Add matrix-rustpush-bridge (iMessage)

Add the matrix-rustpush-bridge role, a Matrix <-> iMessage bridge built
on the mautrix-go bridgev2 framework using RustPush (OpenBubbles backend).

Unlike the existing mautrix-imessage/wsproxy bridge, it talks directly to
Apple's push notification service, so it needs neither a running Mac nor a
wsproxy on the homeserver. Each user supplies a hardware key extracted from a
Mac through the bridge bot's login flow.

The bridge uses its own bot username and puppet namespace (rustpushbot,
rustpush_*) so it does not collide with the wsproxy iMessage bridge.

This bridge is in early development and may have stability issues.

group_vars/matrix_servers

@@ -114,6 +114,8 @@ matrix_homeserver_container_extra_arguments_auto: |
     +
     (['--mount type=bind,src=' + matrix_mautrix_bluesky_config_path + '/registration.yaml,dst=/matrix-mautrix-bluesky-registration.yaml,ro'] if matrix_mautrix_bluesky_enabled else [])
     +
+    (['--mount type=bind,src=' + matrix_rustpush_bridge_config_path + '/registration.yaml,dst=/matrix-rustpush-bridge-registration.yaml,ro'] if matrix_rustpush_bridge_enabled else [])
+    +
     (['--mount type=bind,src=' + matrix_mautrix_discord_config_path + '/registration.yaml,dst=/matrix-mautrix-discord-registration.yaml,ro'] if matrix_mautrix_discord_enabled else [])
     +
     (['--mount type=bind,src=' + matrix_mautrix_slack_config_path + '/registration.yaml,dst=/matrix-mautrix-slack-registration.yaml,ro'] if matrix_mautrix_slack_enabled else [])
@@ -171,6 +173,8 @@ matrix_homeserver_app_service_config_files_auto: |
     +
     (['/matrix-mautrix-bluesky-registration.yaml'] if matrix_mautrix_bluesky_enabled else [])
     +
+    (['/matrix-rustpush-bridge-registration.yaml'] if matrix_rustpush_bridge_enabled else [])
+    +
     (['/matrix-mautrix-discord-registration.yaml'] if matrix_mautrix_discord_enabled else [])
     +
     (['/matrix-mautrix-slack-registration.yaml'] if matrix_mautrix_slack_enabled else [])
@@ -436,6 +440,13 @@ devture_systemd_service_manager_services_list_auto: |
       'groups': ['matrix', 'bridges', 'mautrix-bluesky'],
     }] if matrix_mautrix_bluesky_enabled else [])
     +
+    ([{
+      'name': 'matrix-rustpush-bridge.service',
+      'priority': 2000,
+      'restart_necessary': (matrix_rustpush_bridge_restart_necessary | bool),
+      'groups': ['matrix', 'bridges', 'matrix-rustpush-bridge'],
+    }] if matrix_rustpush_bridge_enabled else [])
+    +
     ([{
       'name': 'matrix-mautrix-discord.service',
       'priority': 2000,
@@ -1469,6 +1480,77 @@ matrix_mautrix_bluesky_database_password: "{{ (matrix_homeserver_generic_secret_
 #
 ######################################################################
 
