-mautrix-telegram:8080'
 matrix_mautrix_telegram_appservice_public_external: '{{ matrix_mautrix_telegram_scheme }}://{{ matrix_mautrix_telegram_hostname }}{{ matrix_mautrix_telegram_public_endpoint }}'
@@ -230,12 +233,12 @@ matrix_mautrix_telegram_registration_yaml: |
  namespaces:
      users:
      - exclusive: true
-        regex: '^@telegram_.+:{{ matrix_mautrix_telegram_homeserver_domain | regex_escape }}$'
+        regex: '^@{{ matrix_mautrix_telegram_username_template | replace('{userid}', '.+') }}:{{ matrix_mautrix_telegram_homeserver_domain | regex_escape }}$'
      - exclusive: true
        regex: '^@{{ matrix_mautrix_telegram_appservice_bot_username | regex_escape }}:{{ matrix_mautrix_telegram_homeserver_domain | regex_escape }}$'
      aliases:
      - exclusive: true
-        regex: '^#telegram_.+:{{ matrix_mautrix_telegram_homeserver_domain | regex_escape }}$'
+        regex: '^#{{ matrix_mautrix_telegram_alias_template | replace('{groupname}', '.+') }}:{{ matrix_mautrix_telegram_homeserver_domain | regex_escape }}$'
  # See https://github.com/mautrix/signal/issues/43
  sender_localpart: _bot_{{ matrix_mautrix_telegram_appservice_bot_username }}
  url: {{ matrix_mautrix_telegram_appservice_address }}
--- a/roles/custom/matrix-bridge-mautrix-telegram/templates/config.yaml.j2
+++ b/roles/custom/matrix-bridge-mautrix-telegram/templates/config.yaml.j2
@@ -21,7 +21,7 @@ homeserver:
    message_send_checkpoint_endpoint: null
    # Whether asynchronous uploads via MSC2246 should be enabled for media.
    # Requires a media repo that supports MSC2246.
-    async_media: false
+    async_media: {{ matrix_mautrix_telegram_homeserver_async_media | to_json }}
 # Application service host/registration related details
 # Changing these values requires regeneration of the registration.
--- a/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml
@@ -22,7 +22,7 @@ matrix_mautrix_twitter_container_image_self_build_repo: "https://github.com/maut
 matrix_mautrix_twitter_container_image_self_build_repo_version: "{{ 'master' if matrix_mautrix_twitter_version == 'latest' else matrix_mautrix_twitter_version }}"
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/twitter
-matrix_mautrix_twitter_version: v0.4.3
+matrix_mautrix_twitter_version: v0.5.0
 # See: https://mau.dev/tulir/mautrix-twitter/container_registry
 matrix_mautrix_twitter_docker_image: "{{ matrix_mautrix_twitter_docker_image_registry_prefix }}mautrix/twitter:{{ matrix_mautrix_twitter_version }}"
 matrix_mautrix_twitter_docker_image_registry_prefix: "{{ 'localhost/' if matrix_mautrix_twitter_container_image_self_build else matrix_mautrix_twitter_docker_image_registry_prefix_upstream }}"
@@ -36,6 +36,9 @@ matrix_mautrix_twitter_data_path: "{{ matrix_mautrix_twitter_base_path }}/data"
 matrix_mautrix_twitter_docker_src_files_path: "{{ matrix_mautrix_twitter_base_path }}/docker-src"
 matrix_mautrix_twitter_homeserver_address: ""
 # Whether asynchronous uploads via MSC2246 should be enabled for media.
 # Requires a homeserver that supports MSC2246 (https://github.com/matrix-org/matrix-spec-proposals/pull/2246).
 matrix_mautrix_twitter_homeserver_async_media: false
 matrix_mautrix_twitter_homeserver_domain: '{{ matrix_domain }}'
 matrix_mautrix_twitter_appservice_address: 'http://matrix-mautrix-twitter:29327'
--- a/roles/custom/matrix-bridge-mautrix-twitter/templates/config.yaml.j2
+++ b/roles/custom/matrix-bridge-mautrix-twitter/templates/config.yaml.j2
@@ -164,7 +164,7 @@ homeserver:
    # The bridge will use the appservice as_token to authorize requests.
    message_send_checkpoint_endpoint:
    # Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246?
-    async_media: false
+    async_media: {{ matrix_mautrix_twitter_homeserver_async_media | to_json }}
    # Should the bridge use a websocket for connecting to the homeserver?
    # The server side is currently not documented anywhere and is only implemented by mautrix-wsproxy,
--- a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml
@@ -28,7 +28,7 @@ matrix_mautrix_whatsapp_container_image_self_build_repo: "https://mau.dev/mautri
 matrix_mautrix_whatsapp_container_image_self_build_branch: "{{ 'master' if matrix_mautrix_whatsapp_version == 'latest' else matrix_mautrix_whatsapp_version }}"
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/whatsapp
-matrix_mautrix_whatsapp_version: v0.12.3
+matrix_mautrix_whatsapp_version: v0.12.5
 # See: https://mau.dev/mautrix/whatsapp/container_registry
 matrix_mautrix_whatsapp_docker_image: "{{ matrix_mautrix_whatsapp_docker_image_registry_prefix }}mautrix/whatsapp:{{ matrix_mautrix_whatsapp_version }}"
@@ -44,6 +44,9 @@ matrix_mautrix_whatsapp_docker_src_files_path: "{{ matrix_mautrix_whatsapp_base_
 matrix_mautrix_whatsapp_homeserver_address: ""
 matrix_mautrix_whatsapp_homeserver_domain: "{{ matrix_domain }}"
 # Whether asynchronous uploads via MSC2246 should be enabled for media.
 # Requires a homeserver that supports MSC2246 (https://github.com/matrix-org/matrix-spec-proposals/pull/2246).
 matrix_mautrix_whatsapp_homeserver_async_media: false
 matrix_mautrix_whatsapp_appservice_address: "http://matrix-mautrix-whatsapp:8080"
 matrix_mautrix_whatsapp_msc4190_enabled: "{{ matrix_bridges_msc4190_enabled }}"
--- a/roles/custom/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2
+++ b/roles/custom/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2
@@ -16,12 +16,6 @@ network:
    proxy_only_login: false
    # Displayname template for WhatsApp users.
    # {% raw %}
    # {{.PushName}}     - nickname set by the WhatsApp user
    # {{.BusinessName}} - validated WhatsApp business name
    # {{.Phone}}        - phone number (international format)
    # {{.FullName}}     - Name you set in the contacts list
    # {% endraw %}
    displayname_template: {{ matrix_mautrix_whatsapp_network_displayname_template | to_json }}
    # Should incoming calls send a message to the Matrix room?
@@ -255,7 +249,7 @@ homeserver:
    # The bridge will use the appservice as_token to authorize requests.
    message_send_checkpoint_endpoint:
    # Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246?
-    async_media: false
+    async_media: {{ matrix_mautrix_whatsapp_homeserver_async_media | to_json }}
    # Should the bridge use a websocket for connecting to the homeserver?
    # The server side is currently not documented anywhere and is only implemented by mautrix-wsproxy,
--- a/roles/custom/matrix-bridge-mautrix-whatsapp/templates/systemd/matrix-mautrix-whatsapp.service.j2
+++ b/roles/custom/matrix-bridge-mautrix-whatsapp/templates/systemd/matrix-mautrix-whatsapp.service.j2
@@ -31,7 +31,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 			{{ arg }} \
 			{% endfor %}
 			{{ matrix_mautrix_whatsapp_docker_image }} \
-			/usr/bin/mautrix-whatsapp -c /config/config.yaml -r /config/registration.yaml
+			/usr/bin/mautrix-whatsapp -c /config/config.yaml -r /config/registration.yaml --no-update
 {% for network in matrix_mautrix_whatsapp_container_additional_networks %}
 ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-mautrix-whatsapp
--- a/roles/custom/matrix-bridge-steam/defaults/main.yml
+++ b/roles/custom/matrix-bridge-steam/defaults/main.yml
@@ -0,0 +1,242 @@
 # SPDX-FileCopyrightText: 2025 Jason LaGuidice
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 ---
 # matrix-steam-bridge is a Matrix <-> Steam bridge
 # See: https://github.com/jasonlaguidice/matrix-steam-bridge
 matrix_steam_bridge_enabled: true
 matrix_steam_bridge_container_image_self_build: false
 matrix_steam_bridge_container_image_self_build_repo: "https://github.com/jasonlaguidice/matrix-steam-bridge.git"
 matrix_steam_bridge_container_image_self_build_repo_version: "{{ 'main' if matrix_steam_bridge_version == 'latest' else matrix_steam_bridge_version }}"
 # renovate: datasource=docker depName=ghcr.io/jasonlaguidice/matrix-steam-bridge
 matrix_steam_bridge_version: 1.0.5
 matrix_steam_bridge_docker_image: "{{ matrix_steam_bridge_docker_image_registry_prefix }}jasonlaguidice/matrix-steam-bridge:{{ matrix_steam_bridge_version }}"
 matrix_steam_bridge_docker_image_registry_prefix: "{{ 'localhost/' if matrix_steam_bridge_container_image_self_build else matrix_steam_bridge_docker_image_registry_prefix_upstream }}"
 matrix_steam_bridge_docker_image_registry_prefix_upstream: "{{ matrix_steam_bridge_docker_image_registry_prefix_upstream_default }}"
 matrix_steam_bridge_docker_image_registry_prefix_upstream_default: "ghcr.io/"
 matrix_steam_bridge_docker_image_tag: "{{ matrix_steam_bridge_version }}"
 matrix_steam_bridge_docker_image_force_pull: "{{ matrix_steam_bridge_docker_image.endswith(':latest') }}"
 matrix_steam_bridge_base_path: "{{ matrix_base_data_path }}/matrix-steam-bridge"
 matrix_steam_bridge_config_path: "{{ matrix_steam_bridge_base_path }}/config"
 matrix_steam_bridge_data_path: "{{ matrix_steam_bridge_base_path }}/data"
 matrix_steam_bridge_docker_src_files_path: "{{ matrix_steam_bridge_base_path }}/docker-src"
 matrix_steam_bridge_homeserver_address: ""
 matrix_steam_bridge_homeserver_domain: "{{ matrix_domain }}"
 matrix_steam_bridge_appservice_address: "http://matrix-steam-bridge:{{ matrix_steam_bridge_appservice_port }}"
 matrix_steam_bridge_appservice_port: "8080"
 matrix_steam_bridge_msc4190_enabled: "{{ matrix_bridges_msc4190_enabled }}"
 # A public address that external services can use to reach this appservice
 matrix_steam_bridge_appservice_public_address: "https://{{ matrix_server_fqn_matrix }}"
