Commit Graph
100 Commits
Author SHA1 Message Date
Slavi Pantaleev 446597aac9 Upgrade exim-relay (v4.98.1-r0-2-3 -> v4.99.1-r0-0-0) 2026-03-20 02:41:38 +02:00
Slavi PantaleevandClaude Opus 4.6 b942715469 fix(self-check): respect path_prefix in web client self-check URLs
Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/5051

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-19 23:31:13 +02:00
Slavi PantaleevandClaude Opus 4.6 12af6da9d0 matrix-authentication-service: add UNIX socket support for playbook-managed Postgres
MAS now connects to the playbook-managed Postgres via a UNIX socket by
default (when available), matching the approach already used by Synapse.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-19 01:05:10 +02:00
Slavi Pantaleev f0a5393d48 fix(s3): use postgres unix socket for migrate and shell commands 2026-03-18 15:21:06 +02:00
Slavi Pantaleev 68aca96cbd docs: clarify database_host ignored when postgres sockets are enabled 2026-03-18 15:21:03 +02:00
Slavi Pantaleev a000abdf19 postgres: stop disabling unix socket support 2026-03-17 15:35:02 +02:00
Slavi Pantaleev b596319a4a postgres: drop redundant cli socket override 2026-03-17 15:35:02 +02:00
Slavi Pantaleev f0906e79a9 matrix-synapse: gate postgres sockets on postgres role support 2026-03-17 15:35:02 +02:00
Slavi Pantaleev 2fff4b5b88 matrix-synapse: use clearer socket mount paths 2026-03-17 15:35:02 +02:00
Slavi Pantaleev e09ea540a0 matrix-synapse: prefer local sockets for db connections 2026-03-17 15:35:02 +02:00
Slavi Pantaleev bd614abd30 matrix-synapse: avoid network wiring for socket-based db access 2026-03-17 15:35:02 +02:00
Slavi Pantaleev b6f8a59b50 matrix-synapse: make managed service topology explicit 2026-03-17 15:35:02 +02:00
Slavi Pantaleev f9811a0e0a matrix-authentication-service: mount Synapse Postgres socket for syn2mas
syn2mas reads Synapse's homeserver.yaml and reuses the database
connection details from there.

When Synapse is configured to reach the integrated Postgres over a UNIX socket,
the temporary syn2mas container was given the config file but not the socket mount,
so migrations could fail even though Synapse itself was configured correctly.

Wire the Synapse socket settings into MAS via playbook vars and mount
the same socket path into the syn2mas container, so migrations work in
socket-based deployments without coupling the MAS role directly to
Synapse role variables.
2026-03-16 22:43:02 +02:00
Slavi Pantaleev 1dac2b5c14 matrix-bridge-hookshot: normalize generated passkey ownership
Similar to c6d33b819. See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/5033
2026-03-16 16:50:40 +02:00
Slavi Pantaleev c6d33b819a matrix-authentication-service: normalize generated key ownership
Fix host-generated MAS key ownership and mode after creation so installs recover cleanly when become_user is not honored. Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/5033
2026-03-16 16:49:51 +02:00
Slavi Pantaleev 5df7e678f7 matrix-synapse: add an explicit msc4306 feature toggle
Expose Synapse's `msc4306_enabled` experimental flag as a first-class MDAD
variable and wire it into `homeserver.yaml` alongside the other experimental
feature toggles.

This makes thread-subscriptions support explicit in playbook configuration,
rather than requiring operators to inject the upstream flag via raw
`matrix_synapse_configuration_extension_yaml`.

The variable intentionally controls only the Synapse feature flag. It does not
change the default `thread_subscriptions` worker count, which remains `0` in the
standard presets. Keeping those as separate choices avoids auto-starting an
experimental worker just because the upstream feature toggle is enabled.

Refs:
- https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/synapse/config/experimental.py#L600-L602
- https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/synapse/rest/client/versions.py#L183-L184
2026-03-15 01:26:53 +02:00
Slavi Pantaleev 9af79ce4d2 matrix-synapse: support thread_subscriptions stream writers
Add `thread_subscriptions` as a supported web-facing stream writer in MDAD and
route its unstable client endpoints via the same explicit writer-or-main model
used for the other web-facing stream-backed APIs.

This is not just another generic worker route. Current Synapse gives thread
subscriptions their own `writers.thread_subscriptions` configuration, backs them
with a multi-writer stream, and asserts on store writes that the current
instance is an allowed thread-subscriptions writer.

Explicit early routing is also required here because the subscription endpoint is
room-scoped. In MDAD's specialized-worker model, the existing room-worker regex
would otherwise match `/_matrix/client/unstable/io.element.msc4306/rooms/...`
and steal the request before it reached the correct writer-or-main fallback.

Unlike `device_lists`, support is added without enabling a thread-subscriptions
worker by default in the standard presets. The underlying MSC4306/4308 feature
remains unstable and disabled by default upstream, so the conservative default
is to keep the worker count at `0` and let the new explicit routes fall back to
`main` unless an operator opts in.

