Commit Graph
100 Commits
Author SHA1 Message Date
Slavi PantaleevandClaude Fable 5 0b5b472425 Catch and report bridge variables that use pre-rename prefixes
A single prefix-level catch in matrix_playbook_migration covers all
renamed bridge variable prefixes at once. It always runs (unlike the
per-role validate_config tasks, which only run when a role is enabled),
so a stale old-style _enabled variable cannot silently disable a bridge.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-16 16:12:14 +03:00
Slavi PantaleevandClaude Fable 5 24f5d66d4d Update generic bridge variable references for the new naming scheme
Renames the matrix_mautrix_SERVICENAME_* placeholders in the common
mautrix bridges guide to matrix_bridge_mautrix_SERVICENAME_*, and fixes
prose in the matrix-bridge-steam role that referred to the old variable
prefix and to a misspelled (underscore-styled) systemd service name.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-16 16:12:14 +03:00
Slavi PantaleevandClaude Fable 5 e3faabf125 Rename matrix_wechat_* variables to matrix_bridge_wechat_*
Part of adopting a uniform naming policy for bridge variables,
where the variable prefix matches the role directory name.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-16 16:12:14 +03:00
Slavi PantaleevandClaude Fable 5 129f5fda20 Rename matrix_steam_bridge_* variables to matrix_bridge_steam_*
Part of adopting a uniform naming policy for bridge variables,
where the variable prefix matches the role directory name.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-16 16:12:14 +03:00
Slavi PantaleevandClaude Fable 5 a77b8f6eab Rename matrix_sms_bridge_* variables to matrix_bridge_sms_*
Part of adopting a uniform naming policy for bridge variables,
where the variable prefix matches the role directory name.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-16 16:12:14 +03:00
Slavi PantaleevandClaude Fable 5 267d578393 Rename matrix_rustpush_bridge_* variables to matrix_bridge_rustpush_*
Part of adopting a uniform naming policy for bridge variables,
where the variable prefix matches the role directory name.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-16 16:12:14 +03:00
Slavi PantaleevandClaude Fable 5 b68674d5da Rename matrix_postmoogle_* variables to matrix_bridge_postmoogle_*
Part of adopting a uniform naming policy for bridge variables,
where the variable prefix matches the role directory name.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-16 16:12:14 +03:00
Slavi PantaleevandClaude Fable 5 ceb178008f Rename matrix_mx_puppet_steam_* variables to matrix_bridge_mx_puppet_steam_*
Part of adopting a uniform naming policy for bridge variables,
where the variable prefix matches the role directory name.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-16 16:12:14 +03:00
Slavi PantaleevandClaude Fable 5 7380cbdc3c Rename matrix_mx_puppet_groupme_* variables to matrix_bridge_mx_puppet_groupme_*
Part of adopting a uniform naming policy for bridge variables,
where the variable prefix matches the role directory name.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-16 16:12:14 +03:00
Slavi PantaleevandClaude Fable 5 97077e2f13 Rename matrix_meshtastic_relay_* variables to matrix_bridge_meshtastic_relay_*
Part of adopting a uniform naming policy for bridge variables,
where the variable prefix matches the role directory name.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-16 16:12:14 +03:00
Slavi PantaleevandClaude Fable 5 4d6b68a5da Rename matrix_mautrix_whatsapp_* variables to matrix_bridge_mautrix_whatsapp_*
Part of adopting a uniform naming policy for bridge variables,
where the variable prefix matches the role directory name.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-16 16:12:14 +03:00
Slavi PantaleevandClaude Fable 5 54020894b4 Rename matrix_mautrix_twitter_* variables to matrix_bridge_mautrix_twitter_*
Part of adopting a uniform naming policy for bridge variables,
where the variable prefix matches the role directory name.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-16 16:12:14 +03:00
Slavi PantaleevandClaude Fable 5 e751673b0d Rename matrix_mautrix_telegram_* variables to matrix_bridge_mautrix_telegram_*
Part of adopting a uniform naming policy for bridge variables,
where the variable prefix matches the role directory name.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-16 16:12:14 +03:00
Slavi PantaleevandClaude Fable 5 ace4edb01b Rename matrix_mautrix_slack_* variables to matrix_bridge_mautrix_slack_*
Part of adopting a uniform naming policy for bridge variables,
where the variable prefix matches the role directory name.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-16 16:12:14 +03:00
Slavi PantaleevandClaude Fable 5 bb225546bd Rename matrix_mautrix_signal_* variables to matrix_bridge_mautrix_signal_*
Part of adopting a uniform naming policy for bridge variables,
where the variable prefix matches the role directory name.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-16 16:12:14 +03:00
Slavi PantaleevandClaude Fable 5 ca301ffde0 Rename matrix_mautrix_meta_messenger_* variables to matrix_bridge_mautrix_meta_messenger_*
Part of adopting a uniform naming policy for bridge variables,
where the variable prefix matches the role directory name.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-16 16:12:14 +03:00
Slavi PantaleevandClaude Fable 5 ba0fd18361 Rename matrix_mautrix_meta_instagram_* variables to matrix_bridge_mautrix_meta_instagram_*
Part of adopting a uniform naming policy for bridge variables,
where the variable prefix matches the role directory name.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-16 16:12:14 +03:00
Slavi PantaleevandClaude Fable 5 5d19e75236 Rename matrix_mautrix_gvoice_* variables to matrix_bridge_mautrix_gvoice_*
Part of adopting a uniform naming policy for bridge variables,
where the variable prefix matches the role directory name.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-16 16:12:14 +03:00
Slavi PantaleevandClaude Fable 5 b2fb403d31 Rename matrix_mautrix_googlechat_* variables to matrix_bridge_mautrix_googlechat_*
Part of adopting a uniform naming policy for bridge variables,
where the variable prefix matches the role directory name.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-16 16:12:13 +03:00
Slavi PantaleevandClaude Fable 5 5ff45d47c3 Rename matrix_mautrix_gmessages_* variables to matrix_bridge_mautrix_gmessages_*
Part of adopting a uniform naming policy for bridge variables,
where the variable prefix matches the role directory name.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-16 16:12:13 +03:00
Slavi PantaleevandClaude Fable 5 2241a2dedb Rename matrix_mautrix_discord_* variables to matrix_bridge_mautrix_discord_*
Part of adopting a uniform naming policy for bridge variables,
where the variable prefix matches the role directory name.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-16 16:12:13 +03:00
Slavi PantaleevandClaude Fable 5 6768ada899 Rename matrix_mautrix_bluesky_* variables to matrix_bridge_mautrix_bluesky_*
Part of adopting a uniform naming policy for bridge variables,
where the variable prefix matches the role directory name.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-16 16:12:13 +03:00
Slavi PantaleevandClaude Fable 5 7ccc9c515e Rename matrix_hookshot_* variables to matrix_bridge_hookshot_*
Part of adopting a uniform naming policy for bridge variables,
where the variable prefix matches the role directory name.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-16 16:12:13 +03:00
Slavi PantaleevandClaude Fable 5 6e4992a2fe Rename matrix_heisenbridge_* variables to matrix_bridge_heisenbridge_*
Part of adopting a uniform naming policy for bridge variables,
where the variable prefix matches the role directory name.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-16 16:12:13 +03:00
Slavi PantaleevandClaude Fable 5 62b5375815 Rename matrix_beeper_linkedin_* variables to matrix_bridge_beeper_linkedin_*
Part of adopting a uniform naming policy for bridge variables,
where the variable prefix matches the role directory name.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-16 16:12:13 +03:00
Slavi PantaleevandClaude Fable 5 98269653b2 Rename matrix_appservice_irc_* variables to matrix_bridge_appservice_irc_*
Part of adopting a uniform naming policy for bridge variables,
where the variable prefix matches the role directory name.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-16 16:12:13 +03:00
Slavi PantaleevandClaude Fable 5 dc16f09e78 Rename matrix_appservice_discord_* variables to matrix_bridge_appservice_discord_*
Part of adopting a uniform naming policy for bridge variables,
where the variable prefix matches the role directory name.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-16 16:12:13 +03:00
Slavi PantaleevandClaude Fable 5 d9bee18ddd Rename matrix_mautrix_wsproxy_* variables to matrix_bridge_mautrix_wsproxy_*
Part of adopting a uniform naming policy for bridge variables,
where the variable prefix matches the role directory name.

