mautrix-meta-messenger: expose bridge HTTP API (for mautrix-manager and similar)

Auto-generate the provisioning shared secret (to enable the provisioning
API), route the whole bridge HTTP port via Traefik under
`<matrix-fqn>/bridges/meta-messenger`, and populate
appservice.public_address, reusing the matrix_bridges_exposure_*
mechanism. The labels template gate is widened so the exposure router is
emitted even when metrics are disabled (the exposure router reuses the
existing appservice Traefik service on port 29319).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

CHANGELOG.md

@@ -1,3 +1,19 @@
+# 2026-06-28
+
+## baibot now supports Venice, our recommended provider
+
+[baibot](./docs/configuring-playbook-bot-baibot.md) now ships a preset for the [Venice](./docs/configuring-playbook-bot-baibot.md#venice) provider, and it's the one we recommend. It's the most capable provider baibot supports (text generation with vision, file inputs and web search, speech-to-text, text-to-speech, and image generation and editing), and the only one that runs inference with no logging and no training on your data.
+
+Enabling it takes a preset toggle and an API key:
+
+```yaml
+matrix_bot_baibot_config_agents_static_definitions_venice_enabled: true
+
+matrix_bot_baibot_config_agents_static_definitions_venice_config_api_key: "YOUR_API_KEY_HERE"
+```
+
+[OpenAI](https://openai.com/) and baibot's other providers remain fully supported. To get started, see the [Setting up baibot](./docs/configuring-playbook-bot-baibot.md#venice) documentation page.
+
 # 2026-06-24
 
 ## Support for bridging to iMessage via RustPush

docs/configuring-playbook-bot-baibot.md

@@ -14,7 +14,7 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 
 🤖 [baibot](https://github.com/etkecc/baibot) (pronounced bye-bot) is a [Matrix](https://matrix.org/) bot developed by [etke.cc](https://etke.cc/) that exposes the power of [AI](https://en.wikipedia.org/wiki/Artificial_intelligence) / [Large Language Models](https://en.wikipedia.org/wiki/Large_language_model) to you. 🤖
 
-It supports [OpenAI](https://openai.com/)'s [ChatGPT](https://openai.com/blog/chatgpt/) models, as many well as other [☁️ providers](https://github.com/etkecc/baibot/blob/main/docs/providers.md).
+It supports many [☁️ providers](https://github.com/etkecc/baibot/blob/main/docs/providers.md), including the privacy-first [Venice](#venice) we recommend, [OpenAI](https://openai.com/)'s [ChatGPT](https://openai.com/blog/chatgpt/) models, and more.
 
 It's designed as a more private and [✨ featureful](https://github.com/etkecc/baibot/?tab=readme-ov-file#-features) alternative to [matrix-chatgpt-bot](./configuring-playbook-bot-chatgpt.md). See the [baibot](https://github.com/etkecc/baibot) project and its documentation for more information.
 
@@ -159,7 +159,38 @@ Agents defined statically and those created dynamically (via chat) are named dif
 
 Depending on your propensity for [GitOps](https://en.wikipedia.org/wiki/DevOps#GitOps), you may prefer to define agents statically via Ansible, or you may wish to do it dynamically via chat.
 
-Before proceeding, we recommend reading the upstream documentation on [How to choose a provider](https://github.com/etkecc/baibot/blob/main/docs/providers.md#how-to-choose-a-provider). In short, it's probably best to go with [OpenAI](#openai).
+Before proceeding, we recommend reading the upstream documentation on [How to choose a provider](https://github.com/etkecc/baibot/blob/main/docs/providers.md#how-to-choose-a-provider) for a side-by-side of what each one can do. In short: we recommend [Venice](#venice), the most capable provider baibot supports and the only one that keeps no logs and trains on nothing. If you'd rather start with the most widely-used option, [OpenAI](#openai) is a solid, well-supported choice too.
+
+#### Venice
+
+[Venice](https://venice.ai/chat?ref=kpXDe6) _(ref link with a $10 bonus for you)_ is the provider we recommend. It's the most capable one baibot supports, and the only one that pairs that full feature set with real privacy: inference runs on Venice's own GPUs or on zero-data-retention partner hardware, so your prompts and replies are stored nowhere and never used for training. It serves both frontier proprietary models and the latest open-source ones.
+
+Venice also leaves the content policy to you instead of imposing its own. Its models answer without the reflexive refusals some hosted services apply, and both text and image generation can handle adult or otherwise sensitive subjects when you need them to. Image generation ships a `safe_mode` that blurs adult content by default; you can turn it off (see the sample config). This pairs naturally with the privacy above: a bot you can speak to candidly, that keeps nothing.
+
+Unlike the [OpenAI Compatible](#openai-compatible) provider (which can also point at Venice, but drops images and can't reach its audio or native image endpoints), this is a first-class integration that exposes Venice's full parameter set: text-generation with vision, file inputs, prompt caching and native web search, plus speech-to-text, text-to-speech, and image generation and editing.
+
+You can statically-define a single [🤖 agent](https://github.com/etkecc/baibot/blob/main/docs/agents.md) instance powered by the [Venice provider](https://github.com/etkecc/baibot/blob/main/docs/providers.md#venice) with the help of the playbook's preset variables.
+
+Here's an example **addition** to your `vars.yml` file:
+
+```yaml
+matrix_bot_baibot_config_agents_static_definitions_venice_enabled: true
+
+matrix_bot_baibot_config_agents_static_definitions_venice_config_api_key: "YOUR_API_KEY_HERE"
+
+# The preset ships sensible defaults for every purpose, so changing only the API key above is enough
+# to get going. Uncomment and adjust any of these if you'd like to use different models:
+# matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_model_id: kimi-k2-5
+# matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_model_id: chroma
+```
+
+Because this is a [statically](https://github.com/etkecc/baibot/blob/main/docs/configuration/README.md#static-configuration)-defined agent, it will be given a `static/` ID prefix and will be named `static/venice`.
+
+Every Venice knob (sampling, caching, reasoning, web-search behavior, voice and image controls) has a matching `matrix_bot_baibot_config_agents_static_definitions_venice_config_*` variable. The [fully-commented sample config](https://github.com/etkecc/baibot/blob/main/docs/sample-provider-configs/venice.yml) explains every one of them.
+
+If you'd like to use more than one model, take a look at the [Configuring additional agents (without a preset)](#configuring-additional-agents-without-a-preset) section below.
+
+💡 You may also wish to use this new agent for [🤝 Configuring initial default handlers](#-configuring-initial-default-handlers).
 
 #### Anthropic
 
@@ -374,7 +405,7 @@ Example **additional** `vars.yml` configuration:
 # As such, changing any of these values subsequently has no effect on the bot's behavior.
 # Once initially configured, the global configuration is managed via bot commands, not via Ansible.
 
-matrix_bot_baibot_config_initial_global_config_handler_catch_all: static/openai
+matrix_bot_baibot_config_initial_global_config_handler_catch_all: static/venice
 
 # In this example, there's no need to define any of these below.
 # Configuring the catch-all purpose handler is enough.

docs/configuring-playbook-ketesa.md

@@ -13,14 +13,14 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 
 # Setting up Ketesa (optional)
 
-The playbook can install and configure [Ketesa](https://github.com/etkecc/ketesa) for you.
+The playbook can install and configure [Ketesa](https://ketesa.app) ([source code](https://github.com/etkecc/ketesa)) for you.
 
 Ketesa is a fully-featured admin interface for Matrix homeservers — manage users, rooms, media, sessions, and more from one clean, responsive web UI. It is the evolution of [Awesome-Technologies/synapse-admin](https://github.com/Awesome-Technologies/synapse-admin): what began as a fork has grown into its own independent project with a redesigned interface, comprehensive Synapse and MAS API coverage, and multi-language support. See the [Ketesa v1.0.0 announcement](https://etke.cc/blog/introducing-ketesa/) for a full overview of what's new.
 
 >[!NOTE]
 >
 > - Ketesa does not work with other homeserver implementations than Synapse due to API's incompatibility.
-> - The latest version of Ketesa is hosted by [etke.cc](https://etke.cc/) at [admin.etke.cc](https://admin.etke.cc/). If you only need this service occasionally and trust giving your admin credentials to a 3rd party Single Page Application, you can consider using it from there and avoiding the (small) overhead of self-hosting.
+> - The latest version of Ketesa is hosted by [etke.cc](https://etke.cc/) at [cloud.ketesa.app](https://cloud.ketesa.app/). If you only need this service occasionally and trust giving your admin credentials to a 3rd party Single Page Application, you can consider using it from there and avoiding the (small) overhead of self-hosting.
 > - This playbook also supports an alternative management UI in the shape of [Element Admin](./configuring-playbook-element-admin.md). Please note that it's currently less feature-rich than Ketesa and requires [Matrix Authentication Service](./configuring-playbook-matrix-authentication-service.md).
 
 ## Adjusting DNS records (optional)

docs/configuring-playbook.md

@@ -190,7 +190,7 @@ Bridges can be used to connect your Matrix installation with third-party communi
 
 Bots provide various additional functionality to your installation.
 
-- [Setting up baibot](configuring-playbook-bot-baibot.md) — a bot through which you can talk to various [AI](https://en.wikipedia.org/wiki/Artificial_intelligence) / [Large Language Models](https://en.wikipedia.org/wiki/Large_language_model) services ([OpenAI](https://openai.com/)'s [ChatGPT](https://openai.com/blog/chatgpt/) and [others](https://github.com/etkecc/baibot/blob/main/docs/providers.md))
+- [Setting up baibot](configuring-playbook-bot-baibot.md) — a bot through which you can talk to various [AI](https://en.wikipedia.org/wiki/Artificial_intelligence) / [Large Language Models](https://en.wikipedia.org/wiki/Large_language_model) services (the privacy-first [Venice](configuring-playbook-bot-baibot.md#venice) we recommend, [OpenAI](https://openai.com/)'s [ChatGPT](https://openai.com/blog/chatgpt/), and [others](https://github.com/etkecc/baibot/blob/main/docs/providers.md))
 
 - [Setting up matrix-reminder-bot](configuring-playbook-bot-matrix-reminder-bot.md) — a bot to remind you about stuff
 

group_vars/matrix_servers

@@ -1471,6 +1471,11 @@ matrix_mautrix_bluesky_metrics_proxying_enabled: "{{ matrix_mautrix_bluesky_metr
 matrix_mautrix_bluesky_metrics_proxying_hostname: "{{ matrix_metrics_exposure_hostname }}"
 matrix_mautrix_bluesky_metrics_proxying_path_prefix: "{{ matrix_metrics_exposure_path_prefix }}/mautrix-bluesky"
 
+matrix_mautrix_bluesky_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}"
+matrix_mautrix_bluesky_exposure_enabled: "{{ matrix_bridges_exposure_enabled }}"
+matrix_mautrix_bluesky_exposure_hostname: "{{ matrix_bridges_exposure_hostname }}"
+matrix_mautrix_bluesky_exposure_path_prefix: "{{ matrix_bridges_exposure_path_prefix }}/bluesky"
+
 matrix_mautrix_bluesky_database_hostname: "{{ postgres_connection_hostname if postgres_enabled else '' }}"
 matrix_mautrix_bluesky_database_password: "{{ (matrix_homeserver_generic_secret_key + ':mau.twt.db') | hash('sha512') | to_uuid if postgres_enabled else '' }}"
 
@@ -1829,6 +1834,11 @@ matrix_mautrix_signal_metrics_proxying_enabled: "{{ matrix_mautrix_signal_metric
 matrix_mautrix_signal_metrics_proxying_hostname: "{{ matrix_metrics_exposure_hostname }}"
 matrix_mautrix_signal_metrics_proxying_path_prefix: "{{ matrix_metrics_exposure_path_prefix }}/mautrix-signal"
 