Refs:
- https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/synapse/config/workers.py#L175-L182
- https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/synapse/rest/client/thread_subscriptions.py#L38-L247
- https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/synapse/storage/databases/main/thread_subscriptions.py#L66-L83
- https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/synapse/storage/databases/main/thread_subscriptions.py#L192-L322
2026-03-15 01:16:24 +02:00
Slavi Pantaleev 0f687a69c5 matrix-synapse: simplify redundant SSO main-override regexes
MDAD keeps `/_synapse/client/*` out of the broad worker-routing model.
Those paths are mounted by current Synapse on client-serving workers, but MDAD's
worker route buckets only match `/_matrix/client/*`, so `/_synapse/client/*`
requests already fall through to the main-process default.

That made the `/_synapse/client/*` branches in the dedicated SSO override regex
redundant. Remove those branches and leave the explicit SSO override focused on
the real `/_matrix/client/.../login/sso/redirect` path family, which would
otherwise be caught by the broad `/login` client-reader routing.

This also removes duplicated ownership of `login/sso/redirect` from the generic
main-override regex so the dedicated SSO override is the single place that
models that path.

Refs:
- https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/synapse/app/generic_worker.py#L197-L203
- https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/synapse/rest/synapse/client/__init__.py#L39-L90
- https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/synapse/rest/client/login.py#L636-L643
2026-03-15 01:02:19 +02:00
Slavi Pantaleev ec36904671 matrix-synapse: route MSC3814 dehydrated-device APIs to workers
Add the unstable MSC3814 dehydrated-device endpoints to both MDAD
worker-routing models:

- the specialized client_reader bucket
- the broad generic_worker route list

This is not a docs-driven change. Current workers.md does not meaningfully
spell out these paths, but the current Synapse code does mount them via the
normal devices servlet registration path, and non-main client workers do not
skip that servlet group.

That makes these endpoints a good fit for the same worker buckets that already
handle the surrounding device- and E2EE-related client APIs.

Refs:
- https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/docs/workers.md#synapseappgeneric_worker
- https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/synapse/rest/client/devices.py#L256-L459
- https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/synapse/rest/__init__.py#L81-L129
- https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/synapse/rest/__init__.py#L179-L197
2026-03-15 00:39:25 +02:00
Slavi Pantaleev 69df322f40 matrix-synapse: split client_reader routes into grouped regexes
The client_reader route bucket had collapsed into one long alternation,
which made small worker-audit edits hard to review. Any endpoint change
rewrote the whole regex and obscured whether we were changing routing
policy or just maintaining the route list.

Refactor the variable into grouped regex entries with comments instead.
This keeps the current specialized-worker policy intact: nginx still
renders the client_reader locations in the same block, and the routes
still target the same upstream bucket. The goal here is to make future
doc/code audits, additions, and removals mechanical and reviewable.

This also matches MDAD's current worker model, where generic workers are
not mixed with the specialized room/sync/client/federation reader
routing buckets, so there is no need to derive this from the generic
worker map.

Refs:
- https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/docs/workers.md#historical-apps
- https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/docs/workers.md#synapseappgeneric_worker
2026-03-15 00:29:32 +02:00
Slavi Pantaleev c0044a9b0a matrix-synapse: route MatrixRTC transport discovery to workers
Current Synapse registers the MatrixRTC transport discovery endpoint on
client-serving workers when MSC4143 is enabled, but MDAD does not model
that path in either its client-reader bucket or its broader generic-
worker endpoint list.

Add the unstable MatrixRTC transport discovery route so MDAD's worker
routing matches the current upstream worker surface for this endpoint.
This is a small, isolated routing addition for a simple authenticated
GET endpoint.

Refs:
- https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/synapse/rest/client/matrixrtc.py#L30-L52
- https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/synapse/rest/__init__.py#L81-L129
- https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/synapse/rest/__init__.py#L179-L197
2026-03-15 00:11:58 +02:00
Slavi Pantaleev 63a0e8216b matrix-synapse: route account deactivation like current Synapse
Current Synapse still documents and registers
`/_matrix/client/.../account/deactivate` on client-serving workers when
auth is not delegated. MDAD already routes neighboring account endpoints
such as `account/3pid` and `account/whoami`, but it omitted
`account/deactivate` from both its client-reader bucket and its broader
generic-worker endpoint list.

Add the missing route patterns so MDAD's worker routing matches the
current upstream worker surface in non-delegated-auth deployments. In
MAS / MSC3861 mode the endpoint is not registered upstream anyway, so
this does not expand the effective delegated-auth surface.

Refs:
- https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/docs/workers.md#synapseappgeneric_worker
- https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/synapse/rest/client/account.py#L284-L324
- https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/synapse/rest/client/account.py#L913-L920
2026-03-14 23:49:20 +02:00
Slavi Pantaleev 975f14d2d8 matrix-synapse: route the current Nheko summary endpoint
Synapse currently supports both the deprecated
`/_matrix/client/unstable/im.nheko.summary/rooms/<room>/summary`
route and the recommended
`/_matrix/client/unstable/im.nheko.summary/summary/<room>`
form. MDAD only matched the deprecated shape.