 # Public media configuration for external access to bridge media
 matrix_steam_bridge_public_media_enabled: true
 # A key for signing public media URLs. If set to "generate", a random key will be generated.
 # This will be auto-generated deterministically if matrix_homeserver_generic_secret_key is set.
 matrix_steam_bridge_public_media_signing_key: ''
 # Number of seconds that public media URLs are valid for. If set to 0, URLs will never expire.
 matrix_steam_bridge_public_media_expiry: 0
 matrix_steam_bridge_public_media_hash_length: 32
 # Displayname template for Steam users
 # {{ .DisplayName }} is replaced with the display name of the Steam user
 # {{ .Username }} is replaced with the username of the Steam user
 matrix_steam_bridge_network_displayname_template: "{% raw %}{{ .DisplayName }}{% endraw %} (Steam)"
 matrix_steam_bridge_command_prefix: "!steam"
 matrix_steam_bridge_bridge_permissions: |
  {{
    {matrix_steam_bridge_homeserver_domain: 'user'}
    | combine ({matrix_admin: 'admin'} if matrix_admin else {})
  }}
 # TODO: May need to set network for public media?
 matrix_steam_bridge_container_network: ""
 matrix_steam_bridge_container_additional_networks: "{{ matrix_steam_bridge_container_additional_networks_auto + matrix_steam_bridge_container_additional_networks_custom }}"
 matrix_steam_bridge_container_additional_networks_auto: []
 matrix_steam_bridge_container_additional_networks_custom: []
 # matrix_steam_bridge_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
 # See `../templates/labels.j2` for details.
 #
 # To inject your own other container labels, see `matrix_steam_bridge_container_labels_additional_labels`.
 matrix_steam_bridge_container_labels_traefik_enabled: true
 matrix_steam_bridge_container_labels_traefik_docker_network: "{{ matrix_steam_bridge_container_network }}"
 matrix_steam_bridge_container_labels_traefik_entrypoints: web-secure
 matrix_steam_bridge_container_labels_traefik_tls: "{{ matrix_steam_bridge_container_labels_traefik_entrypoints != 'web' }}"
 matrix_steam_bridge_container_labels_traefik_tls_certResolver: default  # noqa var-naming
 # Controls whether labels will be added that expose mautrix-instagram's metrics
 matrix_steam_bridge_container_labels_metrics_enabled: "{{ matrix_steam_bridge_metrics_enabled and matrix_steam_bridge_metrics_proxying_enabled }}"
 matrix_steam_bridge_container_labels_metrics_traefik_rule: "Host(`{{ matrix_steam_bridge_metrics_proxying_hostname }}`) && PathPrefix(`{{ matrix_steam_bridge_metrics_proxying_path_prefix }}`)"
 matrix_steam_bridge_container_labels_metrics_traefik_priority: 0
 matrix_steam_bridge_container_labels_metrics_traefik_entrypoints: "{{ matrix_steam_bridge_container_labels_traefik_entrypoints }}"
 matrix_steam_bridge_container_labels_metrics_traefik_tls: "{{ matrix_steam_bridge_container_labels_metrics_traefik_entrypoints != 'web' }}"
 matrix_steam_bridge_container_labels_metrics_traefik_tls_certResolver: "{{ matrix_steam_bridge_container_labels_traefik_tls_certResolver }}"  # noqa var-naming
 matrix_steam_bridge_container_labels_metrics_middleware_basic_auth_enabled: false
 # See: https://doc.traefik.io/traefik/middlewares/http/basicauth/#users
 matrix_steam_bridge_container_labels_metrics_middleware_basic_auth_users: ''
 # matrix_steam_bridge_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
 # See `../templates/labels.j2` for details.
 #
 # Example:
 # matrix_steam_bridge_container_labels_additional_labels: |
 #   my.label=1
 #   another.label="here"
 matrix_steam_bridge_container_labels_additional_labels: ''
 # A list of extra arguments to pass to the container
 matrix_steam_bridge_container_extra_arguments: []
 # List of systemd services that matrix_steam_bridge.service depends on.
 matrix_steam_bridge_systemd_required_services_list: "{{ matrix_steam_bridge_systemd_required_services_list_default + matrix_steam_bridge_systemd_required_services_list_auto + matrix_steam_bridge_systemd_required_services_list_custom }}"
 matrix_steam_bridge_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
 matrix_steam_bridge_systemd_required_services_list_auto: []
 matrix_steam_bridge_systemd_required_services_list_custom: []
 # List of systemd services that matrix_steam_bridge.service wants
 matrix_steam_bridge_systemd_wanted_services_list: []
 matrix_steam_bridge_appservice_token: ''
 matrix_steam_bridge_homeserver_token: ''
 # Whether or not created rooms should have federation enabled.
 # If false, created portal rooms will never be federated.
 matrix_steam_bridge_matrix_federate_rooms: false
 # Bridge configuration options
 # Should every user have their own portals rather than sharing them?
 matrix_steam_bridge_bridge_split_portals: false
 # Cleanup on logout configuration
 matrix_steam_bridge_bridge_cleanup_on_logout_enabled: false
 # Valid values for cleanup actions: nothing, kick, unbridge, delete
 #   nothing - Do nothing, let the user stay in the portals
 #   kick - Remove the user from the portal rooms, but don't delete them
 #   unbridge - Remove all ghosts in the room and disassociate it from the remote chat
 #   delete - Remove all ghosts and users from the room (i.e. delete it)
 matrix_steam_bridge_bridge_cleanup_on_logout_manual_private: nothing
 matrix_steam_bridge_bridge_cleanup_on_logout_manual_relayed: nothing
 matrix_steam_bridge_bridge_cleanup_on_logout_manual_shared_no_users: nothing
 matrix_steam_bridge_bridge_cleanup_on_logout_manual_shared_has_users: nothing
 matrix_steam_bridge_bridge_cleanup_on_logout_bad_credentials_private: nothing
 matrix_steam_bridge_bridge_cleanup_on_logout_bad_credentials_relayed: nothing
 matrix_steam_bridge_bridge_cleanup_on_logout_bad_credentials_shared_no_users: nothing
 matrix_steam_bridge_bridge_cleanup_on_logout_bad_credentials_shared_has_users: nothing
 # Homeserver configuration options
 # Does the homeserver support MSC2246 (async media uploads)?
 matrix_steam_bridge_homeserver_async_media: false
 # Database-related configuration fields.
 #
 # To use Postgres:
 # - adjust your database credentials via the `matrix_steam_bridge_postgres_*` variables
 matrix_steam_bridge_database_engine: 'postgres'
 matrix_steam_bridge_database_username: 'matrix_steam_bridge'
 matrix_steam_bridge_database_password: 'some-password'
 matrix_steam_bridge_database_hostname: ''
 matrix_steam_bridge_database_port: 5432
 matrix_steam_bridge_database_name: 'matrix_steam_bridge'
 matrix_steam_bridge_database_sslmode: disable
 matrix_steam_bridge_database_connection_string: 'postgres://{{ matrix_steam_bridge_database_username }}:{{ matrix_steam_bridge_database_password }}@{{ matrix_steam_bridge_database_hostname }}:{{ matrix_steam_bridge_database_port }}/{{ matrix_steam_bridge_database_name }}?sslmode={{ matrix_steam_bridge_database_sslmode }}'
 matrix_steam_bridge_database_uri: "{{
 	{
 		'postgres': matrix_steam_bridge_database_connection_string,
 	}[matrix_steam_bridge_database_engine]
 }}"
 matrix_steam_bridge_double_puppet_secrets: "{{ matrix_steam_bridge_double_puppet_secrets_auto | combine(matrix_steam_bridge_double_puppet_secrets_custom) }}"
 matrix_steam_bridge_double_puppet_secrets_auto: {}
 matrix_steam_bridge_double_puppet_secrets_custom: {}
 matrix_steam_bridge_appservice_bot_username: steambot
 matrix_steam_bridge_appservice_bot_displayname: Steam bridge bot
 matrix_steam_bridge_appservice_bot_avatar: mxc://shadowdrake.org/EeNKAcrmByNubPwoyceQsBaN
 matrix_steam_bridge_backfill_enabled: true
 # Maximum number of messages to backfill in empty rooms
 matrix_steam_bridge_backfill_max_initial_messages: 50
 # Maximum number of missed messages to backfill after bridge restarts
 matrix_steam_bridge_backfill_max_catchup_messages: 500
 # Shared secret for authentication of provisioning API requests.
 # If set to "disable", the provisioning API will be disabled.
 matrix_steam_bridge_provisioning_shared_secret: disable
 # Minimum severity of journal log messages.
 # Valid values: fatal, error, warn, info, debug, trace
 matrix_steam_bridge_logging_level: 'warn'
 # Whether or not metrics endpoint should be enabled.
 # Enabling them is usually enough for a local (in-container) Prometheus to consume them.
 # If metrics need to be consumed by another (external) Prometheus server, consider exposing them via `matrix_steam_bridge_metrics_proxying_enabled`.
 matrix_steam_bridge_metrics_enabled: false
 # Controls whether metrics should be exposed on a public URL.
 matrix_steam_bridge_metrics_proxying_enabled: false
 matrix_steam_bridge_metrics_proxying_hostname: ''
 matrix_steam_bridge_metrics_proxying_path_prefix: ''
 # Default configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
 #
 # For a more advanced customization, you can extend the default (see `matrix_steam_bridge_configuration_extension_yaml`)
 # or completely replace this variable with your own template.
 matrix_steam_bridge_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}"
 matrix_steam_bridge_configuration_extension_yaml: |
  # Your custom YAML configuration goes here.
  # This configuration extends the default starting configuration (`matrix_steam_bridge_configuration_yaml`).
  #
  # You can override individual variables from the default configuration, or introduce new ones.
  #
  # If you need something more special, you can take full control by
  # completely redefining `matrix_steam_bridge_configuration_yaml`.
 matrix_steam_bridge_configuration_extension: "{{ matrix_steam_bridge_configuration_extension_yaml | from_yaml if matrix_steam_bridge_configuration_extension_yaml | from_yaml is mapping else {} }}"