The companion appservice variables defined by this role are folded
under the role prefix as well: matrix_mautrix_androidsms_* becomes
matrix_bridge_mautrix_wsproxy_androidsms_* and matrix_mautrix_imessage_*
becomes matrix_bridge_mautrix_wsproxy_imessage_*.

matrix_mautrix_signal_wsproxy_syncproxy_connection_string becomes
matrix_bridge_mautrix_wsproxy_syncproxy_connection_string, aligning it
with the sibling matrix_bridge_mautrix_wsproxy_syncproxy_* variables.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-16 16:12:13 +03:00
Slavi PantaleevandClaude Fable 5 84a0053191 Upgrade ansible-role-backup_borg (v1.4.4-2.1.6-1 -> v1.4.4-2.1.6-2) and wire via _auto variables
The new role version splits backup_borg_location_exclude_patterns into
auto/custom components, following the existing split for
backup_borg_location_source_directories. The playbook now wires its
computed values into the _auto variables for both, so users can append
their own entries via the _custom variables instead of redefining the
whole lists and accidentally dropping playbook-provided values.
Previously, redefining backup_borg_location_exclude_patterns dropped
the postgres_data_path exclusion (making borg walk live Postgres data
and fail with warning exit codes), and the playbook's own
source_directories wiring made the role's _custom variable a no-op.

Related to #5092

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-16 14:36:06 +03:00
Slavi PantaleevandClaude Fable 5 73a52c8a24 Make postgres_max_connections scale with the Synapse worker count
With workers enabled, every Synapse process (the main one and each
worker) maintains its own database connection pool of up to
matrix_synapse_database_cp_max (default: 10) connections. The previous
fixed limit of 500 left little headroom on setups running many workers,
where exhausting it manifests as degraded performance and, reportedly,
E2EE misbehavior.

Size the limit as a 200-connection baseline (for everything else that
talks to Postgres) plus cp_max connections per Synapse process, never
going below the previous value of 500. The stock worker presets stay at
500; setups that raise worker counts (or cp_max) get a limit that grows
accordingly. The new matrix_synapse_workers_total_count variable
reflects what the matrix_synapse_workers_*_count variables ask for; it
does not reflect a manually populated
matrix_synapse_workers_enabled_list, and such setups should override
postgres_max_connections themselves.

Fixes #4442

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-16 14:20:12 +03:00
Slavi PantaleevandClaude Fable 5 a1cdd367f5 Upgrade ansible-role-livekit-server (v1.13.3-1 -> v1.13.3-2)
The new version supports defining a multiplexed UDP port pool (e.g.
'7882-7892') in livekit_server_config_rtc_udp_port. Previously, the
role's configuration template silently mangled such values into
udp_port: 0. It also gains early validation of the port value.