Add the recommended pattern alongside the old one so worker routing
matches the current upstream API surface while preserving backward
compatibility for the deprecated path.

Refs:
- https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/docs/workers.md#synapseappgeneric_worker
- https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/synapse/rest/client/room.py#L1716-L1728
2026-03-14 23:32:10 +02:00
Slavi Pantaleev d80ef72fbe matrix-synapse: remove stale client-reader residue and refresh worker comment
Current Synapse no longer exposes device management under
`/_matrix/client/.../account/devices`. The live client API shape is
`/devices`, `/devices/{device_id}`, and `/delete_devices`, and
MDAD already routes those real device-list-sensitive endpoints through
explicit device-list handling.

Keeping `account/devices` in the old client-reader regex therefore only
preserves stale route-model residue. While touching the same area,
refresh the `/_synapse/client/*` comment to reflect current Synapse:
client-serving generic workers now mount a meaningful Synapse-specific
client tree there, but MDAD still intentionally keeps those paths out of
its broad worker regexes because they are deployment-sensitive and
auth-sensitive.

Refs:
- https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/docs/workers.md#historical-apps
- https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/synapse/rest/client/devices.py#L49-L150
- https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/synapse/rest/synapse/client/__init__.py#L39-L88
2026-03-14 23:31:51 +02:00
Slavi Pantaleev dfe8628fbf matrix-synapse: add routing-focused reverse-proxy access log preset 2026-03-14 02:56:48 +02:00
Slavi Pantaleev a3ff72ebff matrix-synapse: enable push_rules writer in worker presets 2026-03-14 01:50:07 +02:00
Slavi Pantaleev df76b1cd5b matrix-synapse: enable device_lists writer in worker presets 2026-03-14 01:49:45 +02:00
Slavi Pantaleev dafac35a0e matrix-synapse: route stream-backed client endpoints explicitly and add device_lists stream writer support
Some client API endpoints (e.g. keys/upload) are backed by Synapse stream writers and
should not rely on broad worker regexes or route-order fallthrough for correctness.

When explicit per-stream routing is missing, requests may be captured by generic, room, or client_reader workers, instead of:
- going to the configured stream writer
- or to `main` when that stream writer is not enabled

This refactors synapse-reverse-proxy-companion's routing so that web-facing stream-backed endpoint families
are handled explicitly and early, with deterministic writer-or-main fallback.

Add first-class support for the missing `device_lists` stream writer,
generalize the same routing model to `push_rules`,
and remove stale broad-route ownership for device-list-sensitive endpoints.
2026-03-14 01:42:08 +02:00
Slavi Pantaleev d4e8da3e0a Bump default OpenAI text-generation model (gpt-5.2 -> gpt-5.4) 2026-03-11 10:05:46 +02:00
Slavi Pantaleev ac559889f9 Upgrade Sable (v1.6.0-0 -> v1.6.0-1) 2026-03-10 21:50:14 +02:00
Slavi Pantaleev 6b6b74afa9 matrix-synapse-admin: fail when enabled with non-Synapse homeserver 2026-03-08 15:26:21 +02:00
Slavi Pantaleev 677919fc39 Upgrade systemd_service_manager (v3.1.0-0 -> v3.2.0-0) 2026-03-08 14:44:58 +02:00
Slavi Pantaleev df205a2f77 Upgrade baibot (v1.14.3 -> v1.15.0) and adapt to support optional access-token auth mode
Ref:
- https://github.com/etkecc/baibot/pull/83
- https://github.com/etkecc/baibot/blob/748d2b7fd4ab7bbd53cde1400935d634dc13ea38/CHANGELOG.md#2026-03-07-version-1150
- https://github.com/etkecc/baibot/blob/748d2b7fd4ab7bbd53cde1400935d634dc13ea38/docs/configuration/authentication.md
2026-03-07 12:43:48 +02:00
Slavi Pantaleev 87a799faa6 Fix Commet variable placement in matrix_servers
Move Commet defaults out of the Element section into a dedicated matrix-client-commet block, and add missing matrix_client_commet_enabled default wiring.

Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/5000
2026-03-03 21:41:48 +02:00
Slavi Pantaleev d5ffc94916 Add support for the Sable client (Cinny fork) 2026-03-03 12:48:59 +02:00
Slavi Pantaleev 4208b4f553 chore: bump livekit role and document TURN relay ports 2026-03-03 09:51:53 +02:00
Slavi Pantaleev 46321552b7 docs(changelog): document Synapse S3 prefix wiring behavior change 2026-03-01 00:49:05 +02:00
Slavi Pantaleev a949605518 Remove duplicate "Project source code URL" from roles/custom/matrix-synapse/defaults/main.yml
This was causing issues when it's parsed out by certain tools.