+
+######################################################################
+#
+# matrix-bridge-rustpush
+#
+######################################################################
+
+# We don't enable bridges by default.
+matrix_rustpush_bridge_enabled: false
+
+matrix_rustpush_bridge_systemd_required_services_list_auto: |
+  {{
+    matrix_addons_homeserver_systemd_services_list
+    +
+    ([postgres_identifier ~ '.service'] if (postgres_enabled and matrix_rustpush_bridge_database_hostname == postgres_connection_hostname) else [])
+  }}
+
+matrix_rustpush_bridge_container_network: "{{ matrix_addons_container_network }}"
+
+matrix_rustpush_bridge_container_additional_networks_auto: |-
+  {{
+    (
+      ([] if matrix_addons_homeserver_container_network == '' else [matrix_addons_homeserver_container_network])
+      +
+      ([postgres_container_network] if (postgres_enabled and matrix_rustpush_bridge_database_hostname == postgres_connection_hostname and matrix_rustpush_bridge_container_network != postgres_container_network) else [])
+      +
+      ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network and matrix_rustpush_bridge_container_labels_traefik_enabled else [])
+    ) | unique
+  }}
+
+matrix_rustpush_bridge_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
+matrix_rustpush_bridge_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
+matrix_rustpush_bridge_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
+matrix_rustpush_bridge_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"
+
+matrix_rustpush_bridge_container_labels_metrics_middleware_basic_auth_enabled: "{{ matrix_metrics_exposure_http_basic_auth_enabled }}"
+matrix_rustpush_bridge_container_labels_metrics_middleware_basic_auth_users: "{{ matrix_metrics_exposure_http_basic_auth_users }}"
+
+matrix_rustpush_bridge_appservice_token: "{{ (matrix_homeserver_generic_secret_key + ':imsg.as.token') | hash('sha512') | to_uuid }}"
+
+matrix_rustpush_bridge_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
+matrix_rustpush_bridge_homeserver_token: "{{ (matrix_homeserver_generic_secret_key + ':imsg.hs.token') | hash('sha512') | to_uuid }}"
+
+matrix_rustpush_bridge_homeserver_async_media: "{{ matrix_homeserver_implementation in ['synapse'] }}"
+
+matrix_rustpush_bridge_provisioning_shared_secret: "{{ (matrix_homeserver_generic_secret_key + ':mau.imsg.prov') | hash('sha512') | to_uuid }}"
+
+matrix_rustpush_bridge_double_puppet_secrets_auto: |-
+  {{
+    ({
+      matrix_rustpush_bridge_homeserver_domain: ("as_token:" + matrix_appservice_double_puppet_registration_as_token)
+    })
+    if matrix_appservice_double_puppet_enabled
+    else {}
+  }}
+
+matrix_rustpush_bridge_metrics_enabled: "{{ prometheus_enabled or matrix_metrics_exposure_enabled }}"
+
+matrix_rustpush_bridge_metrics_proxying_enabled: "{{ matrix_rustpush_bridge_metrics_enabled and matrix_metrics_exposure_enabled }}"
+matrix_rustpush_bridge_metrics_proxying_hostname: "{{ matrix_metrics_exposure_hostname }}"
+matrix_rustpush_bridge_metrics_proxying_path_prefix: "{{ matrix_metrics_exposure_path_prefix }}/rustpush-bridge"
+
+matrix_rustpush_bridge_database_hostname: "{{ postgres_connection_hostname if postgres_enabled else '' }}"
+matrix_rustpush_bridge_database_password: "{{ (matrix_homeserver_generic_secret_key + ':mau.imsg.db') | hash('sha512') | to_uuid if postgres_enabled else '' }}"
+
+######################################################################
+#
+# /matrix-bridge-rustpush
+#
+######################################################################
+
 ######################################################################
 #
 # matrix-bridge-mautrix-discord
@@ -4052,6 +4134,12 @@ postgres_managed_databases_auto: |
       'password': matrix_mautrix_bluesky_database_password,
     }] if (matrix_mautrix_bluesky_enabled and matrix_mautrix_bluesky_database_engine == 'postgres' and matrix_mautrix_bluesky_database_hostname == postgres_connection_hostname) else [])
     +
+    ([{
+      'name': matrix_rustpush_bridge_database_name,
+      'username': matrix_rustpush_bridge_database_username,
+      'password': matrix_rustpush_bridge_database_password,
+    }] if (matrix_rustpush_bridge_enabled and matrix_rustpush_bridge_database_engine == 'postgres' and matrix_rustpush_bridge_database_hostname == postgres_connection_hostname) else [])
+    +
     ([{
       'name': matrix_mautrix_googlechat_database_name,
       'username': matrix_mautrix_googlechat_database_username,
@@ -4992,6 +5080,11 @@ matrix_ketesa_config_asManagedUsers_auto: |
       '^@bluesky_[a-zA-Z0-9]+:'+(matrix_domain | regex_escape)+'$',
     ] if matrix_mautrix_bluesky_enabled else [])
     +
+    ([
+      '^@'+(matrix_rustpush_bridge_appservice_bot_username | default('') | regex_escape)+':'+(matrix_domain | regex_escape)+'$',
+      '^@rustpush_[a-zA-Z0-9_.+-]+:'+(matrix_domain | regex_escape)+'$',
+    ] if matrix_rustpush_bridge_enabled else [])
+    +
     ([
       '^@'+(matrix_mautrix_discord_appservice_bot_username | default('') | regex_escape)+':'+(matrix_domain | regex_escape)+'$',
       '^@discord_[0-9]+:'+(matrix_domain | regex_escape)+'$',