 # Holds the final configuration (a combination of the default and its extension).
 # You most likely don't need to touch this variable. Instead, see `matrix_steam_bridge_configuration_yaml`.
 matrix_steam_bridge_configuration: "{{ matrix_steam_bridge_configuration_yaml | from_yaml | combine(matrix_steam_bridge_configuration_extension, recursive=True) }}"
 matrix_steam_bridge_registration_yaml: |
  id: steam
  as_token: "{{ matrix_steam_bridge_appservice_token }}"
  hs_token: "{{ matrix_steam_bridge_homeserver_token }}"
  namespaces:
    users:
    - exclusive: true
      regex: '^@steam_.+:{{ matrix_steam_bridge_homeserver_domain | regex_escape }}$'
    - exclusive: true
      regex: '^@{{ matrix_steam_bridge_appservice_bot_username | regex_escape }}:{{ matrix_steam_bridge_homeserver_domain | regex_escape }}$'
  url: {{ matrix_steam_bridge_appservice_address }}
  sender_localpart: _bot_{{ matrix_steam_bridge_appservice_bot_username }}
  rate_limited: false
  de.sorunome.msc2409.push_ephemeral: true
  receive_ephemeral: true
  io.element.msc4190: {{ matrix_steam_bridge_msc4190_enabled | to_json }}
 matrix_steam_bridge_registration: "{{ matrix_steam_bridge_registration_yaml | from_yaml }}"
 # Enable End-to-bridge encryption
 matrix_steam_bridge_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}"
 matrix_steam_bridge_bridge_encryption_default: "{{ matrix_bridges_encryption_default }}"
 matrix_steam_bridge_bridge_encryption_require: false
 matrix_steam_bridge_bridge_encryption_appservice: false
 matrix_steam_bridge_bridge_encryption_key_sharing_allow: "{{ matrix_steam_bridge_bridge_encryption_allow }}"
 matrix_steam_bridge_bridge_encryption_pickle_key: mautrix.bridge.e2ee
--- a/roles/custom/matrix-bridge-steam/tasks/main.yml
+++ b/roles/custom/matrix-bridge-steam/tasks/main.yml
@@ -0,0 +1,24 @@
 # SPDX-FileCopyrightText: 2025 MDAD project contributors
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 ---
 - tags:
    - setup-all
    - setup-matrix-steam-bridge
    - install-all
    - install-matrix-steam-bridge
  block:
    - when: matrix_steam_bridge_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
    - when: matrix_steam_bridge_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
 - tags:
    - setup-all
    - setup-matrix-steam-bridge
  block:
    - when: not matrix_steam_bridge_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
--- a/roles/custom/matrix-bridge-steam/tasks/setup_install.yml
+++ b/roles/custom/matrix-bridge-steam/tasks/setup_install.yml
@@ -0,0 +1,102 @@
 # SPDX-FileCopyrightText: 2025 MDAD project contributors
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 ---
 - ansible.builtin.set_fact:
    matrix_steam_bridge_requires_restart: false
 - name: Ensure Steam bridge image is pulled
  community.docker.docker_image:
    name: "{{ matrix_steam_bridge_docker_image }}"
    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
    force_source: "{{ matrix_steam_bridge_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_steam_bridge_docker_image_force_pull }}"
  when: matrix_steam_bridge_enabled | bool and not matrix_steam_bridge_container_image_self_build
  register: result
  retries: "{{ devture_playbook_help_container_retries_count }}"
  delay: "{{ devture_playbook_help_container_retries_delay }}"
  until: result is not failed
 - name: Ensure Steam bridge paths exist
  ansible.builtin.file:
    path: "{{ item.path }}"
    state: directory
    mode: 0750
    owner: "{{ matrix_user_name }}"
    group: "{{ matrix_group_name }}"
  with_items:
    - {path: "{{ matrix_steam_bridge_base_path }}", when: true}
    - {path: "{{ matrix_steam_bridge_config_path }}", when: true}
    - {path: "{{ matrix_steam_bridge_data_path }}", when: true}
    - {path: "{{ matrix_steam_bridge_docker_src_files_path }}", when: "{{ matrix_steam_bridge_container_image_self_build }}"}
  when: item.when | bool
 - name: Ensure Steam bridge repository is present on self-build
  ansible.builtin.git:
    repo: "{{ matrix_steam_bridge_container_image_self_build_repo }}"
    version: "{{ matrix_steam_bridge_container_image_self_build_repo_version }}"
    dest: "{{ matrix_steam_bridge_docker_src_files_path }}"
    force: "yes"
  become: true
  become_user: "{{ matrix_user_name }}"
  register: matrix_steam_bridge_git_pull_results
  when: "matrix_steam_bridge_enabled | bool and matrix_steam_bridge_container_image_self_build"
 - name: Ensure Steam bridge Docker image is built
  community.docker.docker_image:
    name: "{{ matrix_steam_bridge_docker_image }}"
    source: build
    force_source: "{{ matrix_steam_bridge_git_pull_results.changed }}"
    build:
      dockerfile: Dockerfile
      path: "{{ matrix_steam_bridge_docker_src_files_path }}"
      pull: true
  when: "matrix_steam_bridge_enabled | bool and matrix_steam_bridge_container_image_self_build | bool"
 - name: Ensure matrix-steam-bridge config.yaml installed
  ansible.builtin.copy:
    content: "{{ matrix_steam_bridge_configuration | to_nice_yaml(indent=2, width=999999) }}"
    dest: "{{ matrix_steam_bridge_config_path }}/config.yaml"
    mode: 0644
    owner: "{{ matrix_user_name }}"
    group: "{{ matrix_group_name }}"
 - name: Ensure matrix-steam-bridge registration.yaml installed
  ansible.builtin.copy:
    content: "{{ matrix_steam_bridge_registration | to_nice_yaml(indent=2, width=999999) }}"
    dest: "{{ matrix_steam_bridge_config_path }}/registration.yaml"
    mode: 0644
    owner: "{{ matrix_user_name }}"
    group: "{{ matrix_group_name }}"
 - name: Ensure matrix-steam-bridge support files installed
  ansible.builtin.template:
    src: "{{ role_path }}/templates/{{ item }}.j2"
    dest: "{{ matrix_steam_bridge_base_path }}/{{ item }}"
    mode: 0640
    owner: "{{ matrix_user_name }}"
    group: "{{ matrix_group_name }}"
  with_items:
    - labels
 - name: Ensure matrix-steam-bridge container network is created
  community.general.docker_network:
    enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}"
    name: "{{ matrix_steam_bridge_container_network }}"
    driver: bridge
    driver_options: "{{ devture_systemd_docker_base_container_networks_driver_options }}"
 - name: Ensure matrix-steam-bridge.service installed
  ansible.builtin.template:
    src: "{{ role_path }}/templates/systemd/matrix-steam-bridge.service.j2"
    dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-steam-bridge.service"
    mode: 0644
 - name: Ensure matrix-steam-bridge.service restarted, if necessary
  ansible.builtin.service:
    name: "matrix-steam-bridge.service"
    state: restarted
    daemon_reload: true
  when: "matrix_steam_bridge_requires_restart | bool"
--- a/roles/custom/matrix-bridge-steam/tasks/setup_uninstall.yml
+++ b/roles/custom/matrix-bridge-steam/tasks/setup_uninstall.yml
@@ -0,0 +1,23 @@
 # SPDX-FileCopyrightText: 2025 MDAD project contributors
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 ---
 - name: Check existence of matrix-steam-bridge service
  ansible.builtin.stat:
    path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-steam-bridge.service"
  register: matrix_steam_bridge_service_stat
 - when: matrix_steam_bridge_service_stat.stat.exists | bool
  block:
    - name: Ensure matrix-steam-bridge is stopped
      ansible.builtin.service:
        name: matrix-steam-bridge
        state: stopped
        daemon_reload: true
    - name: Ensure matrix-steam-bridge.service doesn't exist
      ansible.builtin.file:
        path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-steam-bridge.service"
        state: absent
--- a/roles/custom/matrix-bridge-steam/tasks/validate_config.yml
+++ b/roles/custom/matrix-bridge-steam/tasks/validate_config.yml
@@ -0,0 +1,29 @@
 # SPDX-FileCopyrightText: 2025 MDAD project contributors
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 ---
 - name: Fail if required matrix_steam_bridge settings not defined
  ansible.builtin.fail:
    msg: >-
      You need to define a required configuration setting (`{{ item.name }}`).
  when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0"
  with_items:
    - {'name': 'matrix_steam_bridge_appservice_token', when: true}
    - {'name': 'matrix_steam_bridge_homeserver_address', when: true}
    - {'name': 'matrix_steam_bridge_homeserver_token', when: true}
    - {'name': 'matrix_steam_bridge_database_hostname', when: "{{ matrix_steam_bridge_database_engine == 'postgres' }}"}
    - {'name': 'matrix_steam_bridge_container_network', when: true}
    - {'name': 'matrix_steam_bridge_metrics_proxying_hostname', when: "{{ matrix_steam_bridge_metrics_proxying_enabled }}"}
    - {'name': 'matrix_steam_bridge_metrics_proxying_path_prefix', when: "{{ matrix_steam_bridge_metrics_proxying_enabled }}"}
 # TODO: Confirm additional config isn't mandatory for public_media
 - name: (Deprecation) Catch and report renamed matrix-steam-bridge variables
  ansible.builtin.fail:
    msg: >-
      Your configuration contains a variable, which now has a different name.
      Please rename the variable (`{{ item.old }}` -> `{{ item.new }}`) on your configuration file (vars.yml).
  when: "lookup('ansible.builtin.varnames', ('^' + item.old + '$'), wantlist=True) | length > 0"
  with_items:
    - {'old': 'matrix_steam_bridge_docker_image_name_prefix', 'new': 'matrix_steam_bridge_docker_image_registry_prefix'}
--- a/roles/custom/matrix-bridge-steam/templates/config.yaml.j2
+++ b/roles/custom/matrix-bridge-steam/templates/config.yaml.j2
@@ -0,0 +1,450 @@
 #jinja2: lstrip_blocks: True
 # Network-specific config options
 network:
    # Proxy to use for all Steam connections.
    proxy: null
    # Alternative to proxy: an HTTP endpoint that returns the proxy URL to use for Steam connections.
    get_proxy_url: null
    # Displayname template for Steam users.
    # {% raw %}
    # {{ .DisplayName }} is replaced with the display name of the Steam user.
    # {{ .Username }} is replaced with the username of the Steam user.
    # {% endraw %}
    displayname_template: {{ matrix_steam_bridge_network_displayname_template | to_json }}
    # Maximum number of conversations to sync on startup
    conversation_sync_limit: 20
    steam_bridge_path: ./
    steam_bridge_address: localhost:50051
    steam_bridge_auto_start: true
    steam_bridge_startup_timeout: 30
 # Config options that affect the central bridge module.
 bridge:
    # The prefix for commands. Only required in non-management rooms.
    command_prefix: {{ matrix_steam_bridge_command_prefix | to_json }}
    # Should the bridge create a space for each login containing the rooms that account is in?
    personal_filtering_spaces: true
    # Whether the bridge should set names and avatars explicitly for DM portals.
    # This is only necessary when using clients that don't support MSC4171.
    private_chat_portal_meta: true
    # Should events be handled asynchronously within portal rooms?
    # If true, events may end up being out of order, but slow events won't block other ones.
    # This is not yet safe to use.
    async_events: false
    # Should every user have their own portals rather than sharing them?
    # By default, users who are in the same group on the remote network will be
    # in the same Matrix room bridged to that group. If this is set to true,
    # every user will get their own Matrix room instead.
    split_portals: {{ matrix_steam_bridge_bridge_split_portals | to_json }}
    # Should the bridge resend `m.bridge` events to all portals on startup?
    resend_bridge_info: false
    # Should `m.bridge` events be sent without a state key?
    # By default, the bridge uses a unique key that won't conflict with other bridges.
    no_bridge_info_state_key: false
    # Should bridge connection status be sent to the management room as `m.notice` events?
    # These contain the same data that can be posted to an external HTTP server using homeserver -> status_endpoint.
    # Allowed values: none, errors, all
    bridge_status_notices: errors
    # How long after an unknown error should the bridge attempt a full reconnect?
    # Must be at least 1 minute. The bridge will add an extra ±20% jitter to this value.
    unknown_error_auto_reconnect: null
    # Should leaving Matrix rooms be bridged as leaving groups on the remote network?
    bridge_matrix_leave: false
    # Should room tags only be synced when creating the portal? Tags mean things like favorite/pin and archive/low priority.
    # Tags currently can't be synced back to the remote network, so a continuous sync means tagging from Matrix will be undone.