Regression since 28afbde971
2026-02-26 12:40:45 +02:00
Slavi Pantaleev 28afbde971 Merge Synapse reverse-proxy companion role into matrix-synapse
The companion role was tightly coupled to Synapse through shared tags, worker routing, and lifecycle ordering. Keeping them separate added coordination overhead without practical benefits, especially for parallelized execution.

This merges the role into matrix-synapse while keeping companion logic organized under dedicated reverse_proxy_companion task/template subdirectories.

Compatibility is preserved:
- matrix_synapse_reverse_proxy_companion_* variable names remain unchanged
- install/setup companion-specific tags remain available

Cross-role/global wiring is now in group_vars (matrix-synapse section), while role defaults provide sensible standalone defaults and self-wiring for Synapse-owned values.
2026-02-26 06:51:47 +02:00
Slavi Pantaleev 63b6bf4bc1 Fix Goofys restart guard for non-Synapse setups
Only queue matrix-goofys.service for restart when Synapse is enabled. Goofys is installed from the Synapse role, so non-Synapse homeserver configurations should not try to restart this unit. This mirrors the fix for issue https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/4959.
2026-02-25 18:27:47 +02:00
Slavi Pantaleev 39f867a1c9 Fix S3 migration timer restart guard for non-Synapse setups
Only queue matrix-synapse-s3-storage-provider-migrate.timer for restart when Synapse is actually enabled. This prevents setup/install failures when a Synapse-only extension flag is set while using another homeserver implementation, as reported in https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/4959.
2026-02-25 18:21:30 +02:00
Slavi Pantaleev 2e7e034d3a Document room complexity guard for constrained Synapse setups 2026-02-21 18:02:24 +02:00
Slavi Pantaleev 2c29027868 Add configurable Synapse room complexity limit variables 2026-02-21 17:44:31 +02:00
Slavi Pantaleev 1718181ff4 Do not auto-enable Coturn by default
With everything moving to Matrix RTC and Element X on mobile not
supporting legacy calls, most people probably don't need Coturn
auto-enabled.
2026-02-21 17:16:29 +02:00
Slavi Pantaleev f1d1c50106 Update changelog entry heading for better clarity 2026-02-21 16:33:37 +02:00
Slavi Pantaleev b55444e44f LiveKit TURN docs clarity update 2026-02-21 16:30:56 +02:00
Slavi Pantaleev f96dcff028 LiveKit TURN docs and defaults update 2026-02-21 16:20:07 +02:00
Slavi Pantaleev c6cd76e988 Define matrix-corporal's systemd service manager priority in terms of matrix_homeserver_systemd_service_manager_priority
Related to 4761ff7e9a
2026-02-21 15:50:00 +02:00
Slavi Pantaleev 4761ff7e9a Align homeserver/coturn service priorities to avoid first-start cert race
The startup issue came from a timing dependency around coturn TLS certs:

- `matrix-coturn.service` depends on
  `matrix-traefik-certs-dumper-wait-for-domain@<matrix-fqdn>.service`
- That waiter succeeds only after Traefik has obtained and dumped a cert for
  the Matrix hostname (typically driven by homeserver labels/routes becoming
  active)
- If coturn is started too early, it can block/fail waiting for cert files
  that are not yet present

Historically, coturn priority was mode-dependent:

- `one-by-one`: coturn at 1500 (delayed after homeserver)
- other modes: coturn at 900 (before homeserver)

This could still trigger undesirable startup ordering and confusing behavior
in non-`one-by-one` modes, especially during initial bootstrap/restart flows
where cert availability lags service startup.

This change makes ordering explicit and consistent:

1. Introduce `matrix_homeserver_systemd_service_manager_priority` (default 1000)
   in `roles/custom/matrix-base/defaults/main.yml`.
2. Use that variable for the homeserver service entry in
   `group_vars/matrix_servers`.
3. Set coturn priority relative to homeserver priority in all modes:
   `matrix_homeserver_systemd_service_manager_priority + 500`.
4. Update inline documentation comments in `group_vars/matrix_servers` to
   match the new behavior and rationale.

Result:

- Homeserver/coturn ordering is deterministic and mode-agnostic.
- Coturn is intentionally started later than the homeserver by default,
  reducing first-start certificate wait/fail races.
- Priority intent is now centralized and configurable via a dedicated
  homeserver priority variable.
- Coturn may still be stated earlier, because the homeserver typically
  has a `Wants` "dependency" on it, but that's alright
2026-02-20 23:55:31 +02:00
Slavi Pantaleev 976d2c4cd0 fix(matrix-static-files): restore /.well-known serving with static-web-server v2.41.0
Users reported that /.well-known/matrix/* stopped being served after the image bump to static-web-server v2.41.0.

Regression introduced by commit 32aeaca28b in PR #4951: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/4951

Root cause: upstream changed hidden-file handling defaults, so paths under /.well-known were treated as hidden and no longer served by default.