+matrix_mautrix_signal_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}"
+matrix_mautrix_signal_exposure_enabled: "{{ matrix_bridges_exposure_enabled }}"
+matrix_mautrix_signal_exposure_hostname: "{{ matrix_bridges_exposure_hostname }}"
+matrix_mautrix_signal_exposure_path_prefix: "{{ matrix_bridges_exposure_path_prefix }}/signal"
+
 matrix_mautrix_signal_database_engine: "{{ 'postgres' if postgres_enabled else 'sqlite' }}"
 matrix_mautrix_signal_database_hostname: "{{ postgres_connection_hostname if postgres_enabled else '' }}"
 matrix_mautrix_signal_database_password: "{{ (matrix_homeserver_generic_secret_key + ':mau.signal.db') | hash('sha512') | to_uuid }}"
@@ -1889,6 +1899,7 @@ matrix_mautrix_meta_messenger_appservice_token: "{{ (matrix_homeserver_generic_s
 matrix_mautrix_meta_messenger_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
 
 matrix_mautrix_meta_messenger_homeserver_token: "{{ (matrix_homeserver_generic_secret_key + ':mau.meta.fb.hs') | hash('sha512') | to_uuid }}"
+matrix_mautrix_meta_messenger_provisioning_shared_secret: "{{ (matrix_homeserver_generic_secret_key + ':mau.meta.fb.prov') | hash('sha512') | to_uuid }}"
 
 matrix_mautrix_meta_messenger_homeserver_async_media: "{{ matrix_homeserver_implementation in ['synapse'] }}"
 
@@ -1907,6 +1918,11 @@ matrix_mautrix_meta_messenger_metrics_proxying_enabled: "{{ matrix_mautrix_meta_
 matrix_mautrix_meta_messenger_metrics_proxying_hostname: "{{ matrix_metrics_exposure_hostname }}"
 matrix_mautrix_meta_messenger_metrics_proxying_path_prefix: "{{ matrix_metrics_exposure_path_prefix }}/mautrix-meta-messenger"
 
+matrix_mautrix_meta_messenger_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}"
+matrix_mautrix_meta_messenger_exposure_enabled: "{{ matrix_bridges_exposure_enabled }}"
+matrix_mautrix_meta_messenger_exposure_hostname: "{{ matrix_bridges_exposure_hostname }}"
+matrix_mautrix_meta_messenger_exposure_path_prefix: "{{ matrix_bridges_exposure_path_prefix }}/meta-messenger"
+
 # We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain
 # and point them to a migration path.
 matrix_mautrix_meta_messenger_database_engine: "{{ 'postgres' if postgres_enabled else 'sqlite3-fk-wal' }}"
@@ -1967,6 +1983,7 @@ matrix_mautrix_meta_instagram_appservice_token: "{{ (matrix_homeserver_generic_s
 matrix_mautrix_meta_instagram_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
 
 matrix_mautrix_meta_instagram_homeserver_token: "{{ (matrix_homeserver_generic_secret_key + ':mau.meta.ig.hs') | hash('sha512') | to_uuid }}"
+matrix_mautrix_meta_instagram_provisioning_shared_secret: "{{ (matrix_homeserver_generic_secret_key + ':mau.meta.ig.prov') | hash('sha512') | to_uuid }}"
 
 matrix_mautrix_meta_instagram_homeserver_async_media: "{{ matrix_homeserver_implementation in ['synapse'] }}"
 
@@ -1985,6 +2002,11 @@ matrix_mautrix_meta_instagram_metrics_proxying_enabled: "{{ matrix_mautrix_meta_
 matrix_mautrix_meta_instagram_metrics_proxying_hostname: "{{ matrix_metrics_exposure_hostname }}"
 matrix_mautrix_meta_instagram_metrics_proxying_path_prefix: "{{ matrix_metrics_exposure_path_prefix }}/mautrix-meta-instagram"
 
+matrix_mautrix_meta_instagram_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}"
+matrix_mautrix_meta_instagram_exposure_enabled: "{{ matrix_bridges_exposure_enabled }}"
+matrix_mautrix_meta_instagram_exposure_hostname: "{{ matrix_bridges_exposure_hostname }}"
+matrix_mautrix_meta_instagram_exposure_path_prefix: "{{ matrix_bridges_exposure_path_prefix }}/meta-instagram"
+
 # We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain
 # and point them to a migration path.
 matrix_mautrix_meta_instagram_database_engine: "{{ 'postgres' if postgres_enabled else 'sqlite3-fk-wal' }}"
@@ -2064,6 +2086,11 @@ matrix_mautrix_telegram_metrics_proxying_enabled: "{{ matrix_mautrix_telegram_me
 matrix_mautrix_telegram_metrics_proxying_hostname: "{{ matrix_metrics_exposure_hostname }}"
 matrix_mautrix_telegram_metrics_proxying_path_prefix: "{{ matrix_metrics_exposure_path_prefix }}/mautrix-telegram"
 
+matrix_mautrix_telegram_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}"
+matrix_mautrix_telegram_exposure_enabled: "{{ matrix_bridges_exposure_enabled }}"
+matrix_mautrix_telegram_exposure_hostname: "{{ matrix_bridges_exposure_hostname }}"
+matrix_mautrix_telegram_exposure_path_prefix: "{{ matrix_bridges_exposure_path_prefix }}/telegram"
+
 # Postgres is the default, except if not using internal Postgres server
 matrix_mautrix_telegram_database_engine: "{{ 'postgres' if postgres_enabled else 'sqlite' }}"
 matrix_mautrix_telegram_database_hostname: "{{ postgres_connection_hostname if postgres_enabled else '' }}"
@@ -2140,6 +2167,11 @@ matrix_mautrix_twitter_metrics_proxying_enabled: "{{ matrix_mautrix_twitter_metr
 matrix_mautrix_twitter_metrics_proxying_hostname: "{{ matrix_metrics_exposure_hostname }}"
 matrix_mautrix_twitter_metrics_proxying_path_prefix: "{{ matrix_metrics_exposure_path_prefix }}/mautrix-twitter"
 
+matrix_mautrix_twitter_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}"
+matrix_mautrix_twitter_exposure_enabled: "{{ matrix_bridges_exposure_enabled }}"
+matrix_mautrix_twitter_exposure_hostname: "{{ matrix_bridges_exposure_hostname }}"
+matrix_mautrix_twitter_exposure_path_prefix: "{{ matrix_bridges_exposure_path_prefix }}/twitter"
+
 matrix_mautrix_twitter_database_hostname: "{{ postgres_connection_hostname if postgres_enabled else '' }}"
 matrix_mautrix_twitter_database_password: "{{ (matrix_homeserver_generic_secret_key + ':mau.twt.db') | hash('sha512') | to_uuid if postgres_enabled else '' }}"
 
@@ -2195,6 +2227,8 @@ matrix_mautrix_gmessages_appservice_token: "{{ (matrix_homeserver_generic_secret
 matrix_mautrix_gmessages_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
 matrix_mautrix_gmessages_homeserver_token: "{{ (matrix_homeserver_generic_secret_key + ':gmessa.hs.token') | hash('sha512') | to_uuid }}"
 
+matrix_mautrix_gmessages_provisioning_shared_secret: "{{ (matrix_homeserver_generic_secret_key + ':gmessa.prov') | hash('sha512') | to_uuid }}"
+
 matrix_mautrix_gmessages_homeserver_async_media: "{{ matrix_homeserver_implementation in ['synapse'] }}"
 
 matrix_mautrix_gmessages_double_puppet_secrets_auto: |-
@@ -2212,6 +2246,11 @@ matrix_mautrix_gmessages_metrics_proxying_enabled: "{{ matrix_mautrix_gmessages_
 matrix_mautrix_gmessages_metrics_proxying_hostname: "{{ matrix_metrics_exposure_hostname }}"
 matrix_mautrix_gmessages_metrics_proxying_path_prefix: "{{ matrix_metrics_exposure_path_prefix }}/mautrix-gmessages"
 
+matrix_mautrix_gmessages_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}"
+matrix_mautrix_gmessages_exposure_enabled: "{{ matrix_bridges_exposure_enabled }}"
+matrix_mautrix_gmessages_exposure_hostname: "{{ matrix_bridges_exposure_hostname }}"
+matrix_mautrix_gmessages_exposure_path_prefix: "{{ matrix_bridges_exposure_path_prefix }}/gmessages"
+
 # Postgres is the default, except if not using internal Postgres server
 matrix_mautrix_gmessages_database_engine: "{{ 'postgres' if postgres_enabled else 'sqlite' }}"
 matrix_mautrix_gmessages_database_hostname: "{{ postgres_connection_hostname if postgres_enabled else '' }}"
@@ -2376,6 +2415,7 @@ matrix_mautrix_whatsapp_appservice_token: "{{ (matrix_homeserver_generic_secret_
 
 matrix_mautrix_whatsapp_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
 matrix_mautrix_whatsapp_homeserver_token: "{{ (matrix_homeserver_generic_secret_key + ':wa.hs.token') | hash('sha512') | to_uuid }}"
+matrix_mautrix_whatsapp_provisioning_shared_secret: "{{ (matrix_homeserver_generic_secret_key + ':wa.prov') | hash('sha512') | to_uuid }}"
 
 matrix_mautrix_whatsapp_homeserver_async_media: "{{ matrix_homeserver_implementation in ['synapse'] }}"
 
@@ -2394,6 +2434,11 @@ matrix_mautrix_whatsapp_metrics_proxying_enabled: "{{ matrix_mautrix_whatsapp_me
 matrix_mautrix_whatsapp_metrics_proxying_hostname: "{{ matrix_metrics_exposure_hostname }}"
 matrix_mautrix_whatsapp_metrics_proxying_path_prefix: "{{ matrix_metrics_exposure_path_prefix }}/mautrix-whatsapp"
 
+matrix_mautrix_whatsapp_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}"
+matrix_mautrix_whatsapp_exposure_enabled: "{{ matrix_bridges_exposure_enabled }}"
+matrix_mautrix_whatsapp_exposure_hostname: "{{ matrix_bridges_exposure_hostname }}"
+matrix_mautrix_whatsapp_exposure_path_prefix: "{{ matrix_bridges_exposure_path_prefix }}/whatsapp"
+
 # Postgres is the default, except if not using internal Postgres server
 matrix_mautrix_whatsapp_database_engine: "{{ 'postgres' if postgres_enabled else 'sqlite' }}"
 matrix_mautrix_whatsapp_database_hostname: "{{ postgres_connection_hostname if postgres_enabled else '' }}"

requirements.yml

@@ -42,10 +42,10 @@
   version: v11031-0
   name: jitsi
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-livekit-server.git
-  version: v1.13.1-0
+  version: v1.13.2-0
   name: livekit_server
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-ntfy.git
-  version: v2.24.0-0
+  version: v2.25.0-0
   name: ntfy
 - src: git+https://github.com/devture/com.devture.ansible.role.playbook_help.git
   version: ea8c5cc750c4e23d004c9a836dfd9eda82d45ff4

roles/custom/matrix-base/defaults/main.yml

@@ -54,6 +54,15 @@ matrix_bridges_msc4190_enabled: "{{ matrix_authentication_service_enabled and ma
 # Global var for enabling bridge self-signing ( On supported bridges)
 matrix_bridges_self_sign_enabled: "{{ matrix_bridges_msc4190_enabled }}"
 
+# Global vars for exposing bridges' HTTP API publicly on the Matrix domain.
+# This is used by tools like mautrix-manager (https://github.com/mautrix/manager) to drive bridge login.
+# Each supported bridge's HTTP endpoint is exposed under `<path_prefix>/<bridge>` (e.g. `/bridges/gmessages`).
+# Requests are authenticated by the bridge itself (e.g. per-user Matrix access token for the provisioning API,
+# or the homeserver token for the appservice endpoints), not by us.
+matrix_bridges_exposure_enabled: true
+matrix_bridges_exposure_hostname: "{{ matrix_server_fqn_matrix }}"
+matrix_bridges_exposure_path_prefix: /bridges
+
 # Global var to enable/disable relay mode across all bridges with relay mode support
 matrix_bridges_relay_enabled: false
 

roles/custom/matrix-bot-baibot/defaults/main.yml

@@ -17,7 +17,7 @@ matrix_bot_baibot_container_repo_version: "{{ 'main' if matrix_bot_baibot_versio
 matrix_bot_baibot_container_src_files_path: "{{ matrix_base_data_path }}/baibot/container-src"
 
 # renovate: datasource=docker depName=ghcr.io/etkecc/baibot
-matrix_bot_baibot_version: v1.23.1
+matrix_bot_baibot_version: v1.24.0
 matrix_bot_baibot_container_image: "{{ matrix_bot_baibot_container_image_registry_prefix }}etkecc/baibot:{{ matrix_bot_baibot_version }}"
 matrix_bot_baibot_container_image_registry_prefix: "{{ 'localhost/' if matrix_bot_baibot_container_image_self_build else matrix_bot_baibot_container_image_registry_prefix_upstream }}"
 matrix_bot_baibot_container_image_registry_prefix_upstream: "{{ matrix_bot_baibot_container_image_registry_prefix_upstream_default }}"
@@ -200,6 +200,12 @@ matrix_bot_baibot_config_agents_static_definitions_auto: |-
         'provider': matrix_bot_baibot_config_agents_static_definitions_openai_provider,
         'config': matrix_bot_baibot_config_agents_static_definitions_openai_config,
     }] if matrix_bot_baibot_config_agents_static_definitions_openai_enabled else [])
+    +
+    ([{
+        'id': matrix_bot_baibot_config_agents_static_definitions_venice_id,
+        'provider': matrix_bot_baibot_config_agents_static_definitions_venice_provider,
+        'config': matrix_bot_baibot_config_agents_static_definitions_venice_config,
+    }] if matrix_bot_baibot_config_agents_static_definitions_venice_enabled else [])
   }}
 matrix_bot_baibot_config_agents_static_definitions_custom: []
 