    tag_only_on_create: true
    # List of tags to allow bridging. If empty, no tags will be bridged.
    only_bridge_tags: [m.favourite, m.lowpriority]
    # Should room mute status only be synced when creating the portal?
    # Like tags, mutes can't currently be synced back to the remote network.
    mute_only_on_create: true
    # Should the bridge check the db to ensure that incoming events haven't been handled before
    deduplicate_matrix_messages: false
    # Should cross-room reply metadata be bridged?
    # Most Matrix clients don't support this and servers may reject such messages too.
    cross_room_replies: false
    # What should be done to portal rooms when a user logs out or is logged out?
    # Permitted values:
    #   nothing - Do nothing, let the user stay in the portals
    #   kick - Remove the user from the portal rooms, but don't delete them
    #   unbridge - Remove all ghosts in the room and disassociate it from the remote chat
    #   delete - Remove all ghosts and users from the room (i.e. delete it)
    cleanup_on_logout:
        # Should cleanup on logout be enabled at all?
        enabled: {{ matrix_steam_bridge_bridge_cleanup_on_logout_enabled | to_json }}
        # Settings for manual logouts (explicitly initiated by the Matrix user)
        manual:
            # Action for private portals which will never be shared with other Matrix users.
            private: {{ matrix_steam_bridge_bridge_cleanup_on_logout_manual_private | to_json }}
            # Action for portals with a relay user configured.
            relayed: {{ matrix_steam_bridge_bridge_cleanup_on_logout_manual_relayed | to_json }}
            # Action for portals which may be shared, but don't currently have any other Matrix users.
            shared_no_users: {{ matrix_steam_bridge_bridge_cleanup_on_logout_manual_shared_no_users | to_json }}
            # Action for portals which have other logged-in Matrix users.
            shared_has_users: {{ matrix_steam_bridge_bridge_cleanup_on_logout_manual_shared_has_users | to_json }}
        # Settings for credentials being invalidated (initiated by the remote network, possibly through user action).
        # Keys have the same meanings as in the manual section.
        bad_credentials:
            private: {{ matrix_steam_bridge_bridge_cleanup_on_logout_bad_credentials_private | to_json }}
            relayed: {{ matrix_steam_bridge_bridge_cleanup_on_logout_bad_credentials_relayed | to_json }}
            shared_no_users: {{ matrix_steam_bridge_bridge_cleanup_on_logout_bad_credentials_shared_no_users | to_json }}
            shared_has_users: {{ matrix_steam_bridge_bridge_cleanup_on_logout_bad_credentials_shared_has_users | to_json }}
    # Settings for relay mode
    relay:
        # Whether relay mode should be allowed. If allowed, the set-relay command can be used to turn any
        # authenticated user into a relaybot for that chat.
        enabled: false
        # Should only admins be allowed to set themselves as relay users?
        # If true, non-admins can only set users listed in default_relays as relays in a room.
        admin_only: true
        # List of user login IDs which anyone can set as a relay, as long as the relay user is in the room.
        default_relays: []
        # The formats to use when sending messages via the relaybot.
        # Available variables:
        #   .Sender.UserID - The Matrix user ID of the sender.
        #   .Sender.Displayname - The display name of the sender (if set).
        #   .Sender.RequiresDisambiguation - Whether the sender's name may be confused with the name of another user in the room.
        #   .Sender.DisambiguatedName - The disambiguated name of the sender. This will be the displayname if set,
        #                               plus the user ID in parentheses if the displayname is not unique.
        #                               If the displayname is not set, this is just the user ID.
        #   .Message - The `formatted_body` field of the message.
        #   .Caption - The `formatted_body` field of the message, if it's a caption. Otherwise an empty string.
        #   .FileName - The name of the file being sent.
        message_formats:
            m.text: "{% raw %}<b>{{ .Sender.DisambiguatedName }}</b>: {{ .Message }}{% endraw %}"
            m.notice: "{% raw %}<b>{{ .Sender.DisambiguatedName }}</b>: {{ .Message }}{% endraw %}"
            m.emote: "{% raw %}* <b>{{ .Sender.DisambiguatedName }}</b> {{ .Message }}{% endraw %}"
            m.file: "{% raw %}<b>{{ .Sender.DisambiguatedName }}</b> sent a file{{ if .Caption }}: {{ .Caption }}{{ end }}{% endraw %}"
            m.image: "{% raw %}<b>{{ .Sender.DisambiguatedName }}</b> sent an image{{ if .Caption }}: {{ .Caption }}{{ end }}{% endraw %}"
            m.audio: "{% raw %}<b>{{ .Sender.DisambiguatedName }}</b> sent an audio file{{ if .Caption }}: {{ .Caption }}{{ end }}{% endraw %}"
            m.video: "{% raw %}<b>{{ .Sender.DisambiguatedName }}</b> sent a video{{ if .Caption }}: {{ .Caption }}{{ end }}{% endraw %}"
            m.location: "{% raw %}<b>{{ .Sender.DisambiguatedName }}</b> sent a location{{ if .Caption }}: {{ .Caption }}{{ end }}{% endraw %}"
        # For networks that support per-message displaynames (i.e. Slack and Discord), the template for those names.
        # This has all the Sender variables available under message_formats (but without the .Sender prefix).
        # Note that you need to manually remove the displayname from message_formats above.
        displayname_format: "{% raw %}{{ .DisambiguatedName }}{% endraw %}"
    # Permissions for using the bridge.
    # Permitted values:
    #    relay - Talk through the relaybot (if enabled), no access otherwise
    # commands - Access to use commands in the bridge, but not login.
    #     user - Access to use the bridge with puppeting.
    #    admin - Full access, user level with some additional administration tools.
    # Permitted keys:
    #        * - All Matrix users
    #   domain - All users on that homeserver
    #     mxid - Specific user
    permissions: {{ matrix_steam_bridge_bridge_permissions | to_json }}
 # Config for the bridge's database.
 database:
    # The database type. "sqlite3-fk-wal" and "postgres" are supported.
    type: postgres
    # The database URI.
    #   SQLite: A raw file path is supported, but `file:<path>?_txlock=immediate` is recommended.
    #           https://github.com/mattn/go-sqlite3#connection-string
    #   Postgres: Connection string. For example, postgres://user:password@host/database?sslmode=disable
    #             To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql
    uri: {{ matrix_steam_bridge_database_uri | to_json }}
    # Maximum number of connections.
    max_open_conns: 5
    max_idle_conns: 2
    # Maximum connection idle time and lifetime before they're closed. Disabled if null.
    # Parsed with https://pkg.go.dev/time#ParseDuration
    max_conn_idle_time: null
    max_conn_lifetime: null
 # Homeserver details.
 homeserver:
    # The address that this appservice can use to connect to the homeserver.
    # Local addresses without HTTPS are generally recommended when the bridge is running on the same machine,
    # but https also works if they run on different machines.
    address: {{ matrix_steam_bridge_homeserver_address | to_json }}
    # The domain of the homeserver (also known as server_name, used for MXIDs, etc).
    domain: {{ matrix_steam_bridge_homeserver_domain | to_json }}
    # What software is the homeserver running?
    # Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here.
    software: standard
    # The URL to push real-time bridge status to.
    # If set, the bridge will make POST requests to this URL whenever a user's remote network connection state changes.
    # The bridge will use the appservice as_token to authorize requests.
    status_endpoint:
    # Endpoint for reporting per-message status.
    # If set, the bridge will make POST requests to this URL when processing a message from Matrix.
    # It will make one request when receiving the message (step BRIDGE), one after decrypting if applicable
    # (step DECRYPTED) and one after sending to the remote network (step REMOTE). Errors will also be reported.
    # The bridge will use the appservice as_token to authorize requests.
    message_send_checkpoint_endpoint:
    # Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246?
    async_media: {{ matrix_steam_bridge_homeserver_async_media | to_json }}
    # Should the bridge use a websocket for connecting to the homeserver?
    # The server side is currently not documented anywhere and is only implemented by mautrix-wsproxy,
    # mautrix-asmux (deprecated), and hungryserv (proprietary).
    websocket: false
    # How often should the websocket be pinged? Pinging will be disabled if this is zero.
    ping_interval_seconds: 0
 # Application service host/registration related details.
 # Changing these values requires regeneration of the registration (except when noted otherwise)
 appservice:
    # The address that the homeserver can use to connect to this appservice.
    # Like the homeserver address, a local non-https address is recommended when the bridge is on the same machine.
    # If the bridge is elsewhere, you must secure the connection yourself (e.g. with https or wireguard)
    # If you want to use https, you need to use a reverse proxy. The bridge does not have TLS support built in.
    address: {{ matrix_steam_bridge_appservice_address | to_json }}
    # A public address that external services can use to reach this appservice.
    # This is only needed for things like public media. A reverse proxy is generally necessary when using this field.
    # This value doesn't affect the registration file.
    public_address: {{ matrix_steam_bridge_appservice_public_address | to_json }}
    # The hostname and port where this appservice should listen.
    # For Docker, you generally have to change the hostname to 0.0.0.0.
    hostname: 0.0.0.0
    port: {{ matrix_steam_bridge_appservice_port }}
    # The unique ID of this appservice.
    id: steam
    # Appservice bot details.
    bot:
        # Username of the appservice bot.
        username: {{ matrix_steam_bridge_appservice_bot_username | to_json }}
        # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
        # to leave display name/avatar as-is.
        displayname: {{ matrix_steam_bridge_appservice_bot_displayname | to_json(ensure_ascii=False) }}
        avatar: {{ matrix_steam_bridge_appservice_bot_avatar | to_json }}
    # Whether to receive ephemeral events via appservice transactions.
    ephemeral_events: true
    # Should incoming events be handled asynchronously?
    # This may be necessary for large public instances with lots of messages going through.
    # However, messages will not be guaranteed to be bridged in the same order they were sent in.
    # This value doesn't affect the registration file.
    async_transactions: false
    # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
    as_token: {{ matrix_steam_bridge_appservice_token | to_json }}
    hs_token: {{ matrix_steam_bridge_homeserver_token | to_json }}
    # Localpart template of MXIDs for remote users.
    # {% raw %}{{.}}{% endraw %} is replaced with the internal ID of the user.
    username_template: "{% raw %}steam_{{.}}{% endraw %}"
 # Config options that affect the Matrix connector of the bridge.
 matrix:
    # Whether the bridge should send the message status as a custom com.beeper.message_send_status event.
    message_status_events: false
    # Whether the bridge should send a read receipt after successfully bridging a message.
    delivery_receipts: false
    # Whether the bridge should send error notices via m.notice events when a message fails to bridge.
    message_error_notices: true
    # Whether the bridge should update the m.direct account data event when double puppeting is enabled.
    sync_direct_chat_list: true
    # Whether created rooms should have federation enabled. If false, created portal rooms
    # will never be federated. Changing this option requires recreating rooms.
    federate_rooms: {{ matrix_steam_bridge_matrix_federate_rooms | to_json }}
    # The threshold as bytes after which the bridge should roundtrip uploads via the disk
    # rather than keeping the whole file in memory.
    upload_file_threshold: 5242880
 # Segment-compatible analytics endpoint for tracking some events, like provisioning API login and encryption errors.
 analytics:
    # API key to send with tracking requests. Tracking is disabled if this is null.
    token: null
    # Address to send tracking requests to.
    url: https://api.segment.io/v1/track
    # Optional user ID for tracking events. If null, defaults to using Matrix user ID.
    user_id: null
 # Settings for provisioning API
 provisioning:
    # Prefix for the provisioning API paths.
    prefix: /_matrix/provision
    # Shared secret for authentication. If set to "generate" or null, a random secret will be generated,
    # or if set to "disable", the provisioning API will be disabled.
    shared_secret: {{ matrix_steam_bridge_provisioning_shared_secret | to_json }}
    # Whether to allow provisioning API requests to be authed using Matrix access tokens.
    # This follows the same rules as double puppeting to determine which server to contact to check the token,
    # which means that by default, it only works for users on the same server as the bridge.
    allow_matrix_auth: true
    # Enable debug API at /debug with provisioning authentication.
    debug_endpoints: false
 # Some networks require publicly accessible media download links (e.g. for user avatars when using Discord webhooks).
 # These settings control whether the bridge will provide such public media access.
 # TODO: Update with public_media config once it's figured out
 public_media:
    # Should public media be enabled at all?
    # The public_address field under the appservice section MUST be set when enabling public media.
    enabled: {{ matrix_steam_bridge_public_media_enabled | to_json }}
    # A key for signing public media URLs.
    # If set to "generate", a random key will be generated.
    signing_key: {{ matrix_steam_bridge_public_media_signing_key | to_json }}
    # Number of seconds that public media URLs are valid for.
    # If set to 0, URLs will never expire.
    expiry: {{ matrix_steam_bridge_public_media_expiry | to_json }}
    # Length of hash to use for public media URLs. Must be between 0 and 32.
    hash_length: {{ matrix_steam_bridge_public_media_hash_length | to_json }}
 # Settings for converting remote media to custom mxc:// URIs instead of reuploading.
 # More details can be found at https://docs.mau.fi/bridges/go/discord/direct-media.html
 direct_media:
    # Should custom mxc:// URIs be used instead of reuploading media?
    enabled: false
    # The server name to use for the custom mxc:// URIs.
    # This server name will effectively be a real Matrix server, it just won't implement anything other than media.
    # You must either set up .well-known delegation from this domain to the bridge, or proxy the domain directly to the bridge.
    server_name: media.example.com
    # Optionally a custom .well-known response. This defaults to `server_name:443`
    well_known_response:
    # Optionally specify a custom prefix for the media ID part of the MXC URI.
    media_id_prefix:
    # If the remote network supports media downloads over HTTP, then the bridge will use MSC3860/MSC3916
    # media download redirects if the requester supports it. Optionally, you can force redirects
    # and not allow proxying at all by setting this to false.
    # This option does nothing if the remote network does not support media downloads over HTTP.
    allow_proxy: true
    # Matrix server signing key to make the federation tester pass, same format as synapse's .signing.key file.
    # This key is also used to sign the mxc:// URIs to ensure only the bridge can generate them.
    server_key: ""
 # Settings for backfilling messages.
 # Note that the exact way settings are applied depends on the network connector.
 # See https://docs.mau.fi/bridges/general/backfill.html for more details.
 backfill:
    # Whether to do backfilling at all.
    enabled: {{ matrix_steam_bridge_backfill_enabled | to_json }}
    # Maximum number of messages to backfill in empty rooms.
    max_initial_messages: {{ matrix_steam_bridge_backfill_max_initial_messages | to_json }}
    # Maximum number of missed messages to backfill after bridge restarts.
    max_catchup_messages: {{ matrix_steam_bridge_backfill_max_catchup_messages | to_json }}
    # If a backfilled chat is older than this number of hours,
    # mark it as read even if it's unread on the remote network.
    unread_hours_threshold: 720
    # Settings for backfilling threads within other backfills.
    threads:
        # Maximum number of messages to backfill in a new thread.
        max_initial_messages: 50
    # Settings for the backwards backfill queue. This only applies when connecting to
    # Beeper as standard Matrix servers don't support inserting messages into history.
    queue:
        # Should the backfill queue be enabled?
        enabled: false
        # Number of messages to backfill in one batch.
        batch_size: 100
        # Delay between batches in seconds.
        batch_delay: 20
        # Maximum number of batches to backfill per portal.
        # If set to -1, all available messages will be backfilled.
        max_batches: -1
        # Optional network-specific overrides for max batches.
        # Interpretation of this field depends on the network connector.
        max_batches_override: {}
 # Settings for enabling double puppeting
 double_puppet:
    # Servers to always allow double puppeting from.
    # This is only for other servers and should NOT contain the server the bridge is on.
    servers: {}
    # Whether to allow client API URL discovery for other servers. When using this option,
    # users on other servers can use double puppeting even if their server URLs aren't
    # explicitly added to the servers map above.
    allow_discovery: false
    # Shared secrets for automatic double puppeting.
    # See https://docs.mau.fi/bridges/general/double-puppeting.html for instructions.
    secrets: {{ matrix_steam_bridge_double_puppet_secrets | to_json }}
 # End-to-bridge encryption support options.
 #
 # See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info.
 encryption:
    # Whether to enable encryption at all. If false, the bridge will not function in encrypted rooms.
    allow: {{ matrix_steam_bridge_bridge_encryption_allow | to_json }}
    # Whether to force-enable encryption in all bridged rooms.
    default: {{ matrix_steam_bridge_bridge_encryption_default | to_json }}
    # Whether to require all messages to be encrypted and drop any unencrypted messages.
    require: {{ matrix_steam_bridge_bridge_encryption_require | to_json }}
    # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.
    # This option is not yet compatible with standard Matrix servers like Synapse and should not be used.
    appservice: {{ matrix_steam_bridge_bridge_encryption_appservice | to_json }}
    # Whether to use MSC4190 instead of appservice login to create the bridge bot device.
    # Requires the homeserver to support MSC4190 and the device masquerading parts of MSC3202.
    # Only relevant when using end-to-bridge encryption, required when using encryption with next-gen auth (MSC3861).
    # Changing this option requires updating the appservice registration file.
    msc4190: {{ matrix_steam_bridge_msc4190_enabled | to_json }}
    # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
    # You must use a client that supports requesting keys from other users to use this feature.
    allow_key_sharing: {{ matrix_steam_bridge_bridge_encryption_key_sharing_allow | to_json }}
    # Pickle key for encrypting encryption keys in the bridge database.
    # If set to generate, a random key will be generated.
    pickle_key: {{ matrix_steam_bridge_bridge_encryption_pickle_key | to_json }}
    # Options for deleting megolm sessions from the bridge.
    delete_keys:
        # Beeper-specific: delete outbound sessions when hungryserv confirms
        # that the user has uploaded the key to key backup.
        delete_outbound_on_ack: false
        # Don't store outbound sessions in the inbound table.
        dont_store_outbound: false
        # Ratchet megolm sessions forward after decrypting messages.
        ratchet_on_decrypt: false
        # Delete fully used keys (index >= max_messages) after decrypting messages.
        delete_fully_used_on_decrypt: false
        # Delete previous megolm sessions from same device when receiving a new one.
        delete_prev_on_new_session: false
        # Delete megolm sessions received from a device when the device is deleted.
        delete_on_device_delete: false
        # Periodically delete megolm sessions when 2x max_age has passed since receiving the session.
        periodically_delete_expired: false
        # Delete inbound megolm sessions that don't have the received_at field used for
        # automatic ratcheting and expired session deletion. This is meant as a migration
        # to delete old keys prior to the bridge update.
        delete_outdated_inbound: false
    # What level of device verification should be required from users?
    #
    # Valid levels:
    #   unverified - Send keys to all device in the room.
    #   cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys.
    #   cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes).
    #   cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot.
    #                           Note that creating user signatures from the bridge bot is not currently possible.
    #   verified - Require manual per-device verification
    #              (currently only possible by modifying the `trust` column in the `crypto_device` database table).
    verification_levels:
        # Minimum level for which the bridge should send keys to when bridging messages from the remote network to Matrix.
        receive: unverified
        # Minimum level that the bridge should accept for incoming Matrix messages.
        send: unverified
        # Minimum level that the bridge should require for accepting key requests.
        share: cross-signed-tofu
    # Options for Megolm room key rotation. These options allow you to configure the m.room.encryption event content.
    # See https://spec.matrix.org/v1.10/client-server-api/#mroomencryption for more information about that event.
    rotation:
        # Enable custom Megolm room key rotation settings. Note that these
        # settings will only apply to rooms created after this option is set.
        enable_custom: false
        # The maximum number of milliseconds a session should be used
        # before changing it. The Matrix spec recommends 604800000 (a week)
        # as the default.
        milliseconds: 604800000
        # The maximum number of messages that should be sent with a given a
        # session before changing it. The Matrix spec recommends 100 as the
        # default.
        messages: 100
        # Disable rotating keys when a user's devices change?
        # You should not enable this option unless you understand all the implications.
        disable_device_change_key_rotation: false
 # Logging config. See https://github.com/tulir/zeroconfig for details.
 logging:
    min_level: {{ matrix_steam_bridge_logging_level | to_json }}
    writers:
        - type: stdout
          format: pretty-colored
--- a/roles/custom/matrix-bridge-steam/templates/config.yaml.j2.license
+++ b/roles/custom/matrix-bridge-steam/templates/config.yaml.j2.license
@@ -0,0 +1,3 @@
 SPDX-FileCopyrightText: 2025 MDAD project contributors
 SPDX-License-Identifier: AGPL-3.0-or-later
--- a/roles/custom/matrix-bridge-steam/templates/labels.j2
+++ b/roles/custom/matrix-bridge-steam/templates/labels.j2
@@ -0,0 +1,78 @@
 {#
 SPDX-FileCopyrightText: 2025 MDAD project contributors
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
 {% if matrix_steam_bridge_container_labels_traefik_enabled %}
 traefik.enable=true
 {% if matrix_steam_bridge_container_labels_traefik_docker_network %}
 traefik.docker.network={{ matrix_steam_bridge_container_labels_traefik_docker_network }}
 {% endif %}
 traefik.http.services.matrix-steam-bridge.loadbalancer.server.port={{ matrix_steam_bridge_appservice_port }}
 traefik.http.services.matrix-steam-bridge-metrics.loadbalancer.server.port=8000
 {% if matrix_steam_bridge_container_labels_metrics_enabled %}
 ############################################################
 #                                                          #
 # Metrics                                                  #
 #                                                          #
 ############################################################
 {% if matrix_steam_bridge_container_labels_metrics_middleware_basic_auth_enabled %}
 traefik.http.middlewares.matrix-steam-bridge-metrics-basic-auth.basicauth.users={{ matrix_steam_bridge_container_labels_metrics_middleware_basic_auth_users }}
 traefik.http.routers.matrix-steam-bridge-metrics.middlewares=matrix-steam-bridge-metrics-basic-auth
 {% endif %}
 traefik.http.routers.matrix-steam-bridge-metrics.rule={{ matrix_steam_bridge_container_labels_metrics_traefik_rule }}
 {% if matrix_steam_bridge_container_labels_metrics_traefik_priority | int > 0 %}
 traefik.http.routers.matrix-steam-bridge-metrics.priority={{ matrix_steam_bridge_container_labels_metrics_traefik_priority }}
 {% endif %}
 traefik.http.routers.matrix-steam-bridge-metrics.service=matrix-steam-bridge-metrics
 traefik.http.routers.matrix-steam-bridge-metrics.entrypoints={{ matrix_steam_bridge_container_labels_metrics_traefik_entrypoints }}
 traefik.http.routers.matrix-steam-bridge-metrics.tls={{ matrix_steam_bridge_container_labels_metrics_traefik_tls | to_json }}
 {% if matrix_steam_bridge_container_labels_metrics_traefik_tls %}
 traefik.http.routers.matrix-steam-bridge-metrics.tls.certResolver={{ matrix_steam_bridge_container_labels_metrics_traefik_tls_certResolver }}
 {% endif %}
 ############################################################
 #                                                          #
 # /Metrics                                                 #
 #                                                          #
 ############################################################
 {% endif %}
 {% if matrix_steam_bridge_public_media_enabled %}
 ############################################################
 #                                                          #
 # Public Media                                             #
 #                                                          #
 ############################################################
 # Router for public media
 traefik.http.routers.matrix-steam-bridge-public-media.rule=Host(`{{ matrix_server_fqn_matrix }}`) && PathPrefix(`/_mautrix/publicmedia/{{ matrix_domain }}/`)
 traefik.http.routers.matrix-steam-bridge-public-media.service=matrix-steam-bridge
 traefik.http.routers.matrix-steam-bridge-public-media.entrypoints={{ matrix_steam_bridge_container_labels_traefik_entrypoints }}
 traefik.http.routers.matrix-steam-bridge-public-media.tls={{ matrix_steam_bridge_container_labels_traefik_tls | to_json }}
 {% if matrix_steam_bridge_container_labels_traefik_tls %}
 traefik.http.routers.matrix-steam-bridge-public-media.tls.certResolver={{ matrix_steam_bridge_container_labels_traefik_tls_certResolver }}
 {% endif %}
 ############################################################
 #                                                          #
 # /Public Media                                            #
 #                                                          #
 ############################################################
 {% endif %}
 {% endif %}
 {{ matrix_steam_bridge_container_labels_additional_labels }}
--- a/roles/custom/matrix-bridge-steam/templates/systemd/matrix-steam-bridge.service.j2
+++ b/roles/custom/matrix-bridge-steam/templates/systemd/matrix-steam-bridge.service.j2
@@ -0,0 +1,48 @@
 #jinja2: lstrip_blocks: True
 [Unit]
 Description=Matrix Steam bridge
 {% for service in matrix_steam_bridge_systemd_required_services_list %}
 Requires={{ service }}
 After={{ service }}
 {% endfor %}
 {% for service in matrix_steam_bridge_systemd_wanted_services_list %}
 Wants={{ service }}
 {% endfor %}
 DefaultDependencies=no
 [Service]
 Type=simple
 Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
 ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-steam-bridge 2>/dev/null || true'
 ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-steam-bridge 2>/dev/null || true'
 ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 			--rm \
 			--name=matrix-steam-bridge \
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--cap-drop=ALL \
 			--network={{ matrix_steam_bridge_container_network }} \
 			--mount type=bind,src={{ matrix_steam_bridge_config_path }},dst=/app/config,ro \
 			--mount type=bind,src={{ matrix_steam_bridge_data_path }},dst=/app/data \
 			--label-file={{ matrix_steam_bridge_base_path }}/labels \
 			{% for arg in matrix_steam_bridge_container_extra_arguments %}
 			{{ arg }} \
 			{% endfor %}
 			{{ matrix_steam_bridge_docker_image }} \
 			/usr/bin/steam -c /app/config/config.yaml -r /app/config/registration.yaml --no-update
 {% for network in matrix_steam_bridge_container_additional_networks %}
 ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-steam-bridge
 {% endfor %}
 ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-steam-bridge
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-steam-bridge 2>/dev/null || true'
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-steam-bridge 2>/dev/null || true'
 Restart=always
 RestartSec=30
 SyslogIdentifier=matrix-steam-bridge
 [Install]
 WantedBy=multi-user.target
--- a/roles/custom/matrix-bridge-steam/templates/systemd/matrix-steam-bridge.service.j2.license
+++ b/roles/custom/matrix-bridge-steam/templates/systemd/matrix-steam-bridge.service.j2.license
@@ -0,0 +1,3 @@
 SPDX-FileCopyrightText: 2025 MDAD project contributors
 SPDX-License-Identifier: AGPL-3.0-or-later
--- a/roles/custom/matrix-bridge-wechat/defaults/main.yml
+++ b/roles/custom/matrix-bridge-wechat/defaults/main.yml
@@ -47,6 +47,9 @@ matrix_wechat_agent_container_src_files_path: "{{ matrix_wechat_base_path }}/age
 matrix_wechat_homeserver_address: ""
 matrix_wechat_homeserver_domain: "{{ matrix_domain }}"
 # Whether asynchronous uploads via MSC2246 should be enabled for media.
 # Requires a homeserver that supports MSC2246 (https://github.com/matrix-org/matrix-spec-proposals/pull/2246).
 matrix_wechat_homeserver_async_media: false
 matrix_wechat_appservice_address: 'http://matrix-wechat:8080'
 matrix_wechat_container_network: ""
--- a/roles/custom/matrix-bridge-wechat/templates/config.yaml.j2
+++ b/roles/custom/matrix-bridge-wechat/templates/config.yaml.j2
@@ -16,7 +16,7 @@ homeserver:
    # Endpoint for reporting per-message status.
    message_send_checkpoint_endpoint: null
    # Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246?
-    async_media: false
+    async_media: {{ matrix_wechat_homeserver_async_media | to_json }}
    # Should the bridge use a websocket for connecting to the homeserver?
    # The server side is currently not documented anywhere and is only implemented by mautrix-wsproxy,
--- a/roles/custom/matrix-cactus-comments-client/defaults/main.yml
+++ b/roles/custom/matrix-cactus-comments-client/defaults/main.yml
@@ -18,7 +18,7 @@ matrix_cactus_comments_client_public_path: "{{ matrix_cactus_comments_client_bas
 matrix_cactus_comments_client_public_path_file_permissions: "0644"
 # renovate: datasource=docker depName=joseluisq/static-web-server
-matrix_cactus_comments_client_version: 2.38.0
+matrix_cactus_comments_client_version: 2.38.1
 matrix_cactus_comments_client_container_image: "{{ matrix_cactus_comments_client_container_image_registry_prefix }}joseluisq/static-web-server:{{ matrix_cactus_comments_client_container_image_tag }}"
 matrix_cactus_comments_client_container_image_registry_prefix: "{{ matrix_cactus_comments_client_container_image_registry_prefix_upstream }}"
--- a/roles/custom/matrix-client-cinny/defaults/main.yml
+++ b/roles/custom/matrix-client-cinny/defaults/main.yml
@@ -17,7 +17,7 @@ matrix_client_cinny_container_image_self_build: false
 matrix_client_cinny_container_image_self_build_repo: "https://github.com/ajbura/cinny.git"
 # renovate: datasource=docker depName=ajbura/cinny
-matrix_client_cinny_version: v4.9.0
+matrix_client_cinny_version: v4.10.1
 matrix_client_cinny_docker_image: "{{ matrix_client_cinny_docker_image_registry_prefix }}ajbura/cinny:{{ matrix_client_cinny_version }}"
 matrix_client_cinny_docker_image_registry_prefix: "{{ 'localhost/' if matrix_client_cinny_container_image_self_build else matrix_client_cinny_docker_image_registry_prefix_upstream }}"
 matrix_client_cinny_docker_image_registry_prefix_upstream: "{{ matrix_client_cinny_docker_image_registry_prefix_upstream_default }}"
--- a/roles/custom/matrix-client-element/defaults/main.yml
+++ b/roles/custom/matrix-client-element/defaults/main.yml
@@ -29,7 +29,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/eleme
 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}"
 # renovate: datasource=docker depName=ghcr.io/element-hq/element-web
-matrix_client_element_version: v1.11.109
+matrix_client_element_version: v1.12.0
 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_registry_prefix }}element-hq/element-web:{{ matrix_client_element_version }}"
 matrix_client_element_docker_image_registry_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_client_element_docker_image_registry_prefix_upstream }}"
@@ -186,6 +186,7 @@ matrix_client_element_integrations_rest_url: "https://scalar.vector.im/api"
 matrix_client_element_integrations_widgets_urls: ["https://scalar.vector.im/api"]
 matrix_client_element_integrations_jitsi_widget_url: "https://scalar.vector.im/api/widgets/jitsi.html"
 matrix_client_element_permalink_prefix: "https://matrix.to"  # noqa var-naming
 matrix_client_element_mobile_guide_app_variant: "element"
 matrix_client_element_bug_report_endpoint_url: "https://element.io/bugreports/submit"
 matrix_client_element_show_lab_settings: true  # noqa var-naming
 # Element public room directory server(s)
--- a/roles/custom/matrix-client-element/templates/config.json.j2