Fix by explicitly configuring SERVER_IGNORE_HIDDEN_FILES=false in the matrix-static-files role and rendering it as a JSON boolean in the env template, making behavior stable across upstream default changes.
2026-02-20 13:11:16 +02:00
Slavi Pantaleev a1dc468004 Have the Synapse healthcheck be more patient to accommodate slow servers 2026-02-19 13:49:17 +02:00
Slavi PantaleevandClaude Opus 4.6 ff2a0be559 Rename matrix_s3_goofys _docker_image vars to _container_image
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-18 10:36:17 +02:00
Slavi PantaleevandClaude Opus 4.6 23203ff9d3 Bump backup_borg and postgres roles, update variable references
backup_borg v1.4.3-2.1.1-0 -> v1.4.3-2.1.1-1 (docker -> container rename)
postgres v18.2-1 -> v18.2-2 (pgloader docker -> container rename)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-18 10:14:41 +02:00
Slavi PantaleevandClaude Opus 4.6 ca2b6b0a27 Rename _docker_ vars to _container_ for kakaotalk, telegram, synapse
These three roles have multiple variable prefixes each:
- kakaotalk: matrix_appservice_kakaotalk + matrix_appservice_kakaotalk_node
- telegram: matrix_mautrix_telegram + matrix_mautrix_telegram_lottieconverter
- synapse: matrix_synapse + matrix_synapse_customized + matrix_synapse_rust_synapse_compress_state

For each: renamed _docker_image* to _container_image* (and _docker_src*,
_docker_repo* where applicable), added deprecation entries in
validate_config.yml, updated group_vars references, and moved
deprecation tasks to the front of validate_config.yml.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-18 09:48:38 +02:00
Slavi PantaleevandClaude Opus 4.6 f0e0f5ec56 Rename _docker_ vars to _container_ across 34 roles
Roles affected: appservice-discord, appservice-irc, beeper-linkedin,
heisenbridge, hookshot, mautrix-bluesky, mautrix-discord,
mautrix-gmessages, mautrix-googlechat, mautrix-signal, mautrix-slack,
mautrix-twitter, mautrix-whatsapp, mautrix-wsproxy, mx-puppet-groupme,
mx-puppet-steam, postmoogle, sms, steam, cactus-comments, element,
fluffychat, schildichat, conduit, corporal, dendrite,
ldap-registration-proxy, media-repo, pantalaimon,
prometheus-nginxlog-exporter, registration, sygnal, synapse-admin,
user-verification-service.

For each role: renamed _docker_image* variables to _container_image*
(and _docker_src_files_path to _container_src_files_path where
applicable), added deprecation entries in validate_config.yml, and
updated group_vars/docs references.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-18 08:21:13 +02:00
Slavi PantaleevandClaude Opus 4.6 78d9f725b3 Rename matrix-bot-mjolnir _docker_ vars to _container_
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-18 08:16:07 +02:00
Slavi PantaleevandClaude Opus 4.6 acf3d72c47 Rename matrix-bot-maubot _docker_ vars to _container_
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-18 08:16:07 +02:00
Slavi PantaleevandClaude Opus 4.6 9d4ec45e72 Rename matrix-bot-matrix-reminder-bot _docker_ vars to _container_
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-18 08:16:07 +02:00
Slavi PantaleevandClaude Opus 4.6 bca2c43368 Rename matrix-bot-matrix-registration-bot _docker_ vars to _container_
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-18 08:16:07 +02:00
Slavi PantaleevandClaude Opus 4.6 528a32f6c1 Rename matrix-bot-honoroit _docker_ vars to _container_
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-18 08:16:07 +02:00
Slavi PantaleevandClaude Opus 4.6 893e90a65f Rename matrix-bot-draupnir _docker_ vars to _container_
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-18 08:16:07 +02:00
Slavi PantaleevandClaude Opus 4.6 426839c287 Rename matrix-bot-buscarron _docker_ vars to _container_
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-18 08:16:07 +02:00
Slavi PantaleevandClaude Opus 4.6 51a357133b Rename matrix-appservice-draupnir-for-all _docker_ vars to _container_
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-18 08:16:07 +02:00
Slavi PantaleevandClaude Opus 4.6 dbc71fccf7 Fix Renovate depName for Continuwuity to use the actual Docker image name
The previous depName (forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/)
was a Forgejo web UI path, not the Docker image name. Renovate's docker datasource
needs the image name as used in `docker pull`.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-18 08:16:07 +02:00
Slavi Pantaleev f2ebc00e22 Pin Continuwuity version (main -> v0.5.5) 2026-02-18 08:16:07 +02:00
Slavi PantaleevandClaude Opus 4.6 669490f18e Refactor Continuwuity role: add version variable and rename docker to container
Add matrix_continuwuity_version with container_image_tag inheriting from it.
Rename all _docker_image* variables to _container_image* with deprecation notices.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-18 08:16:07 +02:00
Slavi Pantaleev 8a3017c964 Upgrade Cinny (v4.10.2-2 -> v4.10.3-0) 2026-02-16 14:34:08 +02:00
Slavi Pantaleev d620fa3b69 Fix typo 2026-02-15 11:56:26 +02:00
Slavi Pantaleev 956d2d81a5 Upgrade systemd_service_manager (v3.0.0-0 -> v3.0.0-1) 2026-02-14 21:56:31 +02:00
Slavi PantaleevandClaude Opus 4.6 985740e89d Add conditional restart support to remaining services
Add change-tracking and restart_necessary computation for:
- matrix-authentication-service (custom role in this repo)
- container-socket-proxy, traefik-certs-dumper, postgres, exim-relay,
  cinny, livekit-server (external roles, bumped in requirements.yml)