Related to #5344

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-16 07:42:48 +03:00
Slavi PantaleevandClaude Fable 5 23783f87bc Clarify when disabling the federation port applies in the CDN guide
The CDN section of the federation documentation tells users to set
matrix_synapse_federation_port_enabled: false, which only works because
that recipe moves federation traffic to the client port. Followed
partially (keeping federation on the dedicated federation port behind a
fronting reverse proxy), the same line removes the federation route
entirely and breaks federation. Say so explicitly.

Fixes #4475

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-15 13:31:41 +03:00
Slavi PantaleevandClaude Fable 5 eb0af09bf5 Remove the appservice-kakaotalk bridge
The bridge could only be installed by self-building its source code,
and its upstream repository (on src.miscworks.net) has become
unreachable (the Internet Archive last saw it alive in May 2026),
making installation impossible. The bridge was also based on the
long-unmaintained node-kakao library and carried a warning that using
it may get KakaoTalk accounts banned.

The playbook catches leftover matrix_appservice_kakaotalk_* variables
and points users to the manual uninstallation instructions.

Related to #5068

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-15 13:31:41 +03:00
Slavi PantaleevandClaude Fable 5 376786b997 Upgrade ansible-role-livekit-server (v1.13.3-0 -> v1.13.3-1)
The new version adds livekit_server_config_rtc_ips_includes and
livekit_server_config_rtc_ips_excludes variables, controlling LiveKit's
rtc.ips.includes/excludes CIDR filters for RTC IP addresses.

Related to #4958

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-15 07:31:52 +03:00
Slavi PantaleevandClaude Fable 5 de1ba73f40 Add dedicated CAPTCHA variables to matrix-authentication-service
Matrix Authentication Service supports CAPTCHA protection (ReCaptcha
v2, Cloudflare Turnstile, hCaptcha) for certain operations like
self-service password registration, but configuring it required going
through matrix_authentication_service_configuration_extension_yaml.
Expose it via dedicated variables
(matrix_authentication_service_config_captcha_service, _site_key and
_secret_key), validate the service value and key presence, and document
the setup in the captcha documentation page, which so far only covered
Synapse and Dendrite.

Related to #5344

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-15 07:29:35 +03:00
Slavi PantaleevandClaude Fable 5 d2f1fa74cc Document homeserver requirements for hookshot's end-to-bridge encryption
Enabling matrix_hookshot_encryption_enabled configures the bridge side
correctly (registration flags, Valkey cache), but hookshot's encryption
also needs the homeserver to support and enable MSC2409 and MSC3202,
which are typically experimental features disabled by default. Nothing
documented that, so the resulting setup silently did not work.

Reference the MSCs in the variable's comment, and show the exact Synapse
settings in the hookshot documentation page. The playbook deliberately
does not auto-enable them: they are experimental homeserver-wide
features, and flipping them from a bridge toggle would be surprising.

Fixes #3861

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-15 06:01:27 +03:00
Slavi PantaleevandClaude Fable 5 62792b3670 Fix double-slash in Jitsi's Etherpad integration URLs
etherpad_base_url always ends with a trailing slash, and the playbook
passed it verbatim to jitsi_etherpad_base, which the Jitsi role appends
path segments to (e.g. /p/). The generated Jitsi configuration therefore
contained URLs like https://etherpad.example.com//p/, which can 404
depending on the web server. Strip trailing slashes when wiring.

Fixes #3471

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-14 15:16:31 +03:00
Slavi PantaleevandClaude Fable 5 a039cc5982 Upgrade ansible-role-grafana (v13.0.2-0 -> v13.0.2-1) and use grafana_dashboard_download_urls_auto
The new role release splits grafana_dashboard_download_urls into
default/auto/custom components. Wire the playbook's automatic dashboard
list via the auto component, so users can add their own dashboards
through grafana_dashboard_download_urls_custom without clobbering it.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-14 14:59:18 +03:00
Slavi PantaleevandClaude Fable 5 5a9e34c563 Document that Synapse cache autotuning limits apply per process
The autotuning defaults are derived from total system RAM, but every
Synapse process (the main one and each worker) applies the configured
limits independently, so worker setups multiply the theoretical
aggregate cache memory usage.

Fixes #3336

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-14 14:56:48 +03:00
Slavi PantaleevandClaude Fable 5 534631c1e7 Document Synapse database restore pitfalls per the official backup guide
Add the two remaining hints from the official Synapse backup guide:

- never import a dump into a database that already has tables present
  (at best it errors, at worst it causes subtle inconsistencies)
- when restoring a backup older than the server's current state,
  truncate e2e_one_time_keys_json before starting Synapse, so used
  one-time keys are not re-issued (which causes decryption errors);
  our pg_dumpall-based backup commands include that table

Fixes #4004

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-14 14:34:45 +03:00
Slavi PantaleevandClaude Fable 5 c7819f576a Remove the custom Element Web welcome page
Element Web redesigned its welcome page into a built-in component
(element-hq/element-web#33211, first released in spring 2026) and no
longer falls back to loading welcome.html. The custom page the playbook
installed had therefore silently stopped having any effect, and it was a
fork of an upstream file that upstream has deleted (its button icon
assets are already missing from current Element Web builds).