+++ b/roles/custom/matrix-client-element/templates/config.json.j2
@@ -11,6 +11,7 @@
 	"setting_defaults": {
 		"custom_themes": {{ matrix_client_element_setting_defaults_custom_themes | to_json }}
 	},
 	"mobile_guide_app_variant": {{ matrix_client_element_mobile_guide_app_variant | string | to_json }},
 	"default_theme": {{ matrix_client_element_default_theme | string | to_json }},
 	"default_country_code": {{ matrix_client_element_default_country_code | string | to_json }},
 	"permalink_prefix": {{ matrix_client_element_permalink_prefix | string | to_json }},
--- a/roles/custom/matrix-client-fluffychat/defaults/main.yml
+++ b/roles/custom/matrix-client-fluffychat/defaults/main.yml
@@ -13,7 +13,7 @@ matrix_client_fluffychat_container_image_self_build_repo: "https://github.com/et
 matrix_client_fluffychat_container_image_self_build_version: "{{ 'main' if matrix_client_fluffychat_version == 'latest' else matrix_client_fluffychat_version }}"
 # renovate: datasource=docker depName=ghcr.io/etkecc/fluffychat-web
-matrix_client_fluffychat_version: v2.0.0
+matrix_client_fluffychat_version: v2.1.1
 matrix_client_fluffychat_docker_image: "{{ matrix_client_fluffychat_docker_image_registry_prefix }}etkecc/fluffychat-web:{{ matrix_client_fluffychat_version }}"
 matrix_client_fluffychat_docker_image_registry_prefix: "{{ 'localhost/' if matrix_client_fluffychat_container_image_self_build else matrix_client_fluffychat_docker_image_registry_prefix_upstream }}"
 matrix_client_fluffychat_docker_image_registry_prefix_upstream: "{{ matrix_client_fluffychat_docker_image_registry_prefix_upstream_default }}"
--- a/roles/custom/matrix-client-schildichat/defaults/main.yml
+++ b/roles/custom/matrix-client-schildichat/defaults/main.yml
@@ -19,7 +19,7 @@ matrix_client_schildichat_container_image_self_build_version: "{{ 'lite' if matr
 matrix_client_schildichat_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}"
 # renovate: datasource=docker depName=ghcr.io/etkecc/schildichat-web
-matrix_client_schildichat_version: 1.11.103-sc.0.test.0
+matrix_client_schildichat_version: 1.11.109-sc.0.test.0
 matrix_client_schildichat_docker_image: "{{ matrix_client_schildichat_docker_image_registry_prefix }}etkecc/schildichat-web:{{ matrix_client_schildichat_version }}"
 matrix_client_schildichat_docker_image_registry_prefix: "{{ 'localhost/' if matrix_client_schildichat_container_image_self_build else matrix_client_schildichat_docker_image_registry_prefix_upstream }}"
 matrix_client_schildichat_docker_image_registry_prefix_upstream: "{{ matrix_client_schildichat_docker_image_registry_prefix_upstream_default }}"
--- a/roles/custom/matrix-conduit/defaults/main.yml
+++ b/roles/custom/matrix-conduit/defaults/main.yml
@@ -19,7 +19,7 @@ matrix_conduit_docker_image_registry_prefix: "{{ matrix_conduit_docker_image_reg
 matrix_conduit_docker_image_registry_prefix_upstream: "{{ matrix_conduit_docker_image_registry_prefix_upstream_default }}"
 matrix_conduit_docker_image_registry_prefix_upstream_default: docker.io/
 # renovate: datasource=docker depName=matrixconduit/matrix-conduit
-matrix_conduit_docker_image_tag: "v0.10.8"
+matrix_conduit_docker_image_tag: "v0.10.9"
 matrix_conduit_docker_image_force_pull: "{{ matrix_conduit_docker_image.endswith(':latest') }}"
 matrix_conduit_base_path: "{{ matrix_base_data_path }}/conduit"
--- a/roles/custom/matrix-corporal/defaults/main.yml
+++ b/roles/custom/matrix-corporal/defaults/main.yml
@@ -16,7 +16,7 @@
 matrix_corporal_enabled: true
 # renovate: datasource=docker depName=ghcr.io/devture/matrix-corporal
-matrix_corporal_version: 3.1.4
+matrix_corporal_version: 3.1.7
 matrix_corporal_container_image_self_build: false
 matrix_corporal_container_image_self_build_repo: "https://github.com/devture/matrix-corporal.git"
--- a/roles/custom/matrix-dendrite/defaults/main.yml
+++ b/roles/custom/matrix-dendrite/defaults/main.yml
@@ -29,7 +29,7 @@ matrix_dendrite_docker_image_registry_prefix: "{{ 'localhost/' if matrix_dendrit
 matrix_dendrite_docker_image_registry_prefix_upstream: "{{ matrix_dendrite_docker_image_registry_prefix_upstream_default }}"
 matrix_dendrite_docker_image_registry_prefix_upstream_default: docker.io/
 # renovate: datasource=docker depName=matrixdotorg/dendrite-monolith
-matrix_dendrite_docker_image_tag: "v0.15.1"
+matrix_dendrite_docker_image_tag: "v0.15.2"
 matrix_dendrite_docker_image_force_pull: "{{ matrix_dendrite_docker_image.endswith(':latest') }}"
 matrix_dendrite_base_path: "{{ matrix_base_data_path }}/dendrite"
--- a/roles/custom/matrix-element-call/defaults/main.yml
+++ b/roles/custom/matrix-element-call/defaults/main.yml
@@ -21,7 +21,7 @@ matrix_element_call_enabled: false
 matrix_rtc_enabled: "{{ matrix_element_call_enabled }}"
 # renovate: datasource=docker depName=ghcr.io/element-hq/element-call
-matrix_element_call_version: v0.14.1
+matrix_element_call_version: v0.16.0
 matrix_element_call_scheme: https
--- a/roles/custom/matrix-rageshake/defaults/main.yml
+++ b/roles/custom/matrix-rageshake/defaults/main.yml
@@ -24,7 +24,7 @@ matrix_rageshake_path_prefix: /
 # There are no stable container image tags yet.
 # See: https://github.com/matrix-org/rageshake/issues/69
 # renovate: datasource=docker depName=ghcr.io/matrix-org/rageshake
-matrix_rageshake_version: 1.16.2
+matrix_rageshake_version: 1.16.3
 matrix_rageshake_base_path: "{{ matrix_base_data_path }}/rageshake"
 matrix_rageshake_config_path: "{{ matrix_rageshake_base_path }}/config"
--- a/roles/custom/matrix-static-files/defaults/main.yml
+++ b/roles/custom/matrix-static-files/defaults/main.yml
@@ -13,7 +13,7 @@ matrix_static_files_enabled: true
 matrix_static_files_identifier: matrix-static-files
 # renovate: datasource=docker depName=joseluisq/static-web-server
-matrix_static_files_version: 2.38.0
+matrix_static_files_version: 2.38.1
 matrix_static_files_base_path: "{{ matrix_base_data_path }}/{{ 'static-files' if matrix_static_files_identifier == 'matrix-static-files' else matrix_static_files_identifier }}"
 matrix_static_files_config_path: "{{ matrix_static_files_base_path }}/config"
@@ -172,10 +172,9 @@ matrix_static_files_file_matrix_client_property_m_tile_server_map_style_url: ""
 # Controls whether Element related entries (io.element.e2ee) should be added to the client well-known.
 # By default if any of the following change from their default this would be set to true:
-# `matrix_static_files_file_matrix_client_property_io_element_e2ee_default`
+# - `matrix_static_files_file_matrix_client_property_io_element_e2ee_default`
-# `matrix_static_files_file_matrix_client_property_io_element_e2ee_secure_backup_required`
+# - `matrix_static_files_file_matrix_client_property_io_element_e2ee_force_disable`
-# `matrix_static_files_file_matrix_client_property_io_element_e2ee_secure_backup_setup_methods`
+matrix_static_files_file_matrix_client_property_io_element_e2ee_entries_enabled: "{{ not matrix_static_files_file_matrix_client_property_io_element_e2ee_default or matrix_static_files_file_matrix_client_property_io_element_e2ee_force_disable }}"
 matrix_static_files_file_matrix_client_property_io_element_e2ee_entries_enabled: "{{ not matrix_static_files_file_matrix_client_property_io_element_e2ee_default or matrix_static_files_file_matrix_client_property_io_element_e2ee_secure_backup_required or matrix_static_files_file_matrix_client_property_io_element_e2ee_secure_backup_setup_methods | length > 0 }}"
 # Controls the io.element.e2ee/default property in the /.well-known/matrix/client file,
 # which instructs Element clients whether they should use End-to-End Encryption by default.
@@ -183,19 +182,6 @@ matrix_static_files_file_matrix_client_property_io_element_e2ee_entries_enabled:
 # See: https://github.com/element-hq/element-web/blob/develop/docs/e2ee.md
 matrix_static_files_file_matrix_client_property_io_element_e2ee_default: true
 # Controls the io.element.e2ee/secure_backup_required property in the /.well-known/matrix/client file,
 # which instructs Element clients whether they should require a secure backup set up before they can be used.
 # Setting this to true will update `/.well-known/matrix/client` and tell Element clients require a secure backup.
 # See: https://github.com/element-hq/element-web/blob/develop/docs/e2ee.md
 matrix_static_files_file_matrix_client_property_io_element_e2ee_secure_backup_required: false
 # Controls the io.element.e2ee/secure_backup_setup_methods property in the /.well-known/matrix/client file,
 # which instructs Element clients which backup methods from ["key", "passphrase"] should be used.
 # When an empty list is provided, Element clients default to using both.
 # Setting this to other than empty will update `/.well-known/matrix/client` and tell Element clients which method to use.
 # See: https://github.com/element-hq/element-web/blob/develop/docs/e2ee.md
 matrix_static_files_file_matrix_client_property_io_element_e2ee_secure_backup_setup_methods: []
 # Controls the io.element.e2ee/force_disable property in the /.well-known/matrix/client file,
 # which can be set to `true` to instruct Element clients whether to disable End-to-End Encryption by default
 # and to not show encryption related-settings in room settings.
--- a/roles/custom/matrix-static-files/templates/public/.well-known/matrix/client.j2
+++ b/roles/custom/matrix-static-files/templates/public/.well-known/matrix/client.j2
@@ -44,8 +44,6 @@
 	{% if matrix_static_files_file_matrix_client_property_io_element_e2ee_entries_enabled %},
 	"io.element.e2ee": {
 		"default": {{ matrix_static_files_file_matrix_client_property_io_element_e2ee_default|to_json }},
 		"secure_backup_required": {{ matrix_static_files_file_matrix_client_property_io_element_e2ee_secure_backup_required|to_json }},
 		"secure_backup_setup_methods": {{ matrix_static_files_file_matrix_client_property_io_element_e2ee_secure_backup_setup_methods|to_json }},
 		"force_disable": {{ matrix_static_files_file_matrix_client_property_io_element_e2ee_force_disable|to_json }}
 	}
 	{% endif %}
--- a/roles/custom/matrix-synapse-admin/defaults/main.yml
+++ b/roles/custom/matrix-synapse-admin/defaults/main.yml
@@ -25,7 +25,7 @@ matrix_synapse_admin_container_image_self_build: false
 matrix_synapse_admin_container_image_self_build_repo: "https://github.com/etkecc/synapse-admin.git"
 # renovate: datasource=docker depName=ghcr.io/etkecc/synapse-admin
-matrix_synapse_admin_version: v0.11.1-etke45
+matrix_synapse_admin_version: v0.11.1-etke47
 matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_registry_prefix }}etkecc/synapse-admin:{{ matrix_synapse_admin_version }}"
 matrix_synapse_admin_docker_image_registry_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_image_self_build else matrix_synapse_admin_docker_image_registry_prefix_upstream }}"
 matrix_synapse_admin_docker_image_registry_prefix_upstream: "{{ matrix_synapse_admin_docker_image_registry_prefix_upstream_default }}"
@@ -166,6 +166,8 @@ matrix_synapse_admin_path_prefix: /synapse-admin
 # This is unlike what it does when looking up YAML template files (no automatic parsing there).
 matrix_synapse_admin_configuration_default:
  restrictBaseUrl: "{{ matrix_synapse_admin_config_restrictBaseUrl }}"
  externalAuthProvider: "{{ matrix_synapse_admin_config_externalAuthProvider }}"
  corsCredentials: "{{ matrix_synapse_admin_config_corsCredentials }}"
  asManagedUsers: "{{ matrix_synapse_admin_config_asManagedUsers }}"
  menu: "{{ matrix_synapse_admin_config_menu }}"
@@ -197,7 +199,16 @@ matrix_synapse_admin_configuration: "{{ matrix_synapse_admin_configuration_defau
 # Controls the restrictBaseUrl configuration setting, which, if defined,
 # restricts the homeserver(s), so that the user can no longer define a homeserver manually during login.
-matrix_synapse_admin_config_restrictBaseUrl: "{{ [matrix_homeserver_url] }}"  # noqa var-naming
+matrix_synapse_admin_config_restrictBaseUrl: "{{ matrix_homeserver_url }}"  # noqa var-naming