Wire all 7 services in group_vars to use their _restart_necessary variable
instead of hardcoded true.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-13 16:21:36 +02:00
Slavi PantaleevandClaude Opus 4.6 0d86610cbe Add conditional restart support to service roles
Track config/image/systemd changes via register: directives and compute
a _restart_necessary variable for each service role, allowing the
systemd_service_manager to skip unnecessary restarts during install-* runs.

Covers 22 service roles: alertmanager-receiver, appservice-draupnir-for-all,
bridge-mautrix-wsproxy (+ syncproxy), cactus-comments, cactus-comments-client,
corporal, element-admin, ldap-registration-proxy, livekit-jwt-service, matrixto,
pantalaimon, prometheus-nginxlog-exporter, rageshake, registration, static-files,
sygnal, synapse-admin, synapse-auto-compressor, synapse-reverse-proxy-companion,
synapse-usage-exporter, and user-verification-service.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-13 16:01:46 +02:00
Slavi PantaleevandClaude Opus 4.6 16010ff8c7 Add conditional restart support to client, bot, and bridge roles
For each of the 34 roles (3 clients, 9 bots, 22 bridges), this commit:
- Adds `_restart_necessary: false` default variable
- Adds `register:` directives to config/image/systemd tasks
- Computes `_restart_necessary` via set_fact (OR of all .changed results)
- Wires `(_restart_necessary | bool)` in group_vars/matrix_servers

This allows the systemd service manager to skip unnecessary restarts
when running install-* tags and nothing actually changed.

Service roles and complex multi-service roles will follow separately.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-13 15:33:54 +02:00
Slavi PantaleevandClaude Opus 4.6 6da1223500 Rename _requires_restart to _migration_requires_restart across all custom roles
These variables track whether a database migration necessitates a service
restart. The new name avoids confusion with the conditional restart
feature introduced in af193043/9accc848/4a8df138, where
devture_systemd_service_manager handles restarting services whose
configuration or image changed. The old _requires_restart name was
ambiguous — it could be mistaken for the systemd_service_manager
mechanism — so _migration_requires_restart makes the purpose explicit.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-13 14:46:06 +02:00
Slavi PantaleevandClaude Opus 4.6 4a8df13854 Auto-detect conditional restart based on playbook tags and add CHANGELOG entry
- Override devture_systemd_service_manager_conditional_restart_enabled in
  group_vars based on ansible_run_tags: disabled when setup-* tags are used,
  enabled otherwise. This replaces the --extra-vars hack in the justfile and
  ensures consistent behavior for both `just` and raw `ansible-playbook` users.
- Revert justfile setup-all to its original form (no --extra-vars needed).
- Update docs/just.md to reflect tag-agnostic behavior.
- Add CHANGELOG.md entry documenting the conditional restart feature.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-13 14:21:07 +02:00
Slavi PantaleevandClaude Opus 4.6 9accc848c4 Wire conditional restart for Traefik and update setup-all to force restarts
- Traefik's service list entry now uses the `traefik_restart_necessary`
  variable (computed by the Traefik role) instead of hardcoded `true`,
  so it is only restarted when its config, systemd unit, or image changed.

- `just setup-all` now passes
  `devture_systemd_service_manager_conditional_restart_enabled=false`
  to force unconditional restarts, matching its "full setup" semantics.

- Document the conditional restart behavior in docs/just.md.

Some benchmarks follow for `just install-service traefik -l matrix.example.com`
when Traefik settings did not change and a restart is not really necessary:

- Before:
  - total time: 56 seconds 🐌
  - Traefik restarted: yes 
  - Services that depend on Traefik restarted: yes; all of them restarted 

- After:
  - total time: 27 seconds 
  - Traefik restarted: no 
  - Services that depend on Traefik restarted: no; none restarted 