@@ -442,6 +448,175 @@ matrix_bot_baibot_config_agents_static_definitions_openai_config_image_generatio
 ########################################################################################
 
 
+########################################################################################
+#                                                                                      #
+# Venice agent configuration                                                           #
+#                                                                                      #
+########################################################################################
+
+matrix_bot_baibot_config_agents_static_definitions_venice_enabled: false
+matrix_bot_baibot_config_agents_static_definitions_venice_id: venice
+matrix_bot_baibot_config_agents_static_definitions_venice_provider: venice
+
+matrix_bot_baibot_config_agents_static_definitions_venice_config: "{{ matrix_bot_baibot_config_agents_static_definitions_venice_config_yaml | from_yaml | combine(matrix_bot_baibot_config_agents_static_definitions_venice_config_extension, recursive=True) }}"
+
+matrix_bot_baibot_config_agents_static_definitions_venice_config_yaml: "{{ lookup('template', 'templates/provider/venice-config.yml.j2') }}"
+
+matrix_bot_baibot_config_agents_static_definitions_venice_config_extension: "{{ matrix_bot_baibot_config_agents_static_definitions_venice_config_extension_yaml | from_yaml if matrix_bot_baibot_config_agents_static_definitions_venice_config_extension_yaml | from_yaml is mapping else {} }}"
+
+matrix_bot_baibot_config_agents_static_definitions_venice_config_extension_yaml: |
+  # Your custom YAML configuration for this provider's configuration goes here.
+  # This configuration extends the default starting configuration (`matrix_bot_baibot_config_agents_static_definitions_venice_config`).
+  #
+  # You can override individual variables from the default configuration, or introduce new ones.
+  #
+  # If you need something more special, you can take full control by
+  # completely redefining `matrix_bot_baibot_config_agents_static_definitions_venice_config_yaml`.
+  #
+  # The fully-commented sample config (every Venice knob, with explanations) lives at:
+  # https://github.com/etkecc/baibot/blob/main/docs/sample-provider-configs/venice.yml
+  #
+  # Example configuration extension follows:
+  #
+  # text_generation:
+  #   venice_parameters:
+  #     enable_web_search: "off"
+
+matrix_bot_baibot_config_agents_static_definitions_venice_config_base_url: https://api.venice.ai/api/v1
+
+matrix_bot_baibot_config_agents_static_definitions_venice_config_api_key: ""
+
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_enabled: true
+# For valid model choices, see: https://docs.venice.ai/models/overview
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_model_id: kimi-k2-5
+# The prompt text to use (can be null or empty to not use a prompt).
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_prompt: "{{ matrix_bot_baibot_config_agents_static_definitions_prompt }}"
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_temperature: 1.0
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_max_response_tokens: 4096
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_max_context_tokens: 128000
+# How long Venice keeps the prompt prefix cached: "default", "extended", or "24h".
+# "24h" makes a long, stable system prompt cheap across a day of conversations.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_prompt_cache_retention: 24h
+# The optional top-level sampling and reasoning knobs below default to null, meaning the knob is
+# omitted from the request and Venice applies its own server-side default. Set a value to override.
+# Nucleus sampling, 0.0-1.0 (an alternative to temperature).
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_top_p: ~
+# Penalize tokens by how often they have already appeared, -2.0-2.0.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_frequency_penalty: ~
+# Penalize tokens that have appeared at all, -2.0-2.0.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_presence_penalty: ~
+# Penalize repetition; values above 1.0 discourage repeats.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_repetition_penalty: ~
+# Reasoning budget for models that support it: "low", "medium", or "high".
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_reasoning_effort: ~
+# Append the model's reasoning below the answer as a collapsible "Reasoning" block (folded by default).
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_show_reasoning: ~
+
+# Venice-specific request parameters (the `venice_parameters` bag). Each non-null knob below is sent;
+# a null knob is omitted, so Venice applies its own default. Omitting a knob is NOT the same as
+# setting it to `false` (which actively sends `false`).
+# Web search: "auto" (model decides), "on" (always), or "off".
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_enable_web_search: auto
+# Strip <think></think> blocks from reasoning models so the user sees only the answer.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_strip_thinking_response: true
+# Run in TEE-only mode (works across all models) instead of end-to-end-encrypted inference (only
+# some models support it). TEE is still zero-retention private; this default keeps every model usable.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_enable_e2ee: false
+# Render web-search sources as readable citations in the reply.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_enable_web_citations: ~
+# Let web search read full page content, not just snippets.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_enable_web_scraping: ~
+# Prepend Venice's own system prompt alongside yours.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_include_venice_system_prompt: ~
+# Include search results inline in the streamed response.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_include_search_results_in_stream: ~
+# Return search results as documents rather than inline text.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_return_search_results_as_documents: ~
+# Allow web search to query X (Twitter).
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_enable_x_search: ~
+# Disable the model's thinking phase entirely.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_disable_thinking: ~
+# Response verbosity for models that support it: "low", "medium", or "high".
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_verbosity: ~
+# Use a public Venice character by its slug.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_character_slug: ~
+
+matrix_bot_baibot_config_agents_static_definitions_venice_config_speech_to_text_enabled: true
+matrix_bot_baibot_config_agents_static_definitions_venice_config_speech_to_text_model_id: nvidia/parakeet-tdt-0.6b-v3
+
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_to_speech_enabled: true
+# Other models include tts-qwen3-1-7b, tts-xai-v1, tts-elevenlabs-turbo-v2-5, tts-minimax-speech-02-hd.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_to_speech_model_id: tts-kokoro
+# Voices are model-specific. Kokoro uses af_*/am_*/bf_*/bm_* (e.g. af_sky, am_adam). You can also pass
+# a cloned-voice handle (vv_<id>). An incompatible voice returns an error.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_to_speech_voice: af_sky
+# Output audio format: mp3, opus, aac, flac, wav, or pcm. mp3 is the broadest Matrix-client fit.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_to_speech_response_format: mp3
+# The optional knobs below default to null (omitted). Set a value to override Venice's default.
+# Playback speed, 0.25-4.0 (1.0 is normal).
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_to_speech_speed: ~
+# A style prompt steering emotion/delivery (e.g. "Excited and energetic."). Only Qwen 3 TTS uses it.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_to_speech_prompt: ~
+# Sampling temperature, 0.0-2.0. Only Qwen 3 / Orpheus / Chatterbox HD use it.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_to_speech_temperature: ~
+# Nucleus sampling, 0.0-1.0. Only Qwen 3 TTS uses it.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_to_speech_top_p: ~
+
+matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_enabled: true
+matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_model_id: chroma
+# The optional generation knobs below default to null (omitted). Set a value to override Venice's
+# default. Omitting a knob is NOT the same as setting it: an omitted knob lets Venice apply its own
+# default, a set value is sent verbatim.
+# A description of what should NOT appear in the image.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_negative_prompt: ~
+# CFG scale, 0-20. Higher values make the image adhere more closely to the prompt.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_cfg_scale: ~
+# Number of inference steps. Model-specific; some models ignore it.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_steps: ~
+# A named style to apply (e.g. "3D Model"). See Venice's image-styles reference.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_style_preset: ~
+# Random seed, -999999999-999999999. Fix it for reproducible results; omit for a random seed.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_seed: ~
+# Blur images classified as adult content. Defaults to true.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_safe_mode: ~
+# Hide the Venice watermark. Venice may ignore this for certain generated content. Defaults to false.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_hide_watermark: ~
+# Output format: jpeg, png, or webp. webp is smallest; png is highest-quality. Defaults to webp.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_format: ~
+# Image dimensions in pixels, each 1-1280. Default 1024x1024.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_width: ~
+matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_height: ~
+# Aspect ratio (used by certain models, e.g. Nano Banana): "1:1", "16:9". An alternative to width/height.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_aspect_ratio: ~
+# Resolution tier (used by certain models): "1K", "2K", "4K".
+matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_resolution: ~
+# Output quality for supported models (e.g. GPT Image 2): low, medium, high. Higher can cost more.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_quality: ~
+# Lora strength, 0-100. Only applies if the model uses additional Loras.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_lora_strength: ~
+# Embed the generation prompt into the image's EXIF metadata. Defaults to false.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_embed_exif_metadata: ~
+# Let the model pull the latest info from the web for the image. Model-specific; costs extra credits.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_enable_web_search: ~
+# Image editing shares this image_generation config block; only the model differs.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_edit_model_id: firered-image-edit
+# The optional edit knobs below default to null (omitted). Set a value to override Venice's default.
+# Output format: jpeg, png, or webp. When omitted, Venice infers it (PNG at 1K, JPEG at 2K/4K).
+matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_edit_output_format: ~
+# Aspect ratio of the result: auto, 1:1, 3:2, 16:9, 21:9, 9:16, 2:3, 3:4, 4:5 (model-specific).
+matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_edit_aspect_ratio: ~
+# Resolution tier: 1K, 2K, 4K (model-specific). Defaults to 1K.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_edit_resolution: ~
+# Blur images classified as adult content. Defaults to true.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_edit_safe_mode: ~
+
+########################################################################################
+#                                                                                      #
+# /Venice agent configuration                                                          #
+#                                                                                      #
+########################################################################################
+
+
 # Controls the `initial_global_config.handler.catch_all` configuration setting.
 #
 # This is an initial global configuration setting.

roles/custom/matrix-bot-baibot/tasks/validate_config.yml

@@ -25,6 +25,8 @@
 
     - {'name': 'matrix_bot_baibot_config_agents_static_definitions_openai_config_api_key', when: "{{ matrix_bot_baibot_config_agents_static_definitions_openai_enabled }}"}
 
+    - {'name': 'matrix_bot_baibot_config_agents_static_definitions_venice_config_api_key', when: "{{ matrix_bot_baibot_config_agents_static_definitions_venice_enabled }}"}
+
 - name: Fail if baibot authentication mode is not configured
   ansible.builtin.fail:
     msg: >-

