mautrix publishes each release under two tag schemes: v0.YYMM.PATCH
(also used for git tags, due to Go's module path requirements for
major versions >= 2) and a calver vYY.MM[.PATCH] scheme that exists
only on the Docker registry.
We switched mautrix-signal to the calver scheme in 3564155a7, which
left it silently stuck at v26.02.2: the calver tags have an
inconsistent number of components (v26.02.2 vs v26.05), and Renovate's
docker versioning only offers updates between tags with the same
number of dot-separated parts. It also broke self-building, which uses
the version as a git ref, and calver tags do not exist in git.
Going back to the v0 scheme (used by all other mautrix bridges) fixes
both problems and upgrades signal from the February release to the
current May one.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The additional-networks connect loop in the kakaotalk systemd unit
template iterated over matrix_appservice_discord_container_additional_networks,
a copy-paste leftover from the discord bridge role. The host-network
guard added in #5310 mirrored the same wrong variable.
This means the kakaotalk container was being connected to the networks
computed for the discord bridge instead of its own, potentially leaving
it without access to its homeserver/database networks depending on the
discord bridge's configuration.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
* feat: support container_network=host across all roles + systemd templates
Mirror the pattern Slavi introduced for matrix-coturn (aafa8f0) across the
fork: every 'Ensure X container network is created' task gets a
'when: <var> not in ["", "host"]' guard so MDAD does not try to
docker_network create a network literally named 'host' (returns 403,
since host is a pre-defined Docker network).
Mirror the same guard in every systemd unit template that does
'ExecStartPre=docker network connect <addnet> <container>' loops over
matrix_<role>_container_additional_networks: skip the connects when the
container is on host networking (where additional --network attaches
are invalid).
Unblocks DiD setups where MDAD-managed containers share their host's
network namespace (matrix-mdad outer compose service joined to central
postgres/openldap networks) to reach external services on the outer
Docker daemon.
* Simplify container network guards (!= 'host') and fix duplicate when
Guarding on the empty string ('') as well was misleading: systemd unit
templates still render an unconditional --network= flag, so an empty
network value produces a broken docker create command. Only 'host' is
actually supported, so only guard on that. This also matches the
existing convention in the Traefik role
(when: traefik_container_network != 'host').
Also fix a duplicate when key in the meshtastic-relay role, where the
network-creation task already had a when condition - the two are now
combined into a list.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
---------
Co-authored-by: Slavi Pantaleev <slavi@devture.com>
Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
matrix_livekit_jwt_service_container_repo_version interpolated
livekit_server_version (the LiveKit Server role's version) instead of
this role's own matrix_livekit_jwt_service_version, so self-builds
checked out the wrong git tag.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
v0.5.0 makes LIVEKIT_FULL_ACCESS_HOMESERVERS a required setting and
drops the implicit `*` wildcard default upstream.
Split the full-access-homeservers list into _default/_auto/_custom
parts (following the convention used for other variables in this role),
with a sane _default of the homeserver's own domain. This also lets
group_vars/matrix_servers drop its now-redundant override.
Add a validate_config.yml check requiring the setting to be defined.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Introduces the `matrix_synapse_experimental_features_msc4429_enabled`
variable (disabled by default), allowing Synapse to notify clients
using the legacy /sync endpoint of profile changes for other users.
See <https://github.com/matrix-org/matrix-spec-proposals/pull/4429>
Signed-off-by: Norman Ziegner <n.ziegner@hzdr.de>
The derived `*_base_path` defaults concatenated `matrix_bot_maubot_path_prefix`
directly, producing `//v1` and `//plugin/` when users set the documented
`matrix_bot_maubot_path_prefix: /` (for serving on a dedicated subdomain),
which Traefik rejects. Apply the standard `'/' == path_prefix` guard already
used by other roles (honoroit, mautrix-discord, MAS, heisenbridge, etc.).
Reported by The Dark Wizard.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
LiveKit v1.12.0 tightens TURN security: credentials now carry a TTL,
and TURN no longer relays to restricted peer CIDRs by default. The
role defaults match upstream's secure defaults and are appropriate
for typical playbook deployments.
Bumps the migration-validation gate accordingly so users are pointed
at the CHANGELOG entry on next run.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Bart van der Braak
renovate[bot]
Slavi Pantaleev
Kevin Veen-Birkenbach
Norman Ziegner
Suguru Hirahara
Suguru Hirahara