Remove the welcome.html shipping and the variables that only applied to
it (matrix_client_element_welcome_headline, _welcome_text,
_welcome_logo_link, _page_template_welcome_path), rejecting them in
validate_config.yml with pointers to the alternatives. Logo and
background customization keep working through Element Web's branding
options, which the new welcome page still honors. A fully custom page
can be self-hosted and wired via embedded_pages.welcome_url.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-14 07:49:39 +03:00
Slavi PantaleevandClaude Fable 5 a03faef70f Stop excluding Synapse's local_thumbnails from BorgBackup
Synapse only generates thumbnails of local media at upload time (unless
dynamic_thumbnails is enabled, which the playbook does not do) and no
tooling exists to regenerate them, so restoring a backup left all
previously uploaded local images without thumbnails permanently. The
official Synapse backup guide recommends backing this directory up.

Related to #4004.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-13 21:18:43 +03:00
Slavi PantaleevandClaude Fable 5 94d8e28306 Support readonly datastores for matrix-media-repo
The configuration template only rendered a datastore when its for_kinds
list was non-empty, even though the inline documentation (matching
upstream's) describes forKinds: [] as the way to make a datastore
readonly. That made the documented migration scenario impossible: moving
media between the file and s3 datastores while keeping the old one
readable.

Introduce matrix_media_repo_datastore_file_enabled and
matrix_media_repo_datastore_s3_enabled, which default to the previous
kinds-based behavior. A readonly datastore is now expressed by enabling
the datastore explicitly while assigning it no kinds.

Fixes #4303

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-13 21:17:09 +03:00
Slavi PantaleevandClaude Fable 5 6b4b7647e4 Fix synapse-usage-exporter self-build failing on git ownership checks
synapse-usage-exporter is self-built by default (no upstream image is
published), so every user enabling it runs the git clone/update task. A
docker-src checkout whose files are owned by a different user (e.g. left
behind by an earlier clone) made that task fail: either with a
permission error, or with git's dubious-ownership protection, which
ignores the repository's own configuration and surfaces as a confusing
"'origin' does not appear to be a git repository" error.

Ensure the checkout's ownership recursively before updating it, and mark
the path as a safe.directory for the git invocation itself (via
GIT_CONFIG_* environment variables), so the ownership check cannot
misfire regardless of which user git effectively runs as.

Fixes #5065

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-13 19:25:34 +03:00
Slavi PantaleevandClaude Fable 5 90d486c4f6 Correct CORS guidance for 302-redirect based well-known setup
The docs claimed that reverse-proxying "or simply a 302 redirect" needs
no CORS headers. That is only true for reverse-proxying: browsers apply
CORS checks to every response in a redirect chain, so a redirect
response itself must also carry Access-Control-Allow-Origin, otherwise
web clients fail even though the final destination sets the header.

Fixes #4650

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-13 16:35:07 +03:00
Slavi PantaleevandClaude Fable 5 2d436491c6 Escape mautrix-meta username prefix in registration regexes
The user-namespace regexes in the mautrix-meta-messenger and
mautrix-meta-instagram registration templates interpolated
the bridge username prefix without regex-escaping it, unlike the
neighboring homeserver domain and appservice username values. The
default prefixes are regex-safe, but a customized prefix containing
regex metacharacters would produce a wrong (too broad or invalid)
appservice user namespace.

Related to the registration regex discussion in #5096.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-13 16:34:31 +03:00
Slavi PantaleevandClaude Fable 5 8b9fe4ce37 Make Element welcome page text readable on the dark theme
The playbook-shipped welcome.html hardcoded #2e2f32 for the headline and
welcome text, which is nearly invisible on the dark background Element
renders when the dark theme is active. Element Web's default
use_system_theme behavior keys the theme off the system color scheme, so
switch the text to Element's dark-theme text color (#ebeef2) under a
prefers-color-scheme: dark media query.

Fixes #4838

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-13 16:33:55 +03:00
Slavi PantaleevandClaude Fable 5 639996d3a0 Upgrade ansible-role-backup_borg (v1.4.4-2.1.4-1 -> v1.4.4-2.1.6-1)
Pulls in borgmatic 2.1.6, fixing the 2.1.4 JSON parsing regression
(borgmatic-collective/borgmatic#1294) where warnings on stderr, such as
OpenSSH post-quantum key exchange notices, broke parsing of borg's JSON
output and failed the backup run.

Fixes #5188

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-13 16:33:03 +03:00
Slavi PantaleevandClaude Fable 5 f8539f4cbf Fix Traefik router name in SRV server delegation docs
The wildcard certificate examples attached tls.domains labels to a
router named matrix-synapse-federation-api, but the Synapse role
actually names it matrix-synapse-public-federation-api (see
templates/synapse/labels.j2), so the documented labels matched nothing
and the certificate configuration silently did not apply.

Fixes #3129

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-13 15:30:58 +03:00
Slavi PantaleevandClaude Fable 5 a4915c0b9e Remove never-implemented appservice-discord self-build variable
matrix_appservice_discord_container_image_self_build only switched the
image registry prefix to localhost/, but the role never had any build
tasks, so enabling it always ended in an image pull failure. Remove the
variable and reject it in validate_config.yml with a hint that the
prebuilt image is amd64-only and that mautrix-discord is the better
option on other architectures.

Fixes #2379

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-13 15:03:51 +03:00
Slavi PantaleevandClaude Fable 5 deb19c46a8 Document rsync as a server-side prerequisite for media store import
The import-synapse-media-store task synchronizes the media store with
ansible.posix.synchronize delegated to the server itself, which requires
the rsync binary on the server. Nothing in the playbook installs it, so
the import failed on minimal systems with "Failed to find required
executable rsync". Document the prerequisite.