roles/custom/matrix-bot-baibot/templates/provider/venice-config.yml.j2

@@ -0,0 +1,154 @@
+#jinja2: lstrip_blocks: True
+base_url: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_base_url | to_json }}
+
+api_key: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_api_key | to_json }}
+
+{% if matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_enabled %}
+text_generation:
+  model_id: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_model_id | to_json }}
+  prompt: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_prompt | to_json }}
+  temperature: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_temperature | to_json }}
+  max_response_tokens: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_max_response_tokens | int | to_json }}
+  max_context_tokens: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_max_context_tokens | int | to_json }}
+  prompt_cache_retention: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_prompt_cache_retention | to_json }}
+  {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_top_p is not none %}
+  top_p: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_top_p | to_json }}
+  {% endif %}
+  {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_frequency_penalty is not none %}
+  frequency_penalty: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_frequency_penalty | to_json }}
+  {% endif %}
+  {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_presence_penalty is not none %}
+  presence_penalty: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_presence_penalty | to_json }}
+  {% endif %}
+  {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_repetition_penalty is not none %}
+  repetition_penalty: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_repetition_penalty | to_json }}
+  {% endif %}
+  {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_reasoning_effort is not none %}
+  reasoning_effort: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_reasoning_effort | to_json }}
+  {% endif %}
+  {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_show_reasoning is not none %}
+  show_reasoning: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_show_reasoning | to_json }}
+  {% endif %}
+  venice_parameters:
+    enable_web_search: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_enable_web_search | to_json }}
+    strip_thinking_response: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_strip_thinking_response | to_json }}
+    enable_e2ee: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_enable_e2ee | to_json }}
+    {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_enable_web_citations is not none %}
+    enable_web_citations: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_enable_web_citations | to_json }}
+    {% endif %}
+    {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_enable_web_scraping is not none %}
+    enable_web_scraping: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_enable_web_scraping | to_json }}
+    {% endif %}
+    {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_include_venice_system_prompt is not none %}
+    include_venice_system_prompt: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_include_venice_system_prompt | to_json }}
+    {% endif %}
+    {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_include_search_results_in_stream is not none %}
+    include_search_results_in_stream: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_include_search_results_in_stream | to_json }}
+    {% endif %}
+    {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_return_search_results_as_documents is not none %}
+    return_search_results_as_documents: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_return_search_results_as_documents | to_json }}
+    {% endif %}
+    {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_enable_x_search is not none %}
+    enable_x_search: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_enable_x_search | to_json }}
+    {% endif %}
+    {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_disable_thinking is not none %}
+    disable_thinking: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_disable_thinking | to_json }}
+    {% endif %}
+    {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_verbosity is not none %}
+    verbosity: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_verbosity | to_json }}
+    {% endif %}
+    {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_character_slug is not none %}
+    character_slug: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_character_slug | to_json }}
+    {% endif %}
+{% endif %}
+
+{% if matrix_bot_baibot_config_agents_static_definitions_venice_config_speech_to_text_enabled %}
+speech_to_text:
+  model_id: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_speech_to_text_model_id | to_json }}
+{% endif %}
+
+{% if matrix_bot_baibot_config_agents_static_definitions_venice_config_text_to_speech_enabled %}
+text_to_speech:
+  model_id: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_to_speech_model_id | to_json }}
+  voice: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_to_speech_voice | to_json }}
+  response_format: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_to_speech_response_format | to_json }}
+  {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_text_to_speech_speed is not none %}
+  speed: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_to_speech_speed | to_json }}
+  {% endif %}
+  {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_text_to_speech_prompt is not none %}
+  prompt: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_to_speech_prompt | to_json }}
+  {% endif %}
+  {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_text_to_speech_temperature is not none %}
+  temperature: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_to_speech_temperature | to_json }}
+  {% endif %}
+  {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_text_to_speech_top_p is not none %}
+  top_p: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_to_speech_top_p | to_json }}
+  {% endif %}
+{% endif %}
+
+{% if matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_enabled %}
+image_generation:
+  model_id: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_model_id | to_json }}
+  {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_negative_prompt is not none %}
+  negative_prompt: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_negative_prompt | to_json }}
+  {% endif %}
+  {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_cfg_scale is not none %}
+  cfg_scale: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_cfg_scale | to_json }}
+  {% endif %}
+  {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_steps is not none %}
+  steps: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_steps | to_json }}
+  {% endif %}
+  {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_style_preset is not none %}
+  style_preset: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_style_preset | to_json }}
+  {% endif %}
+  {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_seed is not none %}
+  seed: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_seed | to_json }}
+  {% endif %}
+  {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_safe_mode is not none %}
+  safe_mode: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_safe_mode | to_json }}
+  {% endif %}
+  {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_hide_watermark is not none %}
+  hide_watermark: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_hide_watermark | to_json }}
+  {% endif %}
+  {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_format is not none %}
+  format: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_format | to_json }}
+  {% endif %}
+  {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_width is not none %}
+  width: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_width | to_json }}
+  {% endif %}
+  {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_height is not none %}
+  height: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_height | to_json }}
+  {% endif %}
+  {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_aspect_ratio is not none %}
+  aspect_ratio: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_aspect_ratio | to_json }}
+  {% endif %}
+  {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_resolution is not none %}
+  resolution: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_resolution | to_json }}
+  {% endif %}
+  {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_quality is not none %}
+  quality: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_quality | to_json }}
+  {% endif %}
+  {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_lora_strength is not none %}
+  lora_strength: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_lora_strength | to_json }}
+  {% endif %}
+  {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_embed_exif_metadata is not none %}
+  embed_exif_metadata: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_embed_exif_metadata | to_json }}
+  {% endif %}
+  {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_enable_web_search is not none %}
+  enable_web_search: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_enable_web_search | to_json }}
+  {% endif %}
+  edit:
+    model_id: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_edit_model_id | to_json }}
+    {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_edit_output_format is not none %}
+    output_format: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_edit_output_format | to_json }}
+    {% endif %}
+    {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_edit_aspect_ratio is not none %}
+    aspect_ratio: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_edit_aspect_ratio | to_json }}
+    {% endif %}
+    {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_edit_resolution is not none %}
+    resolution: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_edit_resolution | to_json }}
+    {% endif %}
+    {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_edit_safe_mode is not none %}
+    safe_mode: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_edit_safe_mode | to_json }}
+    {% endif %}
+{% endif %}

roles/custom/matrix-bot-baibot/templates/provider/venice-config.yml.j2.license

@@ -0,0 +1,3 @@
+SPDX-FileCopyrightText: 2026 Nikita Chernyi
+
+SPDX-License-Identifier: AGPL-3.0-or-later

roles/custom/matrix-bridge-mautrix-bluesky/defaults/main.yml

@@ -36,8 +36,12 @@ matrix_mautrix_bluesky_appservice_address: 'http://matrix-mautrix-bluesky:29340'
 matrix_mautrix_bluesky_msc4190_enabled: "{{ matrix_bridges_msc4190_enabled }}"
 matrix_mautrix_bluesky_self_sign_enabled: "{{ matrix_bridges_self_sign_enabled }}"
 
-# A public address that external services can use to reach this appservice.
+# Scheme of the bridge's public address (see `matrix_mautrix_bluesky_appservice_public_address`).
-matrix_mautrix_bluesky_appservice_public_address: ''
+matrix_mautrix_bluesky_scheme: https
+
+# A public address that external services can use to reach this appservice (when exposed).
+# Used for the provisioning API's external-server (OpenID) flow and for public media links.
+matrix_mautrix_bluesky_appservice_public_address: "{{ (matrix_mautrix_bluesky_scheme + '://' + matrix_mautrix_bluesky_exposure_hostname + matrix_mautrix_bluesky_exposure_path_prefix) if matrix_mautrix_bluesky_exposure_enabled else '' }}"
 
 # Displayname template for Bluesky users.
 # {{ .DisplayName }} is replaced with the display name of the Bluesky user.
@@ -78,6 +82,15 @@ matrix_mautrix_bluesky_container_labels_metrics_middleware_basic_auth_enabled: f
 # See: https://doc.traefik.io/traefik/middlewares/http/basicauth/#users
 matrix_mautrix_bluesky_container_labels_metrics_middleware_basic_auth_users: ''
 
+# Controls whether labels will be added that expose mautrix-bluesky's HTTP API
+# (used by tools like mautrix-manager for bridge login) at `https://<hostname><path_prefix>`.
+matrix_mautrix_bluesky_container_labels_exposure_enabled: "{{ matrix_mautrix_bluesky_exposure_enabled }}"
+matrix_mautrix_bluesky_container_labels_exposure_traefik_rule: "Host(`{{ matrix_mautrix_bluesky_exposure_hostname }}`) && PathPrefix(`{{ matrix_mautrix_bluesky_exposure_path_prefix }}`)"
+matrix_mautrix_bluesky_container_labels_exposure_traefik_priority: 0
+matrix_mautrix_bluesky_container_labels_exposure_traefik_entrypoints: "{{ matrix_mautrix_bluesky_container_labels_traefik_entrypoints }}"
+matrix_mautrix_bluesky_container_labels_exposure_traefik_tls: "{{ matrix_mautrix_bluesky_container_labels_exposure_traefik_entrypoints != 'web' }}"
+matrix_mautrix_bluesky_container_labels_exposure_traefik_tls_certResolver: "{{ matrix_mautrix_bluesky_container_labels_traefik_tls_certResolver }}"  # noqa var-naming
+
 # matrix_mautrix_bluesky_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
 # See `../templates/labels.j2` for details.
 #
@@ -158,6 +171,11 @@ matrix_mautrix_bluesky_metrics_proxying_enabled: false
 matrix_mautrix_bluesky_metrics_proxying_hostname: ''
 matrix_mautrix_bluesky_metrics_proxying_path_prefix: ''
 
+# Controls whether mautrix-bluesky's HTTP API is exposed publicly (used by tools like mautrix-manager for bridge login).
+matrix_mautrix_bluesky_exposure_enabled: false
+matrix_mautrix_bluesky_exposure_hostname: ''
+matrix_mautrix_bluesky_exposure_path_prefix: ''
+
 # Default configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
 #

roles/custom/matrix-bridge-mautrix-bluesky/templates/labels.j2

@@ -46,6 +46,39 @@ traefik.http.routers.matrix-mautrix-bluesky-metrics.tls.certResolver={{ matrix_m
 ############################################################
 {% endif %}
 
+{% if matrix_mautrix_bluesky_container_labels_exposure_enabled %}
+############################################################
+#                                                          #
+# Bridge API exposure                                      #
+#                                                          #
+############################################################
+
+traefik.http.services.matrix-mautrix-bluesky-exposure.loadbalancer.server.port=29340
+
+traefik.http.middlewares.matrix-mautrix-bluesky-exposure-strip-prefix.stripprefix.prefixes={{ matrix_mautrix_bluesky_exposure_path_prefix }}
+traefik.http.routers.matrix-mautrix-bluesky-exposure.middlewares=matrix-mautrix-bluesky-exposure-strip-prefix
+
+traefik.http.routers.matrix-mautrix-bluesky-exposure.rule={{ matrix_mautrix_bluesky_container_labels_exposure_traefik_rule }}
+
+{% if matrix_mautrix_bluesky_container_labels_exposure_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-mautrix-bluesky-exposure.priority={{ matrix_mautrix_bluesky_container_labels_exposure_traefik_priority }}
+{% endif %}
+
+traefik.http.routers.matrix-mautrix-bluesky-exposure.service=matrix-mautrix-bluesky-exposure
+traefik.http.routers.matrix-mautrix-bluesky-exposure.entrypoints={{ matrix_mautrix_bluesky_container_labels_exposure_traefik_entrypoints }}
+
+traefik.http.routers.matrix-mautrix-bluesky-exposure.tls={{ matrix_mautrix_bluesky_container_labels_exposure_traefik_tls | to_json }}
+{% if matrix_mautrix_bluesky_container_labels_exposure_traefik_tls %}
+traefik.http.routers.matrix-mautrix-bluesky-exposure.tls.certResolver={{ matrix_mautrix_bluesky_container_labels_exposure_traefik_tls_certResolver }}
+{% endif %}
+
+############################################################
+#                                                          #
+# /Bridge API exposure                                     #
+#                                                          #
+############################################################
+{% endif %}
+
 
 {% endif %}
 

roles/custom/matrix-bridge-mautrix-gmessages/defaults/main.yml

@@ -38,6 +38,13 @@ matrix_mautrix_gmessages_homeserver_async_media: false
 matrix_mautrix_gmessages_homeserver_domain: "{{ matrix_domain }}"
 matrix_mautrix_gmessages_appservice_address: "http://matrix-mautrix-gmessages:8080"
 
+# Scheme of the bridge's public address (see `matrix_mautrix_gmessages_bridge_public_address`).
+matrix_mautrix_gmessages_scheme: https
+
+# The public base URL at which this bridge's HTTP API is reachable from outside (when exposed).
+# Used for the provisioning API's external-server (OpenID) flow and for public media links.
+matrix_mautrix_gmessages_bridge_public_address: "{{ (matrix_mautrix_gmessages_scheme + '://' + matrix_mautrix_gmessages_exposure_hostname + matrix_mautrix_gmessages_exposure_path_prefix) if matrix_mautrix_gmessages_exposure_enabled else '' }}"
+
 matrix_mautrix_gmessages_msc4190_enabled: "{{ matrix_bridges_msc4190_enabled }}"
 matrix_mautrix_gmessages_self_sign_enabled: "{{ matrix_bridges_self_sign_enabled }}"
 
@@ -75,6 +82,15 @@ matrix_mautrix_gmessages_container_labels_metrics_middleware_basic_auth_enabled:
 # See: https://doc.traefik.io/traefik/middlewares/http/basicauth/#users
 matrix_mautrix_gmessages_container_labels_metrics_middleware_basic_auth_users: ''
 
