Update matrixdotorg/sygnal Docker tag to v0.17.0

Link not working as it had the wrong section name

README.md

@@ -4,7 +4,7 @@
 
 ## 🎯 Purpose
 
-This [Ansible](https://www.ansible.com/) playbook is meant to help you run your own [Matrix](http://matrix.org/) homeserver, along with the [various services](#supported-services) related to that.
+This [Ansible](https://www.ansible.com/) playbook is meant to help you run your own [Matrix](http://matrix.org/) homeserver, along with the [various services](#-supported-services) related to that.
 
 That is, it lets you join the Matrix network using your own user ID like `@alice:example.com`, all hosted on your own server (see [prerequisites](docs/prerequisites.md)).
 
@@ -122,7 +122,7 @@ Bridges can be used to connect your Matrix installation with third-party communi
 | [mautrix-bluesky](https://github.com/mautrix/bluesky) | ❌ | Bridge to [Bluesky](https://bsky.social/) | [Link](docs/configuring-playbook-bridge-mautrix-bluesky.md) |
 | [mautrix-twitter](https://github.com/mautrix/twitter) | ❌ | Bridge to [Twitter](https://twitter.com/) | [Link](docs/configuring-playbook-bridge-mautrix-twitter.md) |
 | [mautrix-googlechat](https://github.com/mautrix/googlechat) | ❌ | Bridge to [Google Chat](https://en.wikipedia.org/wiki/Google_Chat) | [Link](docs/configuring-playbook-bridge-mautrix-googlechat.md) |
-| [mautrix-meta](https://github.com/mautrix/instagram) | ❌ | Bridge to [Messenger](https://messenger.com/) and [Instagram](https://instagram.com/) | Link for [Messenger](docs/configuring-playbook-bridge-mautrix-meta-messenger.md) / [Instagram](docs/configuring-playbook-bridge-mautrix-meta-instagram.md) |
+| [mautrix-meta](https://github.com/mautrix/meta) | ❌ | Bridge to [Messenger](https://messenger.com/) and [Instagram](https://instagram.com/) | Link for [Messenger](docs/configuring-playbook-bridge-mautrix-meta-messenger.md) / [Instagram](docs/configuring-playbook-bridge-mautrix-meta-instagram.md) |
 | [mautrix-signal](https://github.com/mautrix/signal) | ❌ | Bridge to [Signal](https://www.signal.org/) | [Link](docs/configuring-playbook-bridge-mautrix-signal.md) |
 | [beeper-linkedin](https://github.com/beeper/linkedin) | ❌ | Bridge to [LinkedIn](https://www.linkedin.com/) | [Link](docs/configuring-playbook-bridge-beeper-linkedin.md) |
 | [matrix-appservice-irc](https://github.com/matrix-org/matrix-appservice-irc) | ❌ | Bridge to [IRC](https://wikipedia.org/wiki/Internet_Relay_Chat) | [Link](docs/configuring-playbook-bridge-appservice-irc.md) |