Fixes #2551

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-13 15:03:05 +03:00
Slavi PantaleevandClaude Fable 5 2fe710bdb4 Document Caddy directive-order pitfall for well-known reverse-proxying
Caddy evaluates directives according to its own fixed directive order,
not their order in the Caddyfile. redir runs before reverse_proxy, so a
redirect elsewhere in the same site block silently shadows the
/.well-known/matrix reverse-proxying. Add a note and a handle-block
example that enforces the intended priority.

Fixes #1080

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-13 15:02:20 +03:00
Slavi PantaleevandClaude Fable 5 ee38b3aac2 Grant pg_monitor to the prometheus-postgres-exporter database user
The exporter's wal collector (enabled by default) calls pg_ls_waldir(),
which Postgres restricts to superusers and members of the pg_monitor
role. The exporter user is created as a plain managed-database user, so
scraping logged "permission denied for function pg_ls_waldir" on every
run.

Grant pg_monitor via the managed database's additional_sql_queries,
which the Postgres role applies both on initial creation and on
subsequent runs, covering existing installations too.

Fixes #3039

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-13 13:21:19 +03:00
Slavi PantaleevandClaude Opus 4.8 506d4ab4c9 Upgrade ansible-role-postgres (v18.4-0 -> v18.4-1)
Pulls in the pgloader connection string handling fix, which keeps the
Postgres password out of the command line and Ansible error output.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-13 09:01:00 +03:00
Slavi PantaleevandClaude Opus 4.8 44cfd16036 Add index label to Synapse worker Prometheus targets
The upstream Synapse Grafana dashboard uses `{{job}}-{{index}}` in its
legends to tell workers apart, but the worker scrape configs only set
instance, worker_id, job and app labels. Without an index label, the
dashboard legends collapsed and workers could not be distinguished.

Derive the index label from the worker id (its per-type index is the
first number in the id, e.g. federation-sender-1, stream-writer-2-events),
matching the index label already set on the main process target.

Fixes #2158
Fixes #2159

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-13 09:01:00 +03:00
Slavi PantaleevandClaude Opus 4.8 b32272ef40 Add CORS header to Element's map_style.json for Element Desktop
Element Desktop (Electron) loads the location-sharing map style from a
`vector://vector` origin, so fetching map_style.json from the Element
domain is a cross-origin request. Without an Access-Control-Allow-Origin
header, the request is blocked and maps fail to load with "This homeserver
is not configured correctly to display maps".

Add a dedicated Traefik router for map_style.json that attaches an
Access-Control-Allow-Origin header (configurable via
matrix_client_element_location_sharing_map_style_access_control_allow_origin,
defaulting to `*`). It is only defined when location sharing is enabled.

Fixes #2291

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-13 09:01:00 +03:00
Slavi PantaleevandClaude Fable 5 fa8c764708 Fix up devcontainer config (REUSE, strict JSON, image bump) and mention it in docs
- add SPDX licensing information for REUSE compliance
- drop the JSONC comment from devcontainer.json, keeping it strict JSON
  (as required by the check-json pre-commit hook)
- bump the base image to the current ghcr.io/devture/ansible release
- mention the dev container in docs/ansible.md

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-12 18:36:27 +03:00
Slavi Pantaleev fba605de34 Merge pull request #4365 from jonaharagon/devcontainer
Add devcontainer config
2026-07-12 18:34:16 +03:00
Slavi PantaleevandClaude Fable 5 0b966a4500 Update agru version label to match the locked v0.2.1 revision
flake.lock already pins agru at the v0.2.1 commit (via #5415);
this label only names the built derivation.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-12 18:24:05 +03:00
Slavi PantaleevandClaude Fable 5 aa97075f11 Enable Renovate nix support with flake.lock maintenance
This lets Renovate periodically refresh flake.lock, keeping the
nixpkgs and agru inputs of the development shell up to date.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-12 17:04:48 +03:00
Slavi Pantaleev 8368b21e6d Merge pull request #4979 from jack-wines/main
Add agru to flake.nix
2026-07-12 17:03:06 +03:00
Slavi PantaleevandClaude Fable 5 e6a8de7cec Document pulling the sudo password from pass via the passwordstore lookup
Based on https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/4219 by @mcnesium

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-12 16:52:18 +03:00
Slavi PantaleevandClaude Fable 5 7d2a2c40c9 Add matrix_matrixto_container_labels_watchtower_skip_enabled
Attaches a com.centurylinklabs.watchtower.enable=false label to the
matrix-matrixto container by default, telling Watchtower (if in use)
to skip it. The image is built locally from source, so Watchtower
cannot update it and merely produces 'digest retrieval failed' errors
on every run.

A dedicated variable is used (instead of pre-filling
matrix_matrixto_container_labels_additional_labels) so that people
overriding the additional-labels variable do not lose the label.

Fixes #4820

Based on the report and initial patch in
https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/4821 by @der-domi

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-12 16:37:12 +03:00
Slavi PantaleevandClaude Fable 5 7ae2f46bf7 Add Commet to the client list in configuring-playbook.md
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-12 16:35:08 +03:00
Slavi Pantaleev 7833006b07 Merge pull request #5005 from TheDataLeek/tdl/commet-docs
Add Commet client documentation
2026-07-12 16:33:27 +03:00
Slavi PantaleevandClaude Fable 5 eb6328e5e9 Fix role references in jitsi_jvb.yml
The galaxy roles were renamed to shorter install paths back in
c0595d6e4 (2023-11-19), but jitsi_jvb.yml was not updated, so running
it failed with 'role not found' ever since.