+# Controls whether labels will be added that expose mautrix-gmessages' HTTP API
+# (used by tools like mautrix-manager for bridge login) at `https://<hostname><path_prefix>`.
+matrix_mautrix_gmessages_container_labels_exposure_enabled: "{{ matrix_mautrix_gmessages_exposure_enabled }}"
+matrix_mautrix_gmessages_container_labels_exposure_traefik_rule: "Host(`{{ matrix_mautrix_gmessages_exposure_hostname }}`) && PathPrefix(`{{ matrix_mautrix_gmessages_exposure_path_prefix }}`)"
+matrix_mautrix_gmessages_container_labels_exposure_traefik_priority: 0
+matrix_mautrix_gmessages_container_labels_exposure_traefik_entrypoints: "{{ matrix_mautrix_gmessages_container_labels_traefik_entrypoints }}"
+matrix_mautrix_gmessages_container_labels_exposure_traefik_tls: "{{ matrix_mautrix_gmessages_container_labels_exposure_traefik_entrypoints != 'web' }}"
+matrix_mautrix_gmessages_container_labels_exposure_traefik_tls_certResolver: "{{ matrix_mautrix_gmessages_container_labels_traefik_tls_certResolver }}"  # noqa var-naming
+
 # matrix_mautrix_gmessages_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
 # See `../templates/labels.j2` for details.
 #
@@ -119,6 +135,11 @@ matrix_mautrix_gmessages_metrics_proxying_enabled: false
 matrix_mautrix_gmessages_metrics_proxying_hostname: ''
 matrix_mautrix_gmessages_metrics_proxying_path_prefix: ''
 
+# Controls whether mautrix-gmessages' HTTP API is exposed publicly (used by tools like mautrix-manager for bridge login).
+matrix_mautrix_gmessages_exposure_enabled: false
+matrix_mautrix_gmessages_exposure_hostname: ''
+matrix_mautrix_gmessages_exposure_path_prefix: ''
+
 # Database-related configuration fields.
 #
 # To use SQLite, stick to these defaults.
@@ -168,6 +189,10 @@ matrix_mautrix_gmessages_appservice_username_template: "{% raw %}gmessages_{{.}}
 
 matrix_mautrix_gmessages_public_media_signing_key: ''
 
+# Shared secret for authentication of provisioning API requests.
+# If set to "disable", the provisioning API will be disabled.
+matrix_mautrix_gmessages_provisioning_shared_secret: disable
+
 matrix_mautrix_gmessages_bridge_personal_filtering_spaces: true
 
 matrix_mautrix_gmessages_bridge_permissions: |

roles/custom/matrix-bridge-mautrix-gmessages/templates/config.yaml.j2

@@ -181,7 +181,7 @@ appservice:
     address: {{ matrix_mautrix_gmessages_appservice_address }}
     # A public address that external services can use to reach this appservice.
     # This value doesn't affect the registration file.
-    public_address: https://bridge.example.com
+    public_address: {{ matrix_mautrix_gmessages_bridge_public_address | to_json }}
 
     # The hostname and port where this appservice should listen.
     # For Docker, you generally have to change the hostname to 0.0.0.0.
@@ -247,7 +247,7 @@ provisioning:
     prefix: /_matrix/provision
     # Shared secret for authentication. If set to "generate" or null, a random secret will be generated,
     # or if set to "disable", the provisioning API will be disabled.
-    shared_secret: disable
+    shared_secret: {{ matrix_mautrix_gmessages_provisioning_shared_secret | to_json }}
     # Whether to allow provisioning API requests to be authed using Matrix access tokens.
     # This follows the same rules as double puppeting to determine which server to contact to check the token,
     # which means that by default, it only works for users on the same server as the bridge.

roles/custom/matrix-bridge-mautrix-gmessages/templates/labels.j2

@@ -46,6 +46,39 @@ traefik.http.routers.matrix-mautrix-gmessages-metrics.tls.certResolver={{ matrix
 ############################################################
 {% endif %}
 
+{% if matrix_mautrix_gmessages_container_labels_exposure_enabled %}
+############################################################
+#                                                          #
+# Bridge API exposure                                      #
+#                                                          #
+############################################################
+
+traefik.http.services.matrix-mautrix-gmessages-exposure.loadbalancer.server.port=8080
+
+traefik.http.middlewares.matrix-mautrix-gmessages-exposure-strip-prefix.stripprefix.prefixes={{ matrix_mautrix_gmessages_exposure_path_prefix }}
+traefik.http.routers.matrix-mautrix-gmessages-exposure.middlewares=matrix-mautrix-gmessages-exposure-strip-prefix
+
+traefik.http.routers.matrix-mautrix-gmessages-exposure.rule={{ matrix_mautrix_gmessages_container_labels_exposure_traefik_rule }}
+
+{% if matrix_mautrix_gmessages_container_labels_exposure_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-mautrix-gmessages-exposure.priority={{ matrix_mautrix_gmessages_container_labels_exposure_traefik_priority }}
+{% endif %}
+
+traefik.http.routers.matrix-mautrix-gmessages-exposure.service=matrix-mautrix-gmessages-exposure
+traefik.http.routers.matrix-mautrix-gmessages-exposure.entrypoints={{ matrix_mautrix_gmessages_container_labels_exposure_traefik_entrypoints }}
+
+traefik.http.routers.matrix-mautrix-gmessages-exposure.tls={{ matrix_mautrix_gmessages_container_labels_exposure_traefik_tls | to_json }}
+{% if matrix_mautrix_gmessages_container_labels_exposure_traefik_tls %}
+traefik.http.routers.matrix-mautrix-gmessages-exposure.tls.certResolver={{ matrix_mautrix_gmessages_container_labels_exposure_traefik_tls_certResolver }}
+{% endif %}
+
+############################################################
+#                                                          #
+# /Bridge API exposure                                     #
+#                                                          #
+############################################################
+{% endif %}
+
 
 {% endif %}
 

roles/custom/matrix-bridge-mautrix-meta-instagram/defaults/main.yml

@@ -63,6 +63,15 @@ matrix_mautrix_meta_instagram_container_labels_metrics_middleware_basic_auth_ena
 # See: https://doc.traefik.io/traefik/middlewares/http/basicauth/#users
 matrix_mautrix_meta_instagram_container_labels_metrics_middleware_basic_auth_users: ''
 
+# Controls whether labels will be added that expose mautrix-meta-instagram's HTTP API
+# (used by tools like mautrix-manager for bridge login) at `https://<hostname><path_prefix>`.
+matrix_mautrix_meta_instagram_container_labels_exposure_enabled: "{{ matrix_mautrix_meta_instagram_exposure_enabled }}"
+matrix_mautrix_meta_instagram_container_labels_exposure_traefik_rule: "Host(`{{ matrix_mautrix_meta_instagram_exposure_hostname }}`) && PathPrefix(`{{ matrix_mautrix_meta_instagram_exposure_path_prefix }}`)"
+matrix_mautrix_meta_instagram_container_labels_exposure_traefik_priority: 0
+matrix_mautrix_meta_instagram_container_labels_exposure_traefik_entrypoints: "{{ matrix_mautrix_meta_instagram_container_labels_traefik_entrypoints }}"
+matrix_mautrix_meta_instagram_container_labels_exposure_traefik_tls: "{{ matrix_mautrix_meta_instagram_container_labels_exposure_traefik_entrypoints != 'web' }}"
+matrix_mautrix_meta_instagram_container_labels_exposure_traefik_tls_certResolver: "{{ matrix_mautrix_meta_instagram_container_labels_traefik_tls_certResolver }}"  # noqa var-naming
+
 # matrix_mautrix_meta_instagram_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
 # See `../templates/labels.j2` for details.
 #
@@ -123,6 +132,13 @@ matrix_mautrix_meta_instagram_homeserver_token: ''
 
 matrix_mautrix_meta_instagram_appservice_address: "http://{{ matrix_mautrix_meta_instagram_identifier }}:29319"
 
+# Scheme of the bridge's public address (see `matrix_mautrix_meta_instagram_bridge_public_address`).
+matrix_mautrix_meta_instagram_scheme: https
+
+# The public base URL at which this bridge's HTTP API is reachable from outside (when exposed).
+# Used for the provisioning API's external-server (OpenID) flow and for public media links.
+matrix_mautrix_meta_instagram_bridge_public_address: "{{ (matrix_mautrix_meta_instagram_scheme + '://' + matrix_mautrix_meta_instagram_exposure_hostname + matrix_mautrix_meta_instagram_exposure_path_prefix) if matrix_mautrix_meta_instagram_exposure_enabled else '' }}"
+
 matrix_mautrix_meta_instagram_appservice_id: "{{ matrix_mautrix_meta_instagram_meta_mode }}"
 
 matrix_mautrix_meta_instagram_msc4190_enabled: "{{ matrix_bridges_msc4190_enabled }}"
@@ -182,6 +198,11 @@ matrix_mautrix_meta_instagram_metrics_proxying_enabled: false
 matrix_mautrix_meta_instagram_metrics_proxying_hostname: ''
 matrix_mautrix_meta_instagram_metrics_proxying_path_prefix: ''
 
+# Controls whether mautrix-meta-instagram's HTTP API is exposed publicly (used by tools like mautrix-manager for bridge login).
+matrix_mautrix_meta_instagram_exposure_enabled: false
+matrix_mautrix_meta_instagram_exposure_hostname: ''
+matrix_mautrix_meta_instagram_exposure_path_prefix: ''
+
 matrix_mautrix_meta_instagram_bridge_username_prefix: |-
   {{
     ({

roles/custom/matrix-bridge-mautrix-meta-instagram/templates/config.yaml.j2

@@ -197,7 +197,7 @@ appservice:
     address: {{ matrix_mautrix_meta_instagram_appservice_address | to_json }}
     # A public address that external services can use to reach this appservice.
     # This value doesn't affect the registration file.
-    public_address: https://bridge.example.com
+    public_address: {{ matrix_mautrix_meta_instagram_bridge_public_address | to_json }}
 
     # The hostname and port where this appservice should listen.
     # For Docker, you generally have to change the hostname to 0.0.0.0.

roles/custom/matrix-bridge-mautrix-meta-instagram/templates/labels.j2

@@ -4,15 +4,19 @@ SPDX-FileCopyrightText: 2024 Slavi Pantaleev
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
 
-{% if matrix_mautrix_meta_instagram_container_labels_traefik_enabled and matrix_mautrix_meta_instagram_container_labels_metrics_enabled %}
+{% if matrix_mautrix_meta_instagram_container_labels_traefik_enabled and (matrix_mautrix_meta_instagram_container_labels_metrics_enabled or matrix_mautrix_meta_instagram_container_labels_exposure_enabled) %}
 traefik.enable=true
 
 {% if matrix_mautrix_meta_instagram_container_labels_traefik_docker_network %}
 traefik.docker.network={{ matrix_mautrix_meta_instagram_container_labels_traefik_docker_network }}
 {% endif %}
 
+{% if matrix_mautrix_meta_instagram_container_labels_exposure_enabled %}
 traefik.http.services.{{ matrix_mautrix_meta_instagram_identifier }}-appservice.loadbalancer.server.port=29319
+{% endif %}
+{% if matrix_mautrix_meta_instagram_container_labels_metrics_enabled %}
 traefik.http.services.{{ matrix_mautrix_meta_instagram_identifier }}-metrics.loadbalancer.server.port=8000
+{% endif %}
 
 
 {% if matrix_mautrix_meta_instagram_container_labels_metrics_enabled %}
@@ -48,6 +52,37 @@ traefik.http.routers.{{ matrix_mautrix_meta_instagram_identifier }}-metrics.tls.
 ############################################################
 {% endif %}
 
+{% if matrix_mautrix_meta_instagram_container_labels_exposure_enabled %}
+############################################################
+#                                                          #
+# Bridge API exposure                                      #
+#                                                          #
+############################################################
+
+traefik.http.middlewares.{{ matrix_mautrix_meta_instagram_identifier }}-exposure-strip-prefix.stripprefix.prefixes={{ matrix_mautrix_meta_instagram_exposure_path_prefix }}
+traefik.http.routers.{{ matrix_mautrix_meta_instagram_identifier }}-exposure.middlewares={{ matrix_mautrix_meta_instagram_identifier }}-exposure-strip-prefix
+
+traefik.http.routers.{{ matrix_mautrix_meta_instagram_identifier }}-exposure.rule={{ matrix_mautrix_meta_instagram_container_labels_exposure_traefik_rule }}
+
+{% if matrix_mautrix_meta_instagram_container_labels_exposure_traefik_priority | int > 0 %}
+traefik.http.routers.{{ matrix_mautrix_meta_instagram_identifier }}-exposure.priority={{ matrix_mautrix_meta_instagram_container_labels_exposure_traefik_priority }}
+{% endif %}
+
+traefik.http.routers.{{ matrix_mautrix_meta_instagram_identifier }}-exposure.service={{ matrix_mautrix_meta_instagram_identifier }}-appservice
+traefik.http.routers.{{ matrix_mautrix_meta_instagram_identifier }}-exposure.entrypoints={{ matrix_mautrix_meta_instagram_container_labels_exposure_traefik_entrypoints }}
+
+traefik.http.routers.{{ matrix_mautrix_meta_instagram_identifier }}-exposure.tls={{ matrix_mautrix_meta_instagram_container_labels_exposure_traefik_tls | to_json }}
+{% if matrix_mautrix_meta_instagram_container_labels_exposure_traefik_tls %}
+traefik.http.routers.{{ matrix_mautrix_meta_instagram_identifier }}-exposure.tls.certResolver={{ matrix_mautrix_meta_instagram_container_labels_exposure_traefik_tls_certResolver }}
+{% endif %}
+
+############################################################
+#                                                          #
+# /Bridge API exposure                                     #
+#                                                          #
+############################################################
+{% endif %}
+
 