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-13 12:32:02 +02:00
Slavi Pantaleev af193043ab Upgrade Traefik (v2.0.0-2 -> v3.0.0-0) - adding support for conditional restarting 2026-02-13 12:32:02 +02:00
Slavi Pantaleev 452d54b53f Upgrade Traefik (v3.6.8-2 -> v3.6.8-3) - adding support for conditional restarting 2026-02-13 12:32:02 +02:00
Slavi PantaleevandGitHub 47bf99af7a Merge pull request #4914 from krejcar25/fix/matrix_synapse_wait_seconds_type
Fix regression introduced in a77a875
2026-02-12 12:31:03 +02:00
Slavi Pantaleev 0b5ef18d1c Upgrade systemd_service_manager (v2.0.0-1 -> v2.0.0-2) 2026-02-12 09:41:19 +02:00
Slavi Pantaleev 014380eecd Upgrade Traefik (v3.6.8-1 -> v3.6.8-2) 2026-02-12 01:04:06 +02:00
Slavi PantaleevandClaude Opus 4.6 a77a8753d9 Derive Synapse post-start delay from Traefik's providersThrottleDuration
After Synapse's systemd health check passes, Traefik still needs
providers.providersThrottleDuration to register routes. Derive the
post-start delay from this setting (+1s for healthcheck polling gap)
instead of using a hardcoded value. Defaults to 0 when no Traefik
reverse proxy is used.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-12 00:54:46 +02:00
Slavi Pantaleev 9569633164 Upgrade Traefik (v3.6.8-0 -> v3.6.8-1) 2026-02-12 00:48:13 +02:00
Slavi PantaleevandClaude Opus 4.6 9d9e9e9177 Use docker inspect for Synapse systemd health check and lower health interval
Switch the systemd ExecStartPost health check from docker exec + curl
to polling docker inspect for container health status. This piggybacks
on the container image's built-in HEALTHCHECK instead of duplicating it.

Also add a configurable container health interval (5s for Traefik setups,
15s otherwise) to speed up startup readiness detection without affecting
non-Traefik deployments.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-12 00:13:02 +02:00
Slavi PantaleevandClaude Opus 4.6 bcddeda5df Make traefik-certs-dumper require the Traefik service to avoid race condition
When both services restart simultaneously (e.g. in all-at-once mode),
Traefik may momentarily truncate or reinitialize acme.json, causing
the certs dumper to read an empty file and panic. By adding
Requires/After on the Traefik service, the certs dumper only starts
after Traefik is fully ready and acme.json is stable.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-12 00:11:28 +02:00
Slavi Pantaleev 59e70b8ca9 Add systemd-healthcheck to Synapse systemd service in an effort to increase reliability (of Synapse-dependant services)
Previously, we had a 10-second magical delay.

Now we first do a healthcheck to figure out when it really is up.
Then, we do the same 10-second magical delay to account for the time it
may take for a reverse-proxy (like Traefik) to pick up Synapse's routes.
2026-02-11 23:32:33 +02:00
Slavi Pantaleev f8815c0bb9 Upgrade systemd_service_manager (v2.0.0-0 -> v2.0.0-1) 2026-02-11 23:31:13 +02:00
Slavi Pantaleev 2fad873b42 Make addon systemd services depend on the homeserver systemd service as well, not just on Traefik
Addons typically access the homeserver via Traefik, but requests
ultimately lead to the homeserver and it'd better be up or Traefik would
serve a "404 Not Found" error.

This is an attempt (one of many pieces) to make services more reliable,
especially when `devture_systemd_service_manager_service_restart_mode: all-at-once` is used
(which is the default).
2026-02-11 23:27:09 +02:00
Slavi Pantaleev 294cd109fd Upgrade Traefik (v3.6.7-1 -> v3.6.8-0) 2026-02-11 23:26:13 +02:00
Slavi PantaleevandClaude Opus 4.6 9d6c8eabcb Fix swapped Requires=/Wants= directives in Draupnir and Mjolnir systemd service templates
Commit 593b3157b ("Fix systemd service Wants for mjolnir and draupnir")
accidentally swapped the variable loops: `systemd_wanted_services_list`
ended up generating `Requires=`/`After=` directives and
`systemd_required_services_list` ended up generating `Wants=` directives —
the opposite of what the variable names mean and how every other
bot/bridge service template in the playbook works.

This caused these bots to only `Wants=` (not `Requires=`/`After=`) their
dependencies like matrix-traefik.service, so systemd didn't guarantee
ordering. During all-at-once restarts, the bots would start before traefik
was ready, fail with DNS resolution errors, and crash.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-11 18:54:41 +02:00
Slavi Pantaleev dd26f8a12a Add systemd dependencies to s3-storage-provider-migrate service
The migrate service now declares Requires/After on matrix-synapse.service,
ensuring Synapse (and its transitive dependencies like Postgres and Docker)
are running before the migration triggers.
2026-02-11 16:50:29 +02:00
Slavi Pantaleev ecf9befc32 Adapt to the all-at-once restart mode default in systemd_service_manager v2.0.0-0
- `install-service` no longer forces `one-by-one` restart mode

- the coturn priority condition is flipped: only `one-by-one` mode
  needs the delayed priority (1500); all other modes (including
  the new `all-at-once` default) use the normal priority (900)

Ref:

- https://github.com/devture/com.devture.ansible.role.systemd_service_manager/commit/d42cd9204548d47c1368badc9b152f4261093398
- https://github.com/devture/com.devture.ansible.role.systemd_service_manager/blob/f3e658cca3b41d3aedc81aa77cf22bafd9ca4d0f/docs/restart-mode-comparison.md
- https://github.com/devture/com.devture.ansible.role.systemd_service_manager/commit/36445fb41931c6baa3c44818877def4a162e5db4
- 750cb7e29e
2026-02-10 16:41:41 +02:00
Slavi Pantaleev 750cb7e29e Upgrade systemd_service_manager (v1.1.0-0 -> v2.0.0-0) 2026-02-10 16:21:57 +02:00
Slavi Pantaleev ace086056f Upgrade Postgres (v18.1-4 -> v18.1-5) 2026-02-09 21:24:48 +02:00
Slavi PantaleevandClaude Opus 4.6 0e8ef8ef10 Add retry logic for Synapse user registration on Connection refused
When DB credentials change (derived from matrix_synapse_macaroon_secret_key),
a running Synapse container may fail to connect to its database and stop
serving requests. This causes register_new_matrix_user to fail with
"Connection refused" when the matrix-user-creator role tries to register users.

This extends the retry logic from 44b43a51b (which handled HMAC failures)
to also handle Connection refused errors: restart Synapse (picking up the
new config with updated credentials), wait for it to start, and retry.

Caused by c21a80d232

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-09 17:36:59 +02:00
Slavi PantaleevandClaude Opus 4.6 2c2738a48f Remove passlib dependency by making matrix-media-repo datastore IDs user-provided
These IDs were incorrectly auto-derived from matrix_homeserver_generic_secret_key,
which is meant for secrets that are OK to change. Datastore IDs are static
identifiers that must never change after first use.

The playbook now requires users to explicitly set matrix_media_repo_datastore_file_id
(and matrix_media_repo_datastore_s3_id when S3 is enabled) in vars.yml, with
validation that fails early if they are missing.

This was the last usage of passlib, which is now removed from prerequisites.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-09 16:56:51 +02:00
Slavi PantaleevandClaude Opus 4.6 44b43a51b9 Add retry logic for Synapse user registration on HMAC failure
When the registration_shared_secret changes (derived from
matrix_synapse_macaroon_secret_key), a running Synapse container still
has the old secret in its config. This causes register_new_matrix_user
to fail with "HMAC incorrect" when the matrix-user-creator role tries
to register users.

This mirrors the approach from 2a581cce (which added similar retry
logic for the Matrix Authentication Service on database auth failure):
if the initial registration attempt fails with an HMAC error, restart
Synapse (picking up the new config with the updated secret), wait for
it to start, and retry.

Caused by c21a80d232

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-09 06:29:14 +02:00
Slavi Pantaleev 92c204394a Upgrade Postgres (v18.1-3 -> v18.1-4) 2026-02-08 18:46:36 +02:00
Slavi Pantaleev a1015b6df2 Change salt for Whatsapp token secrets to make pre-commit happy 2026-02-08 18:43:10 +02:00
Slavi PantaleevandClaude Opus 4.6 2a581cce62 Add retry logic for MAS user registration on database auth failure
When the Postgres role updates database passwords (e.g., due to a
change in the secret derivation method), the Matrix Authentication
Service container may still be running with old configuration that
references the previous password. This causes mas-cli to fail with
"password authentication failed" when the matrix-user-creator role
tries to register users.

Rather than adding config-change detection or eager restarts to the
MAS role, this adds targeted retry logic: if the initial registration
attempt fails with a database authentication error, restart the MAS
service (which picks up the new config with the updated password),
wait for it to start, and retry. The restart usually only triggers
once per run since subsequent user registrations succeed after the restart.

Related to c21a80d232

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-08 18:32:20 +02:00
Slavi PantaleevandClaude Opus 4.6 c21a80d232 Switch to fast single-round hashing for derived secrets
Replace password_hash('sha512', rounds=655555) with hash('sha512')
for all 114 secret derivations in group_vars/matrix_servers.

The old method (655k rounds of SHA-512) was designed for protecting
low-entropy human passwords in /etc/shadow. For deriving secrets
from a high-entropy secret key, a single hash round is equally
secure - the security comes from the key's entropy, not the
computational cost. SHA-512 remains preimage-resistant regardless
of rounds.

This yields a major performance improvement: evaluating
postgres_managed_databases (which references multiple derived
database passwords) dropped from ~10.7s to ~0.6s on a fast mini
PC. The Postgres role evaluates this variable multiple times, and
other roles reference derived passwords too, so the cumulative
savings across a full playbook run are substantial.

All derived service passwords (database passwords, appservice
tokens, etc.) will change on the next run. The main/superuser
database password is not affected (it's hardcoded in inventory
variables). All services receive their new passwords in the same
run, so this should be seamless.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-08 18:15:02 +02:00