Compare commits

10 Commits

Author SHA1 Message Date
github-actions[bot] 15e3d0b1a1 Automatic translations update 2026-05-09 06:50:52 +00:00
Slavi Pantaleev 53ad97417d matrix-tuwunel: update to v1.6.2
This release adds opt-in server-level enforcement of MSC4284 policy
servers via two new `[global]` keys: `enable_policy_servers` and
`policy_server_request_timeout`. Surface both as Ansible variables
matching tuwunel's upstream defaults (off, 5s timeout) and refresh the
docs section that previously claimed MSC4284 needed no playbook
configuration.

Closes https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/5213.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-09 09:27:07 +03:00
Slavi Pantaleev 704cbd5655 Revert "Update dependency etherpad to v2.7.3-0"
This reverts commit 68cc4a1c12.

Etherpad has been reported to be somewhat broken. Broken how? No clue.
Reverting till further feedback comes.
2026-05-08 22:02:38 +03:00
renovate[bot] 6542ef8b3c Update forgejo.ellis.link/continuwuation/continuwuity Docker tag to v0.5.9 2026-05-08 09:29:03 +03:00
renovate[bot] e43bbfb44d Update dependency mdit-py-plugins to v0.6.0 2026-05-07 23:58:17 +03:00
renovate[bot] 143babe55c Update dependency markdown-it-py to v4.2.0 2026-05-07 23:58:06 +03:00
renovate[bot] bb77d89d2e Update dependency urllib3 to v2.7.0 2026-05-07 23:57:58 +03:00
renovate[bot] a0d056d160 Update ghcr.io/element-hq/synapse Docker tag to v1.152.1 2026-05-07 23:57:49 +03:00
github-actions[bot] 2d5b5ff7ef Automatic translations update (#5206)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-05-07 14:04:08 +00:00
Slavi Pantaleev 8c87f68d5b matrix-tuwunel: adjust SPDX year ranges to 2025 - 2026
Files in this role were ported from matrix-continuwuity (which carries
2025 attribution), so the year range should reflect that the underlying
content predates 2026.

Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/5200.
2026-05-07 17:01:55 +03:00
21 changed files with 85 additions and 59 deletions
+8 -1
@@ -166,7 +166,14 @@ matrix_tuwunel_config_prevent_media_downloads_from:
- 'heavy\.example\.com$'
```
Tuwunel additionally implements [MSC4284 policy servers](https://github.com/matrix-org/matrix-spec-proposals/pull/4284) for room-level federation gating; that lives in room state and needs no playbook configuration.
Tuwunel additionally implements [MSC4284 policy servers](https://github.com/matrix-org/matrix-spec-proposals/pull/4284) for room-level federation gating. The policy itself lives in room state, but enforcement is opt-in at the server level:
```yaml
matrix_tuwunel_config_enable_policy_servers: true
matrix_tuwunel_config_policy_server_request_timeout: 5
```
When enabled, rooms with a valid `m.room.policy` state event have outgoing events signed by the configured policy server before federation. Transient network or timeout failures fail open (with a warn log), so a policy-server outage will not silently take the room offline.
### Default room version
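Review bot: The added paragraph beginning "When enabled, rooms with a valid `m.room.policy` state event" covers only the fail-open path and leaves out the refusal case, which the comment added to the role defaults in this same change does state ("Refusal aborts the local request"). Add that sentence here so the two descriptions agree. The sample also sets `matrix_tuwunel_config_enable_policy_servers: true` without saying that the shipped default is `false`; state the default. Because timeouts fail open, the docs should also tell operators who depend on the policy server to watch for the warn log, as events go out without the policy server having signed them while it is unreachable.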
+3 -3
@@ -8,9 +8,9 @@ idna==3.13
imagesize==2.0.0
Jinja2==3.1.6
linkify-it-py==2.1.0
markdown-it-py==4.1.0
markdown-it-py==4.2.0
MarkupSafe==3.0.3
mdit-py-plugins==0.5.0
mdit-py-plugins==0.6.0
mdurl==0.1.2
myst-parser==5.0.0
packaging==26.2
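Review bot: The bumped pins `markdown-it-py==4.2.0` and `mdit-py-plugins==0.6.0` are version-only, like the other entries visible in this file, so pip accepts whatever artifact the index serves for that version. Consider recording `--hash` entries (for example with pip-compile's `--generate-hashes`) and installing with `--require-hashes`, so that automated bumps like these are tied to specific artifacts.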
@@ -30,4 +30,4 @@ sphinxcontrib-qthelp==2.0.0
sphinxcontrib-serializinghtml==2.0.0
tabulate==0.10.0
uc-micro-py==2.0.0
urllib3==2.6.3
urllib3==2.7.0
@@ -8,7 +8,7 @@ msgid ""
msgstr ""
"Project-Id-Version: matrix-docker-ansible-deploy \n"
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2026-05-07 11:16+0000\n"
"POT-Creation-Date: 2026-05-09 06:50+0000\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
@@ -185,81 +185,85 @@ msgid "Tuwunel accepts regular-expression patterns at every level of remote-serv
msgstr ""
#: ../../../docs/configuring-playbook-tuwunel.md:169
msgid "Tuwunel additionally implements [MSC4284 policy servers](https://github.com/matrix-org/matrix-spec-proposals/pull/4284) for room-level federation gating; that lives in room state and needs no playbook configuration."
msgid "Tuwunel additionally implements [MSC4284 policy servers](https://github.com/matrix-org/matrix-spec-proposals/pull/4284) for room-level federation gating. The policy itself lives in room state, but enforcement is opt-in at the server level:"
msgstr ""
#: ../../../docs/configuring-playbook-tuwunel.md:171
#: ../../../docs/configuring-playbook-tuwunel.md:176
msgid "When enabled, rooms with a valid `m.room.policy` state event have outgoing events signed by the configured policy server before federation. Transient network or timeout failures fail open (with a warn log), so a policy-server outage will not silently take the room offline."
msgstr ""
#: ../../../docs/configuring-playbook-tuwunel.md:178
msgid "Default room version"
msgstr ""
#: ../../../docs/configuring-playbook-tuwunel.md:173
#: ../../../docs/configuring-playbook-tuwunel.md:180
msgid "The role sets `default_room_version: '12'`, so newly created rooms default to Matrix [room version 12](https://github.com/matrix-org/matrix-spec-proposals/pull/4289) (\"Hydra\"). Override `matrix_tuwunel_config_default_room_version` if you need an earlier version for client compatibility."
msgstr ""
#: ../../../docs/configuring-playbook-tuwunel.md:175
#: ../../../docs/configuring-playbook-tuwunel.md:182
msgid "Creating the first user account"
msgstr ""
#: ../../../docs/configuring-playbook-tuwunel.md:177
#: ../../../docs/configuring-playbook-tuwunel.md:184
msgid "Unlike Synapse and Dendrite, Tuwunel does not register users from the command line or via the playbook. On first startup it logs a one-time-use registration token to its journal:"
msgstr ""
#: ../../../docs/configuring-playbook-tuwunel.md:184
#: ../../../docs/configuring-playbook-tuwunel.md:191
msgid "Use the token to create your first account from any client that supports token-gated registration (e.g. [Element Web](configuring-playbook-client-element-web.md)). The account is auto-promoted to admin and invited to the admin room together with the `@conduit:<server_name>` server bot. The bot keeps the legacy `conduit` localpart due to the project's lineage from Conduit."
msgstr ""
#: ../../../docs/configuring-playbook-tuwunel.md:186
#: ../../../docs/configuring-playbook-tuwunel.md:193
msgid "Configuring bridges and appservices"
msgstr ""
#: ../../../docs/configuring-playbook-tuwunel.md:188
#: ../../../docs/configuring-playbook-tuwunel.md:195
msgid "The playbook does not auto-register appservices for Tuwunel. After your bridge has produced its `registration.yaml` (e.g. `/matrix/mautrix-signal/bridge/registration.yaml`), register it manually by sending the contents to the admin room, prefixed with `!admin appservices register` and wrapped in a fenced code block:"
msgstr ""
#: ../../../docs/configuring-playbook-tuwunel.md:209
#: ../../../docs/configuring-playbook-tuwunel.md:216
msgid "Registrations stored this way are persisted in the database and survive restarts. Re-running the command with the same `id` replaces the existing entry. See [Application services](https://matrix-construct.github.io/tuwunel/appservices.html) for the full reference and admin commands."
msgstr ""
#: ../../../docs/configuring-playbook-tuwunel.md:211
#: ../../../docs/configuring-playbook-tuwunel.md:218
msgid "Migrating from conduwuit"
msgstr ""
#: ../../../docs/configuring-playbook-tuwunel.md:213
#: ../../../docs/configuring-playbook-tuwunel.md:220
msgid "Tuwunel is a \"binary swap\" for conduwuit; it reads conduwuit's RocksDB layout directly, so migration is a data move, not an export/import."
msgstr ""
#: ../../../docs/configuring-playbook-tuwunel.md:215
#: ../../../docs/configuring-playbook-tuwunel.md:222
msgid "Set `matrix_homeserver_implementation: tuwunel` on `vars.yml` and remove any `matrix_conduwuit_*` overrides."
msgstr ""
#: ../../../docs/configuring-playbook-tuwunel.md:216
#: ../../../docs/configuring-playbook-tuwunel.md:223
msgid "Run a full installation so that the new service is created and the old one removed (e.g. `just setup-all`)."
msgstr ""
#: ../../../docs/configuring-playbook-tuwunel.md:217
#: ../../../docs/configuring-playbook-tuwunel.md:224
msgid "Run `just run-tags tuwunel-migrate-from-conduwuit`."
msgstr ""
#: ../../../docs/configuring-playbook-tuwunel.md:219
#: ../../../docs/configuring-playbook-tuwunel.md:226
msgid "The migration stops `matrix-conduwuit.service`, copies `/matrix/conduwuit` into `/matrix/tuwunel`, renames the config file, and starts `matrix-tuwunel.service`. The freshly generated tuwunel data directory is preserved alongside as `/matrix/tuwunel_old` until you remove it manually."
msgstr ""
#: ../../../docs/configuring-playbook-tuwunel.md:221
#: ../../../docs/configuring-playbook-tuwunel.md:228
msgid "[!CAUTION] Migrating from any other Conduit derivative (Conduit itself, Continuwuity, or any other fork) is **not supported** and will corrupt your database. All Conduit forks share the same linear database version with no awareness of each other; switching between them produces unrecoverable damage. See the [upstream migration table](https://matrix-construct.github.io/tuwunel/#migrating-to-tuwunel)."
msgstr ""
#: ../../../docs/configuring-playbook-tuwunel.md:224
#: ../../../docs/configuring-playbook-tuwunel.md:231
msgid "Troubleshooting"
msgstr ""
#: ../../../docs/configuring-playbook-tuwunel.md:226
#: ../../../docs/configuring-playbook-tuwunel.md:233
msgid "As with all other services, the logs are available via [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html):"
msgstr ""
#: ../../../docs/configuring-playbook-tuwunel.md:232
#: ../../../docs/configuring-playbook-tuwunel.md:239
msgid "Logging verbosity is controlled by `matrix_tuwunel_config_log` in [`tracing-subscriber` env-filter syntax](https://docs.rs/tracing-subscriber/latest/tracing_subscriber/filter/struct.EnvFilter.html). The default (`info,state_res=warn`) is reasonable for production; for debugging, try `debug` or scope it tighter, e.g. `info,tuwunel_service::sending=debug`."
msgstr ""
#: ../../../docs/configuring-playbook-tuwunel.md:234
#: ../../../docs/configuring-playbook-tuwunel.md:241
msgid "For RocksDB-level issues, online backups, and offline backup procedures, see the [Tuwunel maintenance guide](https://matrix-construct.github.io/tuwunel/maintenance.html). For protocol-compliance state across MSCs, the spec, and Complement, the project's [compliance dashboard](https://matrix-construct.github.io/tuwunel/development/compliance.html) is the authoritative tracker."
msgstr ""
+1 -1
@@ -27,7 +27,7 @@
version: 542a2d68db4e9a8e9bb4b508052760b900c7dce6
name: docker_sdk_for_python
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-etherpad.git
version: v2.7.3-0
version: v2.7.2-1
name: etherpad
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-exim-relay.git
version: v4.99.1-r0-2-1
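Review bot: The reverted pin `version: v2.7.2-1` carries no comment recording why it is held back, so the next automated dependency update can reintroduce v2.7.3-0 without anyone noticing that it was reverted on purpose. Add a short comment next to the pin, or an ignore rule in the updater's configuration, that points at the revert and is removed once the reported breakage is understood.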
@@ -13,7 +13,7 @@ matrix_continuwuity_enabled: true
matrix_continuwuity_hostname: ''
# renovate: datasource=docker depName=forgejo.ellis.link/continuwuation/continuwuity
matrix_continuwuity_version: v0.5.8
matrix_continuwuity_version: v0.5.9
matrix_continuwuity_container_image: "{{ matrix_continuwuity_container_image_registry_prefix }}/continuwuation/continuwuity:{{ matrix_continuwuity_container_image_tag }}"
matrix_continuwuity_container_image_tag: "{{ matrix_continuwuity_version }}"
@@ -16,7 +16,7 @@ matrix_synapse_enabled: true
matrix_synapse_github_org_and_repo: element-hq/synapse
# renovate: datasource=docker depName=ghcr.io/element-hq/synapse
matrix_synapse_version: v1.152.0
matrix_synapse_version: v1.152.1
matrix_synapse_username: ''
matrix_synapse_uid: ''
+15 -3
@@ -1,5 +1,5 @@
# SPDX-FileCopyrightText: 2026 MDAD project contributors
# SPDX-FileCopyrightText: 2026 Slavi Pantaleev
# SPDX-FileCopyrightText: 2025 - 2026 MDAD project contributors
# SPDX-FileCopyrightText: 2025 - 2026 Slavi Pantaleev
#
# SPDX-License-Identifier: AGPL-3.0-or-later
@@ -13,7 +13,7 @@ matrix_tuwunel_enabled: true
matrix_tuwunel_hostname: ''
# renovate: datasource=docker depName=ghcr.io/matrix-construct/tuwunel
matrix_tuwunel_version: v1.6.1
matrix_tuwunel_version: v1.6.2
matrix_tuwunel_container_image: "{{ matrix_tuwunel_container_image_registry_prefix }}matrix-construct/tuwunel:{{ matrix_tuwunel_container_image_tag }}"
matrix_tuwunel_container_image_tag: "{{ matrix_tuwunel_version }}"
@@ -177,6 +177,18 @@ matrix_tuwunel_config_forbidden_remote_server_names: []
matrix_tuwunel_config_forbidden_remote_room_directory_server_names: []
matrix_tuwunel_config_prevent_media_downloads_from: []
# MSC4284 policy server enforcement.
# When enabled, rooms with a valid `m.room.policy` state event will have
# outgoing events signed by the configured policy server before federation.
# Refusal aborts the local request; transient network or timeout failures
# fail open with a warn log so a policy-server outage does not silently
# take the room offline.
matrix_tuwunel_config_enable_policy_servers: false
# Timeout (in seconds) for outbound `/sign` calls and inbound
# signature-fetches against a room's policy server.
matrix_tuwunel_config_policy_server_request_timeout: 5
# Outgoing presence is heavy on CPU and network and almost no clients use it. Off by default.
matrix_tuwunel_config_allow_outgoing_presence: false
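Review bot: The comment on `matrix_tuwunel_config_policy_server_request_timeout` says the timeout covers both outbound `/sign` calls and inbound signature-fetches, but the fail-open behaviour above it is described only for outgoing events. State what happens to an inbound event when the signature fetch times out, since that determines whether changing the timeout affects what the server accepts from federation.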
@@ -1,5 +1,5 @@
# SPDX-FileCopyrightText: 2026 MDAD project contributors
# SPDX-FileCopyrightText: 2026 Slavi Pantaleev
# SPDX-FileCopyrightText: 2025 - 2026 MDAD project contributors
# SPDX-FileCopyrightText: 2025 - 2026 Slavi Pantaleev
#
# SPDX-License-Identifier: AGPL-3.0-or-later
+2 -2
@@ -1,5 +1,5 @@
# SPDX-FileCopyrightText: 2026 MDAD project contributors
# SPDX-FileCopyrightText: 2026 Slavi Pantaleev
# SPDX-FileCopyrightText: 2025 - 2026 MDAD project contributors
# SPDX-FileCopyrightText: 2025 - 2026 Slavi Pantaleev
#
# SPDX-License-Identifier: AGPL-3.0-or-later
@@ -1,5 +1,5 @@
# SPDX-FileCopyrightText: 2026 MDAD project contributors
# SPDX-FileCopyrightText: 2026 Slavi Pantaleev
# SPDX-FileCopyrightText: 2025 - 2026 MDAD project contributors
# SPDX-FileCopyrightText: 2025 - 2026 Slavi Pantaleev
#
# SPDX-License-Identifier: AGPL-3.0-or-later
@@ -1,5 +1,5 @@
# SPDX-FileCopyrightText: 2026 MDAD project contributors
# SPDX-FileCopyrightText: 2026 Slavi Pantaleev
# SPDX-FileCopyrightText: 2025 - 2026 MDAD project contributors
# SPDX-FileCopyrightText: 2025 - 2026 Slavi Pantaleev
#
# SPDX-License-Identifier: AGPL-3.0-or-later
@@ -1,5 +1,5 @@
# SPDX-FileCopyrightText: 2026 MDAD project contributors
# SPDX-FileCopyrightText: 2026 Slavi Pantaleev
# SPDX-FileCopyrightText: 2025 - 2026 MDAD project contributors
# SPDX-FileCopyrightText: 2025 - 2026 Slavi Pantaleev
#
# SPDX-License-Identifier: AGPL-3.0-or-later
@@ -1,5 +1,5 @@
# SPDX-FileCopyrightText: 2026 MDAD project contributors
# SPDX-FileCopyrightText: 2026 Slavi Pantaleev
# SPDX-FileCopyrightText: 2025 - 2026 MDAD project contributors
# SPDX-FileCopyrightText: 2025 - 2026 Slavi Pantaleev
#
# SPDX-License-Identifier: AGPL-3.0-or-later
@@ -1,5 +1,5 @@
# SPDX-FileCopyrightText: 2026 MDAD project contributors
# SPDX-FileCopyrightText: 2026 Slavi Pantaleev
# SPDX-FileCopyrightText: 2025 - 2026 MDAD project contributors
# SPDX-FileCopyrightText: 2025 - 2026 Slavi Pantaleev
#
# SPDX-License-Identifier: AGPL-3.0-or-later
@@ -1,5 +1,5 @@
# SPDX-FileCopyrightText: 2026 MDAD project contributors
# SPDX-FileCopyrightText: 2026 Slavi Pantaleev
# SPDX-FileCopyrightText: 2025 - 2026 MDAD project contributors
# SPDX-FileCopyrightText: 2025 - 2026 Slavi Pantaleev
#
# SPDX-License-Identifier: AGPL-3.0-or-later
@@ -1,5 +1,5 @@
# SPDX-FileCopyrightText: 2026 MDAD project contributors
# SPDX-FileCopyrightText: 2026 Slavi Pantaleev
# SPDX-FileCopyrightText: 2025 - 2026 MDAD project contributors
# SPDX-FileCopyrightText: 2025 - 2026 Slavi Pantaleev
#
# SPDX-License-Identifier: AGPL-3.0-or-later
@@ -1,4 +1,4 @@
SPDX-FileCopyrightText: 2026 MDAD project contributors
SPDX-FileCopyrightText: 2026 Slavi Pantaleev
SPDX-FileCopyrightText: 2025 - 2026 MDAD project contributors
SPDX-FileCopyrightText: 2025 - 2026 Slavi Pantaleev
SPDX-License-Identifier: AGPL-3.0-or-later
@@ -1,6 +1,6 @@
{#
SPDX-FileCopyrightText: 2026 MDAD project contributors
SPDX-FileCopyrightText: 2026 Slavi Pantaleev
SPDX-FileCopyrightText: 2025 - 2026 MDAD project contributors
SPDX-FileCopyrightText: 2025 - 2026 Slavi Pantaleev
SPDX-License-Identifier: AGPL-3.0-or-later
#}
@@ -1,4 +1,4 @@
SPDX-FileCopyrightText: 2026 MDAD project contributors
SPDX-FileCopyrightText: 2026 Slavi Pantaleev
SPDX-FileCopyrightText: 2025 - 2026 MDAD project contributors
SPDX-FileCopyrightText: 2025 - 2026 Slavi Pantaleev
SPDX-License-Identifier: AGPL-3.0-or-later
@@ -1,6 +1,6 @@
{#
SPDX-FileCopyrightText: 2026 MDAD project contributors
SPDX-FileCopyrightText: 2026 Slavi Pantaleev
SPDX-FileCopyrightText: 2025 - 2026 MDAD project contributors
SPDX-FileCopyrightText: 2025 - 2026 Slavi Pantaleev
SPDX-License-Identifier: AGPL-3.0-or-later
#}
@@ -57,6 +57,9 @@ forbidden_remote_room_directory_server_names = {{ matrix_tuwunel_config_forbidde
prevent_media_downloads_from = {{ matrix_tuwunel_config_prevent_media_downloads_from | to_json }}
{% endif %}
enable_policy_servers = {{ matrix_tuwunel_config_enable_policy_servers | to_json }}
policy_server_request_timeout = {{ matrix_tuwunel_config_policy_server_request_timeout }}
allow_outgoing_presence = {{ matrix_tuwunel_config_allow_outgoing_presence | to_json }}
{% if matrix_tuwunel_config_url_preview_domain_contains_allowlist | length > 0 %}
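Review bot: The `policy_server_request_timeout` line renders the variable with no filter, unlike `enable_policy_servers` and `allow_outgoing_presence` next to it, which both go through `| to_json`. An empty or non-numeric override in `vars.yml` would then be written into the config file as-is and only fail when the server parses it. Render it with `| int` (or `| to_json`) and consider a validation task that rejects non-positive values before the template is written.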
+2 -2
@@ -1,5 +1,5 @@
# SPDX-FileCopyrightText: 2026 MDAD project contributors
# SPDX-FileCopyrightText: 2026 Slavi Pantaleev
# SPDX-FileCopyrightText: 2025 - 2026 MDAD project contributors
# SPDX-FileCopyrightText: 2025 - 2026 Slavi Pantaleev
#
# SPDX-License-Identifier: AGPL-3.0-or-later