 {% endif %}
 

roles/custom/matrix-bridge-mautrix-meta-messenger/defaults/main.yml

@@ -63,6 +63,15 @@ matrix_mautrix_meta_messenger_container_labels_metrics_middleware_basic_auth_ena
 # See: https://doc.traefik.io/traefik/middlewares/http/basicauth/#users
 matrix_mautrix_meta_messenger_container_labels_metrics_middleware_basic_auth_users: ''
 
+# Controls whether labels will be added that expose mautrix-meta-messenger's HTTP API
+# (used by tools like mautrix-manager for bridge login) at `https://<hostname><path_prefix>`.
+matrix_mautrix_meta_messenger_container_labels_exposure_enabled: "{{ matrix_mautrix_meta_messenger_exposure_enabled }}"
+matrix_mautrix_meta_messenger_container_labels_exposure_traefik_rule: "Host(`{{ matrix_mautrix_meta_messenger_exposure_hostname }}`) && PathPrefix(`{{ matrix_mautrix_meta_messenger_exposure_path_prefix }}`)"
+matrix_mautrix_meta_messenger_container_labels_exposure_traefik_priority: 0
+matrix_mautrix_meta_messenger_container_labels_exposure_traefik_entrypoints: "{{ matrix_mautrix_meta_messenger_container_labels_traefik_entrypoints }}"
+matrix_mautrix_meta_messenger_container_labels_exposure_traefik_tls: "{{ matrix_mautrix_meta_messenger_container_labels_exposure_traefik_entrypoints != 'web' }}"
+matrix_mautrix_meta_messenger_container_labels_exposure_traefik_tls_certResolver: "{{ matrix_mautrix_meta_messenger_container_labels_traefik_tls_certResolver }}"  # noqa var-naming
+
 # matrix_mautrix_meta_messenger_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
 # See `../templates/labels.j2` for details.
 #
@@ -123,6 +132,13 @@ matrix_mautrix_meta_messenger_homeserver_token: ''
 
 matrix_mautrix_meta_messenger_appservice_address: "http://{{ matrix_mautrix_meta_messenger_identifier }}:29319"
 
+# Scheme of the bridge's public address (see `matrix_mautrix_meta_messenger_bridge_public_address`).
+matrix_mautrix_meta_messenger_scheme: https
+
+# The public base URL at which this bridge's HTTP API is reachable from outside (when exposed).
+# Used for the provisioning API's external-server (OpenID) flow and for public media links.
+matrix_mautrix_meta_messenger_bridge_public_address: "{{ (matrix_mautrix_meta_messenger_scheme + '://' + matrix_mautrix_meta_messenger_exposure_hostname + matrix_mautrix_meta_messenger_exposure_path_prefix) if matrix_mautrix_meta_messenger_exposure_enabled else '' }}"
+
 matrix_mautrix_meta_messenger_appservice_id: "{{ matrix_mautrix_meta_messenger_meta_mode }}"
 
 matrix_mautrix_meta_messenger_msc4190_enabled: "{{ matrix_bridges_msc4190_enabled }}"
@@ -182,6 +198,11 @@ matrix_mautrix_meta_messenger_metrics_proxying_enabled: false
 matrix_mautrix_meta_messenger_metrics_proxying_hostname: ''
 matrix_mautrix_meta_messenger_metrics_proxying_path_prefix: ''
 
+# Controls whether mautrix-meta-messenger's HTTP API is exposed publicly (used by tools like mautrix-manager for bridge login).
+matrix_mautrix_meta_messenger_exposure_enabled: false
+matrix_mautrix_meta_messenger_exposure_hostname: ''
+matrix_mautrix_meta_messenger_exposure_path_prefix: ''
+
 matrix_mautrix_meta_messenger_bridge_username_prefix: |-
   {{
     ({

roles/custom/matrix-bridge-mautrix-meta-messenger/templates/config.yaml.j2

@@ -197,7 +197,7 @@ appservice:
     address: {{ matrix_mautrix_meta_messenger_appservice_address | to_json }}
     # A public address that external services can use to reach this appservice.
     # This value doesn't affect the registration file.
-    public_address: https://bridge.example.com
+    public_address: {{ matrix_mautrix_meta_messenger_bridge_public_address | to_json }}
 
     # The hostname and port where this appservice should listen.
     # For Docker, you generally have to change the hostname to 0.0.0.0.

roles/custom/matrix-bridge-mautrix-meta-messenger/templates/labels.j2

@@ -4,15 +4,19 @@ SPDX-FileCopyrightText: 2024 Slavi Pantaleev
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
 
-{% if matrix_mautrix_meta_messenger_container_labels_traefik_enabled and matrix_mautrix_meta_messenger_container_labels_metrics_enabled %}
+{% if matrix_mautrix_meta_messenger_container_labels_traefik_enabled and (matrix_mautrix_meta_messenger_container_labels_metrics_enabled or matrix_mautrix_meta_messenger_container_labels_exposure_enabled) %}
 traefik.enable=true
 
 {% if matrix_mautrix_meta_messenger_container_labels_traefik_docker_network %}
 traefik.docker.network={{ matrix_mautrix_meta_messenger_container_labels_traefik_docker_network }}
 {% endif %}
 
+{% if matrix_mautrix_meta_messenger_container_labels_exposure_enabled %}
 traefik.http.services.{{ matrix_mautrix_meta_messenger_identifier }}-appservice.loadbalancer.server.port=29319
+{% endif %}
+{% if matrix_mautrix_meta_messenger_container_labels_metrics_enabled %}
 traefik.http.services.{{ matrix_mautrix_meta_messenger_identifier }}-metrics.loadbalancer.server.port=8000
+{% endif %}
 
 
 {% if matrix_mautrix_meta_messenger_container_labels_metrics_enabled %}
@@ -48,6 +52,37 @@ traefik.http.routers.{{ matrix_mautrix_meta_messenger_identifier }}-metrics.tls.
 ############################################################
 {% endif %}
 
+{% if matrix_mautrix_meta_messenger_container_labels_exposure_enabled %}
+############################################################
+#                                                          #
+# Bridge API exposure                                      #
+#                                                          #
+############################################################
+
+traefik.http.middlewares.{{ matrix_mautrix_meta_messenger_identifier }}-exposure-strip-prefix.stripprefix.prefixes={{ matrix_mautrix_meta_messenger_exposure_path_prefix }}
+traefik.http.routers.{{ matrix_mautrix_meta_messenger_identifier }}-exposure.middlewares={{ matrix_mautrix_meta_messenger_identifier }}-exposure-strip-prefix
+
+traefik.http.routers.{{ matrix_mautrix_meta_messenger_identifier }}-exposure.rule={{ matrix_mautrix_meta_messenger_container_labels_exposure_traefik_rule }}
+
+{% if matrix_mautrix_meta_messenger_container_labels_exposure_traefik_priority | int > 0 %}
+traefik.http.routers.{{ matrix_mautrix_meta_messenger_identifier }}-exposure.priority={{ matrix_mautrix_meta_messenger_container_labels_exposure_traefik_priority }}
+{% endif %}
+
+traefik.http.routers.{{ matrix_mautrix_meta_messenger_identifier }}-exposure.service={{ matrix_mautrix_meta_messenger_identifier }}-appservice
+traefik.http.routers.{{ matrix_mautrix_meta_messenger_identifier }}-exposure.entrypoints={{ matrix_mautrix_meta_messenger_container_labels_exposure_traefik_entrypoints }}
+
+traefik.http.routers.{{ matrix_mautrix_meta_messenger_identifier }}-exposure.tls={{ matrix_mautrix_meta_messenger_container_labels_exposure_traefik_tls | to_json }}
+{% if matrix_mautrix_meta_messenger_container_labels_exposure_traefik_tls %}
+traefik.http.routers.{{ matrix_mautrix_meta_messenger_identifier }}-exposure.tls.certResolver={{ matrix_mautrix_meta_messenger_container_labels_exposure_traefik_tls_certResolver }}
+{% endif %}
+
+############################################################
+#                                                          #
+# /Bridge API exposure                                     #
+#                                                          #
+############################################################
+{% endif %}
+
 
 {% endif %}
 

roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml

@@ -46,6 +46,13 @@ matrix_mautrix_signal_homeserver_domain: "{{ matrix_domain }}"
 matrix_mautrix_signal_homeserver_async_media: false
 matrix_mautrix_signal_appservice_address: "http://matrix-mautrix-signal:8080"
 
+# Scheme of the bridge's public address (see `matrix_mautrix_signal_bridge_public_address`).
+matrix_mautrix_signal_scheme: https
+
+# The public base URL at which this bridge's HTTP API is reachable from outside (when exposed).
+# Used for the provisioning API's external-server (OpenID) flow and for public media links.
+matrix_mautrix_signal_bridge_public_address: "{{ (matrix_mautrix_signal_scheme + '://' + matrix_mautrix_signal_exposure_hostname + matrix_mautrix_signal_exposure_path_prefix) if matrix_mautrix_signal_exposure_enabled else '' }}"
+
 matrix_mautrix_signal_msc4190_enabled: "{{ matrix_bridges_msc4190_enabled }}"
 matrix_mautrix_signal_self_sign_enabled: "{{ matrix_bridges_self_sign_enabled }}"
 
@@ -100,6 +107,15 @@ matrix_mautrix_signal_container_labels_metrics_middleware_basic_auth_enabled: fa
 # See: https://doc.traefik.io/traefik/middlewares/http/basicauth/#users
 matrix_mautrix_signal_container_labels_metrics_middleware_basic_auth_users: ''
 
+# Controls whether labels will be added that expose mautrix-signal's HTTP API
+# (used by tools like mautrix-manager for bridge login) at `https://<hostname><path_prefix>`.
+matrix_mautrix_signal_container_labels_exposure_enabled: "{{ matrix_mautrix_signal_exposure_enabled }}"
+matrix_mautrix_signal_container_labels_exposure_traefik_rule: "Host(`{{ matrix_mautrix_signal_exposure_hostname }}`) && PathPrefix(`{{ matrix_mautrix_signal_exposure_path_prefix }}`)"
+matrix_mautrix_signal_container_labels_exposure_traefik_priority: 0
+matrix_mautrix_signal_container_labels_exposure_traefik_entrypoints: "{{ matrix_mautrix_signal_container_labels_traefik_entrypoints }}"
+matrix_mautrix_signal_container_labels_exposure_traefik_tls: "{{ matrix_mautrix_signal_container_labels_exposure_traefik_entrypoints != 'web' }}"
+matrix_mautrix_signal_container_labels_exposure_traefik_tls_certResolver: "{{ matrix_mautrix_signal_container_labels_traefik_tls_certResolver }}"  # noqa var-naming
+
 # matrix_mautrix_signal_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
 # See `../templates/labels.j2` for details.
 #
@@ -150,6 +166,11 @@ matrix_mautrix_signal_metrics_proxying_enabled: false
 matrix_mautrix_signal_metrics_proxying_hostname: ''
 matrix_mautrix_signal_metrics_proxying_path_prefix: ''
 
+# Controls whether mautrix-signal's HTTP API is exposed publicly (used by tools like mautrix-manager for bridge login).
+matrix_mautrix_signal_exposure_enabled: false
+matrix_mautrix_signal_exposure_hostname: ''
+matrix_mautrix_signal_exposure_path_prefix: ''
+
 # Database-related configuration fields.
 #
 # To use SQLite, stick to these defaults.

roles/custom/matrix-bridge-mautrix-signal/templates/config.yaml.j2

@@ -171,7 +171,7 @@ appservice:
 
     # A public address that external services can use to reach this appservice.
     # This value doesn't affect the registration file.
-    public_address: ""
+    public_address: {{ matrix_mautrix_signal_bridge_public_address | to_json }}
 
     # The hostname and port where this appservice should listen.
     # For Docker, you generally have to change the hostname to 0.0.0.0.