Reported in https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/5269 by @mcepl

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-12 16:23:05 +03:00
Slavi PantaleevandClaude Fable 5 80c2624454 Add add-inventory-host command for bootstrapping the inventory
Running `just add-inventory-host example.com 1.2.3.4` (or
`make add-inventory-host domain=example.com ip=1.2.3.4`) adds a new
host to the inventory, creating inventory/hosts and
inventory/host_vars/matrix.DOMAIN/vars.yml from the example files,
with strong secrets generated automatically.

Existing configuration is never overwritten. The command refuses to
run if the host is already in the inventory, so it can also be used
for adding more hosts later.

Based on the idea proposed in
https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/4682 by @Ser5

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-12 16:08:09 +03:00
Slavi PantaleevandClaude Fable 5 fc473797cd Disable broken container healthcheck for matrix-sygnal
The sygnal container images (since v0.16.0) hardcode a HEALTHCHECK which
relies on curl, but the image does not include curl, so the healthcheck
can never pass. See https://github.com/element-hq/sygnal/issues/326

This unblocks upgrading sygnal past v0.15.1.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-12 15:17:48 +03:00
Slavi Pantaleev b57ac50c81 Merge pull request #5288 from luixxiul/remove-matrix-bot-matrix-registration-bot
Remove matrix-registration-bot
2026-07-12 14:49:12 +03:00
Slavi PantaleevandClaude Fable 5 19a775ef7e Upgrade Continuwuity (v0.5.10 -> v26.6.1) and re-sync its config template
This is a major upgrade which performs a one-way database migration
and removes LDAP support upstream.

The continuwuity.toml.j2 template is re-synced with the v26.6.1 example
config. Notably, registration_token is now only rendered when non-empty,
because v26+ refuses to start when it is set to an empty string.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-12 14:43:17 +03:00
Slavi PantaleevandClaude Opus 4.8 aa1b130a23 Announce Synology DSM support in the changelog
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-29 20:10:45 +03:00
Slavi PantaleevandClaude Opus 4.8 4f9346e182 i18n: pin docutils back to 0.22.4 (myst-parser 5.1.0 requires <0.23)
The docutils 0.23 bump conflicts with myst-parser==5.1.0, which requires
docutils>=0.20,<0.23, making the i18n venv unresolvable and breaking the
translation template extraction job.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-29 19:29:08 +03:00
Slavi PantaleevandClaude Opus 4.8 1789ea2083 mautrix-telegram: stop flagging matrix_mautrix_telegram_scheme as a removed variable
The bridgev2 (Go) rewrite removed matrix_mautrix_telegram_scheme (the old
Python bridge's public web-login endpoint scheme) and added a deprecation
check for it. We later reintroduced a variable of the same name to configure
the bridge's HTTP API exposure address, but the deprecation entry remained.

Because the check matches any defined variable (via ansible.builtin.varnames),
not just user-set ones, it tripped for every install with the Telegram bridge
enabled, even when the user never set it.

Drop the deprecation entry, since the variable is a current one again. The
related (still removed) matrix_mautrix_telegram_hostname and
matrix_mautrix_telegram_path_prefix entries are kept.

Closes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/5368
Regression since d2252db4fe

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-29 19:06:29 +03:00
Slavi PantaleevandClaude Opus 4.8 00f39e3b1d Document mautrix bridge HTTP API exposure (for mautrix-manager and similar)
Add a "Expose the bridge's API" section to the common mautrix bridges
documentation page (covering the /bridges/<bridge> path, the
/.well-known/matrix/mautrix auto-discovery file, how to disable it, and
the custom-bridges hook), plus a CHANGELOG entry announcing the feature.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-29 19:05:16 +03:00
Slavi PantaleevandClaude Opus 4.8 4aca22dd96 matrix-static-files: advertise exposed mautrix bridges via /.well-known/matrix/mautrix
Emit a /.well-known/matrix/mautrix file listing the base URLs of all
enabled and exposed mautrix bridges under the `fi.mau.bridges` property,
so tools like Mautrix Manager (https://github.com/mautrix/manager) can
auto-discover them.

The list is built in group_vars from each bridge's public address and is
gated on the bridge being enabled, the playbook attaching its Traefik
labels, and the exposure router being emitted, so we only advertise URLs
that are actually reachable. The file follows the same auto/custom and
configuration-extension pattern as the other well-known files and is only
written when the list is non-empty.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-29 17:05:55 +03:00
Slavi PantaleevandClaude Opus 4.8 2879a01105 mautrix-slack: expose bridge HTTP API (for mautrix-manager and similar)
Unlike the other mautrix bridges, the mautrix-slack role had no Traefik
label infrastructure at all, so this builds the scaffold first (a new
labels.j2, the container_labels_traefik_* vars, the label-file wiring in
the systemd service and setup_install.yml, and the group_vars wiring),
then exposes the bridge's appservice HTTP API under
https://matrix.<domain>/bridges/slack like the other bridges.