 # Controls the externalAuthProvider configuration setting, which, if defined,
 # enables a special compatibility mode that works better for external auth providers like LDAP, MAS, etc.
 matrix_synapse_admin_config_externalAuthProvider: false  # noqa var-naming
 # Controls the corsCredentials configuration setting, which, if defined,
 # allows including credentials (cookies, authorization headers, or TLS client certificates) in requests
 # ref: https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API/Using_Fetch#including_credentials
 matrix_synapse_admin_config_corsCredentials: "same-origin"  # noqa var-naming
 # Controls the menu configuration setting, which, if defined, adds new menu items to the Synapse Admin UI.
 # The format is a list of objects, where each object has the following keys:
--- a/roles/custom/matrix-synapse-auto-compressor/defaults/main.yml
+++ b/roles/custom/matrix-synapse-auto-compressor/defaults/main.yml
@@ -12,8 +12,8 @@
 matrix_synapse_auto_compressor_enabled: true
-# renovate: datasource=docker depName=registry.gitlab.com/etke.cc/rust-synapse-compress-state
+# renovate: datasource=docker depName=registry.gitlab.com/mb-saces/rust-synapse-tools
-matrix_synapse_auto_compressor_version: v0.1.4
+matrix_synapse_auto_compressor_version: v0.0.3
 # note: UID/GID better to match the UID/GID of the Postgres container, but it doesn't really matter, as volumes are not used here
 matrix_synapse_auto_compressor_uid: ''
@@ -29,7 +29,7 @@ matrix_synapse_auto_compressor_container_image_self_build: false
 matrix_synapse_auto_compressor_container_image_self_build_repo: "https://github.com/matrix-org/rust-synapse-compress-state.git"
 matrix_synapse_auto_compressor_container_image_self_build_version: "{{ 'main' if matrix_synapse_auto_compressor_version == 'latest' else matrix_synapse_auto_compressor_version }}"
-matrix_synapse_auto_compressor_container_image: "{{ matrix_synapse_auto_compressor_container_image_registry_prefix }}etke.cc/rust-synapse-compress-state:{{ matrix_synapse_auto_compressor_version }}"
+matrix_synapse_auto_compressor_container_image: "{{ matrix_synapse_auto_compressor_container_image_registry_prefix }}mb-saces/rust-synapse-tools:{{ matrix_synapse_auto_compressor_version }}"
 matrix_synapse_auto_compressor_container_image_registry_prefix: "{{ 'localhost/' if matrix_synapse_auto_compressor_container_image_self_build else matrix_synapse_auto_compressor_container_image_registry_prefix_upstream }}"
 matrix_synapse_auto_compressor_container_image_registry_prefix_upstream: "{{ matrix_synapse_auto_compressor_container_image_registry_prefix_upstream_default }}"
 matrix_synapse_auto_compressor_container_image_registry_prefix_upstream_default: "registry.gitlab.com/"
--- a/roles/custom/matrix-synapse/defaults/main.yml
+++ b/roles/custom/matrix-synapse/defaults/main.yml
@@ -16,7 +16,7 @@ matrix_synapse_enabled: true
 matrix_synapse_github_org_and_repo: element-hq/synapse
 # renovate: datasource=docker depName=ghcr.io/element-hq/synapse
-matrix_synapse_version: v1.136.0
+matrix_synapse_version: v1.138.2
 matrix_synapse_username: ''
 matrix_synapse_uid: ''
@@ -135,10 +135,22 @@ matrix_synapse_ext_s3_storage_provider_data_path: "{{ matrix_synapse_ext_s3_stor
 matrix_synapse_container_client_api_port: 8008
 # Controls the `x_forwarded` setting for the "Insecure HTTP listener (Client API)".
 # We default this to `true`, because such insecure HTTP listeners are most likely behind a reverse-proxy (that handles TLS).
 matrix_synapse_container_client_api_x_forwarded: true
 matrix_synapse_container_federation_api_tls_port: 8448
 # Controls the `x_forwarded` setting for the "TLS-enabled federation listener".
 # We default this to `false`, because TLS-enabled listeners are likely to be exposed directly (instead of being behind a reverse-proxy).
 matrix_synapse_container_federation_api_tls_x_forwarded: false
 matrix_synapse_container_federation_api_plain_port: 8048
 # Controls the `x_forwarded` setting for the "Insecure federation listener".
 # We default this to `true`, because such insecure HTTP listeners are most likely behind a reverse-proxy (that handles TLS).
 matrix_synapse_container_federation_api_plain_x_forwarded: true
 # The base container network. It will be auto-created by this role if it doesn't exist already.
 matrix_synapse_container_network: ''
@@ -374,6 +386,10 @@ matrix_synapse_registration_shared_secret: "{{ matrix_synapse_macaroon_secret_ke
 matrix_synapse_allow_guest_access: false
 matrix_synapse_form_secret: "{{ matrix_synapse_macaroon_secret_key }}"
 # Controls how to reach server admin, used in ResouceLimitError
 matrix_synapse_admin_contact: ~
 matrix_synapse_max_upload_size_mb: 50
 # Controls whether local media should be removed under certain conditions, typically for the purpose of saving space.
@@ -561,6 +577,7 @@ matrix_synapse_include_profile_data_on_invite: true
 # User search behaviour
 matrix_synapse_user_directory_search_all_users: false
 matrix_synapse_user_directory_prefer_local_users: false
 matrix_synapse_user_directory_exclude_remote_users: false
 # Controls whether people with access to the homeserver can register by themselves.
 matrix_synapse_enable_registration: false
@@ -833,6 +850,10 @@ matrix_synapse_manhole_enabled: false
 # Enable support for Synapse workers
 matrix_synapse_workers_enabled: false
 # Controls the `x_forwarded` setting for the main `http` listener for Synapse workers.
 # We default this to `true`, because such insecure HTTP listeners are most likely behind a reverse-proxy (that handles TLS).
 matrix_synapse_worker_listeners_http_main_x_forwarded: true
 # Specifies worker configuration that should be used when workers are enabled.
 #
 # The possible values (as seen in `matrix_synapse_workers_presets`) are:
@@ -1597,7 +1618,9 @@ matrix_synapse_forgotten_room_retention_period: 28d
 matrix_synapse_user_ips_max_age: 28d
-matrix_synapse_rust_synapse_compress_state_docker_image: "{{ matrix_synapse_rust_synapse_compress_state_docker_image_registry_prefix }}mb-saces/rust-synapse-tools:v0.0.1"
+matrix_synapse_rust_synapse_compress_state_docker_image: "{{ matrix_synapse_rust_synapse_compress_state_docker_image_registry_prefix }}mb-saces/rust-synapse-tools:{{ matrix_synapse_rust_synapse_compress_state_docker_image_version }}"
 # renovate: datasource=docker depName=registry.gitlab.com/mb-saces/rust-synapse-tools
 matrix_synapse_rust_synapse_compress_state_docker_image_version: v0.0.3
 matrix_synapse_rust_synapse_compress_state_docker_image_registry_prefix: "{{ matrix_synapse_rust_synapse_compress_state_docker_image_registry_prefix_upstream }}"
 matrix_synapse_rust_synapse_compress_state_docker_image_registry_prefix_upstream: "{{ matrix_synapse_rust_synapse_compress_state_docker_image_registry_prefix_upstream_default }}"
 matrix_synapse_rust_synapse_compress_state_docker_image_registry_prefix_upstream_default: "registry.gitlab.com/"
--- a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2
+++ b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2
@@ -298,7 +298,7 @@ listeners:
    tls: true
    bind_addresses: ['::']
    type: http
-    x_forwarded: false
+    x_forwarded: {{ matrix_synapse_container_federation_api_tls_x_forwarded | to_json }}
    resources:
      - names: {{ matrix_synapse_federation_listener_resource_names|to_json }}
@@ -311,7 +311,7 @@ listeners:
    tls: false
    bind_addresses: ['::']
    type: http
-    x_forwarded: true
+    x_forwarded: {{ matrix_synapse_container_client_api_x_forwarded | to_json }}
    resources:
      - names: {{ matrix_synapse_http_listener_resource_names|to_json }}
@@ -324,7 +324,7 @@ listeners:
    tls: false
    bind_addresses: ['::']
    type: http
-    x_forwarded: true
+    x_forwarded: {{ matrix_synapse_container_federation_api_plain_x_forwarded | to_json }}
    resources:
      - names: {{ matrix_synapse_federation_listener_resource_names|to_json }}
@@ -391,7 +391,7 @@ manhole_settings:
 # How to reach the server admin, used in ResourceLimitError
 #
-#admin_contact: 'mailto:admin@example.com'
+admin_contact: {{ matrix_synapse_admin_contact | to_json }}
 # Global blocking
 #
@@ -2646,6 +2646,9 @@ user_directory:
    #
    prefer_local_users: {{ matrix_synapse_user_directory_prefer_local_users | to_json }}
    # If set to true, the search will only return local users. Defaults to false.
    exclude_remote_users: {{ matrix_synapse_user_directory_exclude_remote_users | to_json }}
 # User Consent configuration
 #
--- a/roles/custom/matrix-synapse/templates/synapse/worker.yaml.j2
+++ b/roles/custom/matrix-synapse/templates/synapse/worker.yaml.j2
@@ -46,7 +46,7 @@ worker_listeners:
 {% if http_resources|length > 0 %}
  - type: http
    bind_addresses: ['::']
-    x_forwarded: true
+    x_forwarded: {{ matrix_synapse_worker_listeners_http_main_x_forwarded | to_json }}
    port: {{ matrix_synapse_worker_details.port }}
    resources:
      - names: {{ http_resources|to_json }}
--- a/roles/custom/matrix_playbook_migration/tasks/main.yml
+++ b/roles/custom/matrix_playbook_migration/tasks/main.yml
@@ -10,7 +10,7 @@
  block:
    - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
- when: ansible_os_family == 'Debian' and matrix_playbook_docker_installation_enabled | bool and matrix_playbook_migration_debian_signedby_migration_enabled | bool
+- when: ansible_facts.os_family == 'Debian' and matrix_playbook_docker_installation_enabled | bool and matrix_playbook_migration_debian_signedby_migration_enabled | bool
  tags:
    - setup-all
    - install-all
@@ -19,7 +19,7 @@
  block:
    - ansible.builtin.include_tasks: "{{ role_path }}/tasks/debian_docker_signedby_migration.yml"
- when: ansible_os_family == 'Debian' and matrix_playbook_docker_installation_enabled | bool and matrix_playbook_migration_docker_trusted_gpg_d_migration_enabled | bool
+- when: ansible_facts.os_family == 'Debian' and matrix_playbook_docker_installation_enabled | bool and matrix_playbook_migration_docker_trusted_gpg_d_migration_enabled | bool
  tags:
    - setup-all
    - install-all
--- a/setup.yml
+++ b/setup.yml
@@ -84,6 +84,7 @@
    - custom/matrix-bridge-mx-puppet-instagram
    - custom/matrix-bridge-postmoogle
    - custom/matrix-bridge-sms
    - custom/matrix-bridge-steam
    - custom/matrix-bridge-heisenbridge
    - custom/matrix-bridge-hookshot
    - custom/matrix-bot-matrix-reminder-bot
		`@@ -0,0 +1,3 @@`
							`SPDX-FileCopyrightText: 2025 MDAD project contributors`

							`SPDX-License-Identifier: AGPL-3.0-or-later`