roles/custom/matrix-bridge-mautrix-signal/templates/labels.j2

@@ -46,6 +46,39 @@ traefik.http.routers.matrix-mautrix-signal-metrics.tls.certResolver={{ matrix_ma
 ############################################################
 {% endif %}
 
+{% if matrix_mautrix_signal_container_labels_exposure_enabled %}
+############################################################
+#                                                          #
+# Bridge API exposure                                      #
+#                                                          #
+############################################################
+
+traefik.http.services.matrix-mautrix-signal-exposure.loadbalancer.server.port=8080
+
+traefik.http.middlewares.matrix-mautrix-signal-exposure-strip-prefix.stripprefix.prefixes={{ matrix_mautrix_signal_exposure_path_prefix }}
+traefik.http.routers.matrix-mautrix-signal-exposure.middlewares=matrix-mautrix-signal-exposure-strip-prefix
+
+traefik.http.routers.matrix-mautrix-signal-exposure.rule={{ matrix_mautrix_signal_container_labels_exposure_traefik_rule }}
+
+{% if matrix_mautrix_signal_container_labels_exposure_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-mautrix-signal-exposure.priority={{ matrix_mautrix_signal_container_labels_exposure_traefik_priority }}
+{% endif %}
+
+traefik.http.routers.matrix-mautrix-signal-exposure.service=matrix-mautrix-signal-exposure
+traefik.http.routers.matrix-mautrix-signal-exposure.entrypoints={{ matrix_mautrix_signal_container_labels_exposure_traefik_entrypoints }}
+
+traefik.http.routers.matrix-mautrix-signal-exposure.tls={{ matrix_mautrix_signal_container_labels_exposure_traefik_tls | to_json }}
+{% if matrix_mautrix_signal_container_labels_exposure_traefik_tls %}
+traefik.http.routers.matrix-mautrix-signal-exposure.tls.certResolver={{ matrix_mautrix_signal_container_labels_exposure_traefik_tls_certResolver }}
+{% endif %}
+
+############################################################
+#                                                          #
+# /Bridge API exposure                                     #
+#                                                          #
+############################################################
+{% endif %}
+
 
 {% endif %}
 

roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml

@@ -46,6 +46,13 @@ matrix_mautrix_telegram_homeserver_domain: '{{ matrix_domain }}'
 matrix_mautrix_telegram_homeserver_async_media: false
 matrix_mautrix_telegram_appservice_address: 'http://matrix-mautrix-telegram:8080'
 
+# Scheme of the bridge's public address (see `matrix_mautrix_telegram_bridge_public_address`).
+matrix_mautrix_telegram_scheme: https
+
+# The public base URL at which this bridge's HTTP API is reachable from outside (when exposed).
+# Used for the provisioning API's external-server (OpenID) flow and for public media links.
+matrix_mautrix_telegram_bridge_public_address: "{{ (matrix_mautrix_telegram_scheme + '://' + matrix_mautrix_telegram_exposure_hostname + matrix_mautrix_telegram_exposure_path_prefix) if matrix_mautrix_telegram_exposure_enabled else '' }}"
+
 matrix_mautrix_telegram_msc4190_enabled: "{{ matrix_bridges_msc4190_enabled }}"
 matrix_mautrix_telegram_self_sign_enabled: "{{ matrix_bridges_self_sign_enabled }}"
 
@@ -81,6 +88,15 @@ matrix_mautrix_telegram_container_labels_metrics_middleware_basic_auth_enabled:
 # See: https://doc.traefik.io/traefik/middlewares/http/basicauth/#users
 matrix_mautrix_telegram_container_labels_metrics_middleware_basic_auth_users: ''
 
+# Controls whether labels will be added that expose mautrix-telegram's HTTP API
+# (used by tools like mautrix-manager for bridge login) at `https://<hostname><path_prefix>`.
+matrix_mautrix_telegram_container_labels_exposure_enabled: "{{ matrix_mautrix_telegram_exposure_enabled }}"
+matrix_mautrix_telegram_container_labels_exposure_traefik_rule: "Host(`{{ matrix_mautrix_telegram_exposure_hostname }}`) && PathPrefix(`{{ matrix_mautrix_telegram_exposure_path_prefix }}`)"
+matrix_mautrix_telegram_container_labels_exposure_traefik_priority: 0
+matrix_mautrix_telegram_container_labels_exposure_traefik_entrypoints: "{{ matrix_mautrix_telegram_container_labels_traefik_entrypoints }}"
+matrix_mautrix_telegram_container_labels_exposure_traefik_tls: "{{ matrix_mautrix_telegram_container_labels_exposure_traefik_entrypoints != 'web' }}"
+matrix_mautrix_telegram_container_labels_exposure_traefik_tls_certResolver: "{{ matrix_mautrix_telegram_container_labels_traefik_tls_certResolver }}"  # noqa var-naming
+
 # matrix_mautrix_telegram_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
 # See `../templates/labels.j2` for details.
 #
@@ -125,6 +141,11 @@ matrix_mautrix_telegram_metrics_proxying_enabled: false
 matrix_mautrix_telegram_metrics_proxying_hostname: ''
 matrix_mautrix_telegram_metrics_proxying_path_prefix: ''
 
+# Controls whether mautrix-telegram's HTTP API is exposed publicly (used by tools like mautrix-manager for bridge login).
+matrix_mautrix_telegram_exposure_enabled: false
+matrix_mautrix_telegram_exposure_hostname: ''
+matrix_mautrix_telegram_exposure_path_prefix: ''
+
 # Database-related configuration fields.
 #
 # To use SQLite, stick to these defaults.

roles/custom/matrix-bridge-mautrix-telegram/templates/config.yaml.j2

@@ -281,7 +281,7 @@ appservice:
     # A public address that external services can use to reach this appservice.
     # This is only needed for things like public media. A reverse proxy is generally necessary when using this field.
     # This value doesn't affect the registration file.
-    public_address: ""
+    public_address: {{ matrix_mautrix_telegram_bridge_public_address | to_json }}
 
     # The hostname and port where this appservice should listen.
     # For Docker, you generally have to change the hostname to 0.0.0.0.

roles/custom/matrix-bridge-mautrix-telegram/templates/labels.j2

@@ -46,6 +46,39 @@ traefik.http.routers.matrix-mautrix-telegram-metrics.tls.certResolver={{ matrix_
 ############################################################
 {% endif %}
 
+{% if matrix_mautrix_telegram_container_labels_exposure_enabled %}
+############################################################
+#                                                          #
+# Bridge API exposure                                      #
+#                                                          #
+############################################################
+
+traefik.http.services.matrix-mautrix-telegram-exposure.loadbalancer.server.port=8080
+
+traefik.http.middlewares.matrix-mautrix-telegram-exposure-strip-prefix.stripprefix.prefixes={{ matrix_mautrix_telegram_exposure_path_prefix }}
+traefik.http.routers.matrix-mautrix-telegram-exposure.middlewares=matrix-mautrix-telegram-exposure-strip-prefix
+
+traefik.http.routers.matrix-mautrix-telegram-exposure.rule={{ matrix_mautrix_telegram_container_labels_exposure_traefik_rule }}
+
+{% if matrix_mautrix_telegram_container_labels_exposure_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-mautrix-telegram-exposure.priority={{ matrix_mautrix_telegram_container_labels_exposure_traefik_priority }}
+{% endif %}
+
+traefik.http.routers.matrix-mautrix-telegram-exposure.service=matrix-mautrix-telegram-exposure
+traefik.http.routers.matrix-mautrix-telegram-exposure.entrypoints={{ matrix_mautrix_telegram_container_labels_exposure_traefik_entrypoints }}
+
+traefik.http.routers.matrix-mautrix-telegram-exposure.tls={{ matrix_mautrix_telegram_container_labels_exposure_traefik_tls | to_json }}
+{% if matrix_mautrix_telegram_container_labels_exposure_traefik_tls %}
+traefik.http.routers.matrix-mautrix-telegram-exposure.tls.certResolver={{ matrix_mautrix_telegram_container_labels_exposure_traefik_tls_certResolver }}
+{% endif %}
+
+############################################################
+#                                                          #
+# /Bridge API exposure                                     #
+#                                                          #
+############################################################
+{% endif %}
+
 
 {% endif %}
 

roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml

@@ -44,8 +44,12 @@ matrix_mautrix_twitter_appservice_address: 'http://matrix-mautrix-twitter:29327'
 matrix_mautrix_twitter_msc4190_enabled: "{{ matrix_bridges_msc4190_enabled }}"
 matrix_mautrix_twitter_self_sign_enabled: "{{ matrix_bridges_self_sign_enabled }}"
 
-# A public address that external services can use to reach this appservice.
+# Scheme of the bridge's public address (see `matrix_mautrix_twitter_appservice_public_address`).
-matrix_mautrix_twitter_appservice_public_address: ''
+matrix_mautrix_twitter_scheme: https
+
+# A public address that external services can use to reach this appservice (when exposed).
+# Used for the provisioning API's external-server (OpenID) flow and for public media links.
+matrix_mautrix_twitter_appservice_public_address: "{{ (matrix_mautrix_twitter_scheme + '://' + matrix_mautrix_twitter_exposure_hostname + matrix_mautrix_twitter_exposure_path_prefix) if matrix_mautrix_twitter_exposure_enabled else '' }}"
 
 # Displayname template for Twitter users.
 # {{ .DisplayName }} is replaced with the display name of the Twitter user.
@@ -86,6 +90,15 @@ matrix_mautrix_twitter_container_labels_metrics_middleware_basic_auth_enabled: f
 # See: https://doc.traefik.io/traefik/middlewares/http/basicauth/#users
 matrix_mautrix_twitter_container_labels_metrics_middleware_basic_auth_users: ''
 
+# Controls whether labels will be added that expose mautrix-twitter's HTTP API
+# (used by tools like mautrix-manager for bridge login) at `https://<hostname><path_prefix>`.
+matrix_mautrix_twitter_container_labels_exposure_enabled: "{{ matrix_mautrix_twitter_exposure_enabled }}"
+matrix_mautrix_twitter_container_labels_exposure_traefik_rule: "Host(`{{ matrix_mautrix_twitter_exposure_hostname }}`) && PathPrefix(`{{ matrix_mautrix_twitter_exposure_path_prefix }}`)"
+matrix_mautrix_twitter_container_labels_exposure_traefik_priority: 0
+matrix_mautrix_twitter_container_labels_exposure_traefik_entrypoints: "{{ matrix_mautrix_twitter_container_labels_traefik_entrypoints }}"
+matrix_mautrix_twitter_container_labels_exposure_traefik_tls: "{{ matrix_mautrix_twitter_container_labels_exposure_traefik_entrypoints != 'web' }}"
+matrix_mautrix_twitter_container_labels_exposure_traefik_tls_certResolver: "{{ matrix_mautrix_twitter_container_labels_traefik_tls_certResolver }}"  # noqa var-naming
+
 # matrix_mautrix_twitter_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
 # See `../templates/labels.j2` for details.
 #
@@ -166,6 +179,11 @@ matrix_mautrix_twitter_metrics_proxying_enabled: false
 matrix_mautrix_twitter_metrics_proxying_hostname: ''
 matrix_mautrix_twitter_metrics_proxying_path_prefix: ''
 
+# Controls whether mautrix-twitter's HTTP API is exposed publicly (used by tools like mautrix-manager for bridge login).
+matrix_mautrix_twitter_exposure_enabled: false
+matrix_mautrix_twitter_exposure_hostname: ''
+matrix_mautrix_twitter_exposure_path_prefix: ''
+
 # Default configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
 #

roles/custom/matrix-bridge-mautrix-twitter/templates/labels.j2

@@ -46,6 +46,39 @@ traefik.http.routers.matrix-mautrix-twitter-metrics.tls.certResolver={{ matrix_m
 ############################################################
 {% endif %}
 