The provisioning shared secret was already auto-generated.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-29 09:08:57 +03:00
Slavi PantaleevandClaude Opus 4.8 42c173c0b3 mautrix-meta-messenger: expose bridge HTTP API (for mautrix-manager and similar)
Auto-generate the provisioning shared secret (to enable the provisioning
API), route the whole bridge HTTP port via Traefik under
`<matrix-fqn>/bridges/meta-messenger`, and populate
appservice.public_address, reusing the matrix_bridges_exposure_*
mechanism. The labels template gate is widened so the exposure router is
emitted even when metrics are disabled (the exposure router reuses the
existing appservice Traefik service on port 29319).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-28 20:17:47 +03:00
Slavi PantaleevandClaude Opus 4.8 20a2395403 mautrix-meta-instagram: expose bridge HTTP API (for mautrix-manager and similar)
Auto-generate the provisioning shared secret (to enable the provisioning
API), route the whole bridge HTTP port via Traefik under
`<matrix-fqn>/bridges/meta-instagram`, and populate
appservice.public_address, reusing the matrix_bridges_exposure_*
mechanism. The labels template gate is widened so the exposure router is
emitted even when metrics are disabled (the exposure router reuses the
existing appservice Traefik service on port 29319).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-28 20:15:57 +03:00
Slavi PantaleevandClaude Opus 4.8 1b9b1119a1 mautrix-whatsapp: expose bridge HTTP API (for mautrix-manager and similar)
Auto-generate the provisioning shared secret (to enable the provisioning
API), route the whole mautrix-whatsapp HTTP port via Traefik under
`<matrix-fqn>/bridges/whatsapp`, and populate appservice.public_address,
reusing the matrix_bridges_exposure_* mechanism.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-28 20:11:30 +03:00
Slavi PantaleevandClaude Opus 4.8 2d7058fa59 mautrix-bluesky: expose bridge HTTP API (for mautrix-manager and similar)
Route the whole mautrix-bluesky HTTP port via Traefik under
`<matrix-fqn>/bridges/bluesky` and populate the existing
appservice.public_address, reusing the matrix_bridges_exposure_*
mechanism. The provisioning shared secret is already auto-generated in
group_vars, so the provisioning API is enabled.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-28 20:09:43 +03:00
Slavi PantaleevandClaude Opus 4.8 44c8736c08 mautrix-twitter: expose bridge HTTP API (for mautrix-manager and similar)
Route the whole mautrix-twitter HTTP port via Traefik under
`<matrix-fqn>/bridges/twitter` and populate the existing
appservice.public_address, reusing the matrix_bridges_exposure_*
mechanism. The provisioning shared secret is already auto-generated in
group_vars, so the provisioning API is enabled.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-28 20:08:11 +03:00
Slavi PantaleevandClaude Opus 4.8 a50e7960d8 mautrix-signal: expose bridge HTTP API (for mautrix-manager and similar)
Route the whole mautrix-signal HTTP port via Traefik under
`<matrix-fqn>/bridges/signal` and populate appservice.public_address,
reusing the matrix_bridges_exposure_* mechanism. The provisioning shared
secret is already auto-generated in group_vars, so the provisioning API
is enabled.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-28 20:05:18 +03:00
Slavi PantaleevandClaude Opus 4.8 d2252db4fe mautrix-telegram: expose bridge HTTP API (for mautrix-manager and similar)
Route the whole mautrix-telegram HTTP port via Traefik under
`<matrix-fqn>/bridges/telegram` and populate appservice.public_address,
reusing the matrix_bridges_exposure_* mechanism. The provisioning shared
secret is already auto-generated in group_vars, so the provisioning API
is enabled.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-28 19:56:24 +03:00
Slavi PantaleevandClaude Opus 4.8 a4ddba3989 mautrix-gmessages: expose bridge HTTP API (for mautrix-manager and similar)
Add a generic mechanism for exposing bridges' HTTP API (the provisioning
API, etc.) publicly on the Matrix domain, so tools like mautrix-manager
(https://github.com/mautrix/manager) can drive bridge login.

- Introduce global matrix_bridges_exposure_* vars (on by default),
  exposing each supported bridge under `<matrix-fqn>/bridges/<bridge>`.
- mautrix-gmessages: make the provisioning shared secret configurable
  (auto-generated in group_vars) so the provisioning API is enabled,
  route the whole bridge HTTP port via Traefik, and populate
  appservice.public_address.

Requests are authenticated by the bridge itself (per-user Matrix access
token for the provisioning API, homeserver token for the appservice
endpoints), not by the reverse proxy.

This is the first bridge converted; the other mautrix bridges will follow.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-28 19:52:24 +03:00
Slavi PantaleevandClaude Opus 4.8 e43add179b Add matrix_tuwunel_config_ip_range_denylist (mirrors tuwunel's upstream default)
As of tuwunel v1.8.0, the ip_range_denylist applies to push gateway
delivery as well, so surface it as an Ansible variable using the
default/auto/custom merge pattern. The default mirrors tuwunel's own
upstream denylist (RFC1918, loopback, multicast, and other unroutable
ranges), matching the identical list already used for Synapse's
matrix_synapse_url_preview_ip_range_blacklist.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-27 20:39:16 +03:00
Slavi PantaleevandClaude Opus 4.8 08c733d2e3 matrix-bridge-rustpush: build from upstream's own Dockerfile on self-build
The role shipped its own copy of the bridge's Dockerfile and templated it
over the cloned source before building. That copy had already drifted from
upstream (e.g. missing libheif-plugin-libde265) and required separate
maintenance (Renovate bumping the base image here instead of upstream).

Build from the cloned repo's own Dockerfile instead, matching every other
self-build role (e.g. matrix-bridge-steam). The Dockerfile now tracks the
pinned bridge version automatically.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-24 12:13:04 +03:00
Slavi PantaleevandClaude Opus 4.8 424c323d03 Announce matrix-rustpush-bridge (iMessage) in the changelog
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-24 11:45:20 +03:00
Slavi PantaleevandClaude Opus 4.8 4f00ad9bd4 Add support for additional volumes for the livekit-jwt-service component
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-24 07:38:22 +03:00
Slavi PantaleevandClaude Opus 4.8 731804ba32 Update LiveKit Server (v1.12.0-0 → v1.13.1-0)
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-15 08:50:34 +03:00
Slavi PantaleevandClaude Fable 5 ec6e006b42 Update Prometheus (v3.12.0-0 → v3.12.0-1)
Adds validation that catches old-style prometheus_process_extra_arguments
overrides which lose the --config.file default.