+{% if matrix_mautrix_twitter_container_labels_exposure_enabled %}
+############################################################
+#                                                          #
+# Bridge API exposure                                      #
+#                                                          #
+############################################################
+
+traefik.http.services.matrix-mautrix-twitter-exposure.loadbalancer.server.port=29327
+
+traefik.http.middlewares.matrix-mautrix-twitter-exposure-strip-prefix.stripprefix.prefixes={{ matrix_mautrix_twitter_exposure_path_prefix }}
+traefik.http.routers.matrix-mautrix-twitter-exposure.middlewares=matrix-mautrix-twitter-exposure-strip-prefix
+
+traefik.http.routers.matrix-mautrix-twitter-exposure.rule={{ matrix_mautrix_twitter_container_labels_exposure_traefik_rule }}
+
+{% if matrix_mautrix_twitter_container_labels_exposure_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-mautrix-twitter-exposure.priority={{ matrix_mautrix_twitter_container_labels_exposure_traefik_priority }}
+{% endif %}
+
+traefik.http.routers.matrix-mautrix-twitter-exposure.service=matrix-mautrix-twitter-exposure
+traefik.http.routers.matrix-mautrix-twitter-exposure.entrypoints={{ matrix_mautrix_twitter_container_labels_exposure_traefik_entrypoints }}
+
+traefik.http.routers.matrix-mautrix-twitter-exposure.tls={{ matrix_mautrix_twitter_container_labels_exposure_traefik_tls | to_json }}
+{% if matrix_mautrix_twitter_container_labels_exposure_traefik_tls %}
+traefik.http.routers.matrix-mautrix-twitter-exposure.tls.certResolver={{ matrix_mautrix_twitter_container_labels_exposure_traefik_tls_certResolver }}
+{% endif %}
+
+############################################################
+#                                                          #
+# /Bridge API exposure                                     #
+#                                                          #
+############################################################
+{% endif %}
+
 
 {% endif %}
 

roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml

@@ -48,6 +48,13 @@ matrix_mautrix_whatsapp_homeserver_domain: "{{ matrix_domain }}"
 matrix_mautrix_whatsapp_homeserver_async_media: false
 matrix_mautrix_whatsapp_appservice_address: "http://matrix-mautrix-whatsapp:8080"
 
+# Scheme of the bridge's public address (see `matrix_mautrix_whatsapp_bridge_public_address`).
+matrix_mautrix_whatsapp_scheme: https
+
+# The public base URL at which this bridge's HTTP API is reachable from outside (when exposed).
+# Used for the provisioning API's external-server (OpenID) flow and for public media links.
+matrix_mautrix_whatsapp_bridge_public_address: "{{ (matrix_mautrix_whatsapp_scheme + '://' + matrix_mautrix_whatsapp_exposure_hostname + matrix_mautrix_whatsapp_exposure_path_prefix) if matrix_mautrix_whatsapp_exposure_enabled else '' }}"
+
 matrix_mautrix_whatsapp_msc4190_enabled: "{{ matrix_bridges_msc4190_enabled }}"
 matrix_mautrix_whatsapp_self_sign_enabled: "{{ matrix_bridges_self_sign_enabled }}"
 
@@ -81,6 +88,15 @@ matrix_mautrix_whatsapp_container_labels_metrics_middleware_basic_auth_enabled:
 # See: https://doc.traefik.io/traefik/middlewares/http/basicauth/#users
 matrix_mautrix_whatsapp_container_labels_metrics_middleware_basic_auth_users: ''
 
+# Controls whether labels will be added that expose mautrix-whatsapp's HTTP API
+# (used by tools like mautrix-manager for bridge login) at `https://<hostname><path_prefix>`.
+matrix_mautrix_whatsapp_container_labels_exposure_enabled: "{{ matrix_mautrix_whatsapp_exposure_enabled }}"
+matrix_mautrix_whatsapp_container_labels_exposure_traefik_rule: "Host(`{{ matrix_mautrix_whatsapp_exposure_hostname }}`) && PathPrefix(`{{ matrix_mautrix_whatsapp_exposure_path_prefix }}`)"
+matrix_mautrix_whatsapp_container_labels_exposure_traefik_priority: 0
+matrix_mautrix_whatsapp_container_labels_exposure_traefik_entrypoints: "{{ matrix_mautrix_whatsapp_container_labels_traefik_entrypoints }}"
+matrix_mautrix_whatsapp_container_labels_exposure_traefik_tls: "{{ matrix_mautrix_whatsapp_container_labels_exposure_traefik_entrypoints != 'web' }}"
+matrix_mautrix_whatsapp_container_labels_exposure_traefik_tls_certResolver: "{{ matrix_mautrix_whatsapp_container_labels_traefik_tls_certResolver }}"  # noqa var-naming
+
 # matrix_mautrix_whatsapp_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
 # See `../templates/labels.j2` for details.
 #
@@ -125,6 +141,11 @@ matrix_mautrix_whatsapp_metrics_proxying_enabled: false
 matrix_mautrix_whatsapp_metrics_proxying_hostname: ''
 matrix_mautrix_whatsapp_metrics_proxying_path_prefix: ''
 
+# Controls whether mautrix-whatsapp's HTTP API is exposed publicly (used by tools like mautrix-manager for bridge login).
+matrix_mautrix_whatsapp_exposure_enabled: false
+matrix_mautrix_whatsapp_exposure_hostname: ''
+matrix_mautrix_whatsapp_exposure_path_prefix: ''
+
 # Database-related configuration fields.
 #
 # To use SQLite, stick to these defaults.

roles/custom/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2

@@ -269,7 +269,7 @@ appservice:
     # A public address that external services can use to reach this appservice.
     # This is only needed for things like public media. A reverse proxy is generally necessary when using this field.
     # This value doesn't affect the registration file.
-    public_address: ""
+    public_address: {{ matrix_mautrix_whatsapp_bridge_public_address | to_json }}
 
     # The hostname and port where this appservice should listen.
     # For Docker, you generally have to change the hostname to 0.0.0.0.

roles/custom/matrix-bridge-mautrix-whatsapp/templates/labels.j2

@@ -46,6 +46,39 @@ traefik.http.routers.matrix-mautrix-whatsapp-metrics.tls.certResolver={{ matrix_
 ############################################################
 {% endif %}
 
+{% if matrix_mautrix_whatsapp_container_labels_exposure_enabled %}
+############################################################
+#                                                          #
+# Bridge API exposure                                      #
+#                                                          #
+############################################################
+
+traefik.http.services.matrix-mautrix-whatsapp-exposure.loadbalancer.server.port=8080
+
+traefik.http.middlewares.matrix-mautrix-whatsapp-exposure-strip-prefix.stripprefix.prefixes={{ matrix_mautrix_whatsapp_exposure_path_prefix }}
+traefik.http.routers.matrix-mautrix-whatsapp-exposure.middlewares=matrix-mautrix-whatsapp-exposure-strip-prefix
+
+traefik.http.routers.matrix-mautrix-whatsapp-exposure.rule={{ matrix_mautrix_whatsapp_container_labels_exposure_traefik_rule }}
+
+{% if matrix_mautrix_whatsapp_container_labels_exposure_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-mautrix-whatsapp-exposure.priority={{ matrix_mautrix_whatsapp_container_labels_exposure_traefik_priority }}
+{% endif %}
+
+traefik.http.routers.matrix-mautrix-whatsapp-exposure.service=matrix-mautrix-whatsapp-exposure
+traefik.http.routers.matrix-mautrix-whatsapp-exposure.entrypoints={{ matrix_mautrix_whatsapp_container_labels_exposure_traefik_entrypoints }}
+
+traefik.http.routers.matrix-mautrix-whatsapp-exposure.tls={{ matrix_mautrix_whatsapp_container_labels_exposure_traefik_tls | to_json }}
+{% if matrix_mautrix_whatsapp_container_labels_exposure_traefik_tls %}
+traefik.http.routers.matrix-mautrix-whatsapp-exposure.tls.certResolver={{ matrix_mautrix_whatsapp_container_labels_exposure_traefik_tls_certResolver }}
+{% endif %}
+
+############################################################
+#                                                          #
+# /Bridge API exposure                                     #
+#                                                          #
+############################################################
+{% endif %}
+
 
 {% endif %}
 

roles/custom/matrix-bridge-rustpush/defaults/main.yml

@@ -13,8 +13,8 @@ matrix_rustpush_bridge_container_image_self_build: false
 matrix_rustpush_bridge_container_image_self_build_repo: "https://github.com/jasonlaguidice/imessage.git"
 matrix_rustpush_bridge_container_image_self_build_repo_version: "{{ 'master' if matrix_rustpush_bridge_version == 'latest' else matrix_rustpush_bridge_version }}"
 
-# Adjust to pin to releases
+# renovate: datasource=docker depName=ghcr.io/jasonlaguidice/imessage
-matrix_rustpush_bridge_version: v0.0.1
+matrix_rustpush_bridge_version: v0.0.2
 matrix_rustpush_bridge_container_image: "{{ matrix_rustpush_bridge_container_image_registry_prefix }}jasonlaguidice/imessage:{{ matrix_rustpush_bridge_version }}"
 matrix_rustpush_bridge_container_image_registry_prefix: "{{ 'localhost/' if matrix_rustpush_bridge_container_image_self_build else matrix_rustpush_bridge_container_image_registry_prefix_upstream }}"
 matrix_rustpush_bridge_container_image_registry_prefix_upstream: "{{ matrix_rustpush_bridge_container_image_registry_prefix_upstream_default }}"

roles/custom/matrix-tuwunel/defaults/main.yml

@@ -13,7 +13,7 @@ matrix_tuwunel_enabled: true
 matrix_tuwunel_hostname: ''
 
 # renovate: datasource=docker depName=ghcr.io/matrix-construct/tuwunel
-matrix_tuwunel_version: v1.7.1
+matrix_tuwunel_version: v1.8.0
 
 matrix_tuwunel_container_image: "{{ matrix_tuwunel_container_image_registry_prefix }}matrix-construct/tuwunel:{{ matrix_tuwunel_container_image_tag }}"
 matrix_tuwunel_container_image_tag: "{{ matrix_tuwunel_version }}"
@@ -177,6 +177,43 @@ matrix_tuwunel_config_forbidden_remote_server_names: []
 matrix_tuwunel_config_forbidden_remote_room_directory_server_names: []
 matrix_tuwunel_config_prevent_media_downloads_from: []
 
+# List of IPv4/IPv6 CIDR ranges tuwunel refuses to send outbound requests to (SSRF protection).
+# This applies to push gateway delivery, URL previews, and remote media fetches.
+# Bridges/appservices use a separate resolver and are not affected.
+#
+# The default mirrors tuwunel's own upstream default, which denies RFC1918,
+# loopback, multicast, and other unroutable/testnet ranges.
+#
+# To deny additional ranges, append to `matrix_tuwunel_config_ip_range_denylist_custom`.
+# To permit a range that the default denies (e.g. if you run a push gateway like a
+# localhost Sygnal or a LAN ntfy/UnifiedPush server on a private/loopback address, to
+# which push delivery would otherwise be silently blocked), override
+# `matrix_tuwunel_config_ip_range_denylist_default` with a trimmed list.
+# Set the whole list to `[]` to disable denylisting entirely.
+matrix_tuwunel_config_ip_range_denylist: "{{ matrix_tuwunel_config_ip_range_denylist_default + matrix_tuwunel_config_ip_range_denylist_auto + matrix_tuwunel_config_ip_range_denylist_custom }}"
+matrix_tuwunel_config_ip_range_denylist_default:
+  - '127.0.0.0/8'
+  - '10.0.0.0/8'
+  - '172.16.0.0/12'
+  - '192.168.0.0/16'
+  - '100.64.0.0/10'
+  - '192.0.0.0/24'
+  - '169.254.0.0/16'
+  - '192.88.99.0/24'
+  - '198.18.0.0/15'
+  - '192.0.2.0/24'
+  - '198.51.100.0/24'
+  - '203.0.113.0/24'
+  - '224.0.0.0/4'
+  - '::1/128'
+  - 'fe80::/10'
+  - 'fc00::/7'
+  - '2001:db8::/32'
+  - 'ff00::/8'
+  - 'fec0::/10'
+matrix_tuwunel_config_ip_range_denylist_auto: []
+matrix_tuwunel_config_ip_range_denylist_custom: []
+
 # MSC4284 policy server enforcement.
 # When enabled, rooms with a valid `m.room.policy` state event will have
 # outgoing events signed by the configured policy server before federation.

roles/custom/matrix-tuwunel/templates/tuwunel.toml.j2

@@ -56,6 +56,7 @@ forbidden_remote_room_directory_server_names = {{ matrix_tuwunel_config_forbidde
 {% if matrix_tuwunel_config_prevent_media_downloads_from | length > 0 %}
 prevent_media_downloads_from = {{ matrix_tuwunel_config_prevent_media_downloads_from | to_json }}
 {% endif %}
+ip_range_denylist = {{ matrix_tuwunel_config_ip_range_denylist | to_json }}
 
 enable_policy_servers = {{ matrix_tuwunel_config_enable_policy_servers | to_json }}
 policy_server_request_timeout = {{ matrix_tuwunel_config_policy_server_request_timeout }}