See https://github.com/mother-of-all-self-hosting/ansible-role-prometheus/issues/35

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-12 08:47:26 +03:00
Slavi PantaleevandClaude Fable 5 67663be7a9 Restrict Renovate to the v0 tag scheme for mautrix images
Prevents Renovate from proposing "major" updates to the registry-only
calver tags (vYY.MM[.PATCH]), which break further updates and
self-building. See the previous commit for details.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-10 23:59:09 +03:00
Slavi PantaleevandClaude Fable 5 45c3b751d9 Switch mautrix-signal back to the v0 versioning scheme (v0.2605.0)
mautrix publishes each release under two tag schemes: v0.YYMM.PATCH
(also used for git tags, due to Go's module path requirements for
major versions >= 2) and a calver vYY.MM[.PATCH] scheme that exists
only on the Docker registry.

We switched mautrix-signal to the calver scheme in 3564155a7, which
left it silently stuck at v26.02.2: the calver tags have an
inconsistent number of components (v26.02.2 vs v26.05), and Renovate's
docker versioning only offers updates between tags with the same
number of dot-separated parts. It also broke self-building, which uses
the version as a git ref, and calver tags do not exist in git.

Going back to the v0 scheme (used by all other mautrix bridges) fixes
both problems and upgrades signal from the February release to the
current May one.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-10 23:58:30 +03:00
Slavi PantaleevandClaude Fable 5 ce8beb5e9d Fix matrix-appservice-kakaotalk referencing appservice-discord network variables
The additional-networks connect loop in the kakaotalk systemd unit
template iterated over matrix_appservice_discord_container_additional_networks,
a copy-paste leftover from the discord bridge role. The host-network
guard added in #5310 mirrored the same wrong variable.

This means the kakaotalk container was being connected to the networks
computed for the discord bridge instead of its own, potentially leaving
it without access to its homeserver/database networks depending on the
discord bridge's configuration.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-10 23:50:11 +03:00
Slavi PantaleevandClaude Opus 4.8 a7be5a2088 Fix self-build git ref for LiveKit JWT Service
matrix_livekit_jwt_service_container_repo_version interpolated
livekit_server_version (the LiveKit Server role's version) instead of
this role's own matrix_livekit_jwt_service_version, so self-builds
checked out the wrong git tag.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-04 10:17:07 +03:00
Slavi PantaleevandClaude Opus 4.8 738bff7a00 Upgrade LiveKit JWT Service (lk-jwt-service) to v0.5.0
v0.5.0 makes LIVEKIT_FULL_ACCESS_HOMESERVERS a required setting and
drops the implicit `*` wildcard default upstream.

Split the full-access-homeservers list into _default/_auto/_custom
parts (following the convention used for other variables in this role),
with a sane _default of the homeserver's own domain. This also lets
group_vars/matrix_servers drop its now-redundant override.

Add a validate_config.yml check requiring the setting to be defined.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-04 10:08:26 +03:00
Slavi Pantaleev 05ac6d7a3b Make sure network.api_id is provided as an integer to mautrix-telegram
Otherwise "login phone" results in: "Failed to submit input: send code: rpc error code 400: API_ID_INVALID"
2026-05-22 22:55:15 +03:00
Slavi PantaleevandClaude Opus 4.7 4a026285b5 matrix-tuwunel: update cache_capacity_modifier docs example for v1.7.0
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/5262

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 22:20:15 +03:00
Slavi PantaleevandClaude Opus 4.7 8751e34ede matrix-bot-maubot: avoid double slash in base paths when path_prefix is /
The derived `*_base_path` defaults concatenated `matrix_bot_maubot_path_prefix`
directly, producing `//v1` and `//plugin/` when users set the documented
`matrix_bot_maubot_path_prefix: /` (for serving on a dedicated subdomain),
which Traefik rejects. Apply the standard `'/' == path_prefix` guard already
used by other roles (honoroit, mautrix-discord, MAS, heisenbridge, etc.).

Reported by The Dark Wizard.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 12:22:15 +03:00
Slavi PantaleevandClaude Opus 4.7 f71080a72a Remove useless group_vars/matrix_servers overrides
These variables were being assigned in group_vars/matrix_servers to
values byte-identical (or functionally identical) to what the
respective role's defaults/main.yml already provides.

Beyond just being noise, such redundant overrides cause drift over
time. When a role's default is later updated to something saner or
better (for example, switched from a hardcoded value to a derivation
from another variable), the matching line in group_vars/matrix_servers
stays frozen at the old value and silently defeats the improvement,
because group_vars beats role defaults in Ansible's precedence order.

The maubot management hostname fix in
https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/5248
is an example of this: the role default had been improved to derive
from matrix_bot_maubot_hostname, but the stale group_vars override
held it back to matrix_server_fqn_matrix.

Removing these overrides lets the role defaults do their job.

Closes https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/5248

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-19 09:09:57 +03:00
Slavi PantaleevandClaude Opus 4.7 eb79e2180d Update LiveKit Server role to v1.12.0-0
LiveKit v1.12.0 tightens TURN security: credentials now carry a TTL,
and TURN no longer relays to restricted peer CIDRs by default. The
role defaults match upstream's secure defaults and are appropriate
for typical playbook deployments.

Bumps the migration-validation gate accordingly so users are pointed
at the CHANGELOG entry on next run.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-18 09:25:30 +03:00