docs/configuring-playbook-tuwunel.md

@@ -166,7 +166,14 @@ matrix_tuwunel_config_prevent_media_downloads_from:
   - 'heavy\.example\.com$'
 ```
 
-Tuwunel additionally implements [MSC4284 policy servers](https://github.com/matrix-org/matrix-spec-proposals/pull/4284) for room-level federation gating; that lives in room state and needs no playbook configuration.
+Tuwunel additionally implements [MSC4284 policy servers](https://github.com/matrix-org/matrix-spec-proposals/pull/4284) for room-level federation gating. The policy itself lives in room state, but enforcement is opt-in at the server level:
+
+```yaml
+matrix_tuwunel_config_enable_policy_servers: true
+matrix_tuwunel_config_policy_server_request_timeout: 5
+```
+
+When enabled, rooms with a valid `m.room.policy` state event have outgoing events signed by the configured policy server before federation. Transient network or timeout failures fail open (with a warn log), so a policy-server outage will not silently take the room offline.
 
 ### Default room version
 

i18n/requirements.txt

@@ -8,9 +8,9 @@ idna==3.13
 imagesize==2.0.0
 Jinja2==3.1.6
 linkify-it-py==2.1.0
-markdown-it-py==4.1.0
+markdown-it-py==4.2.0
 MarkupSafe==3.0.3
-mdit-py-plugins==0.5.0
+mdit-py-plugins==0.6.0
 mdurl==0.1.2
 myst-parser==5.0.0
 packaging==26.2
@@ -30,4 +30,4 @@ sphinxcontrib-qthelp==2.0.0
 sphinxcontrib-serializinghtml==2.0.0
 tabulate==0.10.0
 uc-micro-py==2.0.0
-urllib3==2.6.3
+urllib3==2.7.0

i18n/translation-templates/docs/configuring-playbook-tuwunel.pot

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-05-07 11:16+0000\n"
+"POT-Creation-Date: 2026-05-09 06:50+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -185,81 +185,85 @@ msgid "Tuwunel accepts regular-expression patterns at every level of remote-serv
 msgstr ""
 
 #: ../../../docs/configuring-playbook-tuwunel.md:169
-msgid "Tuwunel additionally implements [MSC4284 policy servers](https://github.com/matrix-org/matrix-spec-proposals/pull/4284) for room-level federation gating; that lives in room state and needs no playbook configuration."
+msgid "Tuwunel additionally implements [MSC4284 policy servers](https://github.com/matrix-org/matrix-spec-proposals/pull/4284) for room-level federation gating. The policy itself lives in room state, but enforcement is opt-in at the server level:"
 msgstr ""
 
-#: ../../../docs/configuring-playbook-tuwunel.md:171
+#: ../../../docs/configuring-playbook-tuwunel.md:176
+msgid "When enabled, rooms with a valid `m.room.policy` state event have outgoing events signed by the configured policy server before federation. Transient network or timeout failures fail open (with a warn log), so a policy-server outage will not silently take the room offline."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:178
 msgid "Default room version"
 msgstr ""
 
-#: ../../../docs/configuring-playbook-tuwunel.md:173
+#: ../../../docs/configuring-playbook-tuwunel.md:180
 msgid "The role sets `default_room_version: '12'`, so newly created rooms default to Matrix [room version 12](https://github.com/matrix-org/matrix-spec-proposals/pull/4289) (\"Hydra\"). Override `matrix_tuwunel_config_default_room_version` if you need an earlier version for client compatibility."
 msgstr ""
 
-#: ../../../docs/configuring-playbook-tuwunel.md:175
+#: ../../../docs/configuring-playbook-tuwunel.md:182
 msgid "Creating the first user account"
 msgstr ""
 
-#: ../../../docs/configuring-playbook-tuwunel.md:177
+#: ../../../docs/configuring-playbook-tuwunel.md:184
 msgid "Unlike Synapse and Dendrite, Tuwunel does not register users from the command line or via the playbook. On first startup it logs a one-time-use registration token to its journal:"
 msgstr ""
 
-#: ../../../docs/configuring-playbook-tuwunel.md:184
+#: ../../../docs/configuring-playbook-tuwunel.md:191
 msgid "Use the token to create your first account from any client that supports token-gated registration (e.g. [Element Web](configuring-playbook-client-element-web.md)). The account is auto-promoted to admin and invited to the admin room together with the `@conduit:<server_name>` server bot. The bot keeps the legacy `conduit` localpart due to the project's lineage from Conduit."
 msgstr ""
 
-#: ../../../docs/configuring-playbook-tuwunel.md:186
+#: ../../../docs/configuring-playbook-tuwunel.md:193
 msgid "Configuring bridges and appservices"
 msgstr ""
 
-#: ../../../docs/configuring-playbook-tuwunel.md:188
+#: ../../../docs/configuring-playbook-tuwunel.md:195
 msgid "The playbook does not auto-register appservices for Tuwunel. After your bridge has produced its `registration.yaml` (e.g. `/matrix/mautrix-signal/bridge/registration.yaml`), register it manually by sending the contents to the admin room, prefixed with `!admin appservices register` and wrapped in a fenced code block:"
 msgstr ""
 
-#: ../../../docs/configuring-playbook-tuwunel.md:209
+#: ../../../docs/configuring-playbook-tuwunel.md:216
 msgid "Registrations stored this way are persisted in the database and survive restarts. Re-running the command with the same `id` replaces the existing entry. See [Application services](https://matrix-construct.github.io/tuwunel/appservices.html) for the full reference and admin commands."
 msgstr ""
 
-#: ../../../docs/configuring-playbook-tuwunel.md:211
+#: ../../../docs/configuring-playbook-tuwunel.md:218
 msgid "Migrating from conduwuit"
 msgstr ""
 
-#: ../../../docs/configuring-playbook-tuwunel.md:213
+#: ../../../docs/configuring-playbook-tuwunel.md:220
 msgid "Tuwunel is a \"binary swap\" for conduwuit; it reads conduwuit's RocksDB layout directly, so migration is a data move, not an export/import."
 msgstr ""
 
-#: ../../../docs/configuring-playbook-tuwunel.md:215
+#: ../../../docs/configuring-playbook-tuwunel.md:222
 msgid "Set `matrix_homeserver_implementation: tuwunel` on `vars.yml` and remove any `matrix_conduwuit_*` overrides."
 msgstr ""
 
-#: ../../../docs/configuring-playbook-tuwunel.md:216
+#: ../../../docs/configuring-playbook-tuwunel.md:223
 msgid "Run a full installation so that the new service is created and the old one removed (e.g. `just setup-all`)."
 msgstr ""
 
-#: ../../../docs/configuring-playbook-tuwunel.md:217
+#: ../../../docs/configuring-playbook-tuwunel.md:224
 msgid "Run `just run-tags tuwunel-migrate-from-conduwuit`."
 msgstr ""
 
-#: ../../../docs/configuring-playbook-tuwunel.md:219
+#: ../../../docs/configuring-playbook-tuwunel.md:226
 msgid "The migration stops `matrix-conduwuit.service`, copies `/matrix/conduwuit` into `/matrix/tuwunel`, renames the config file, and starts `matrix-tuwunel.service`. The freshly generated tuwunel data directory is preserved alongside as `/matrix/tuwunel_old` until you remove it manually."
 msgstr ""
 
-#: ../../../docs/configuring-playbook-tuwunel.md:221
+#: ../../../docs/configuring-playbook-tuwunel.md:228
 msgid "[!CAUTION] Migrating from any other Conduit derivative (Conduit itself, Continuwuity, or any other fork) is **not supported** and will corrupt your database. All Conduit forks share the same linear database version with no awareness of each other; switching between them produces unrecoverable damage. See the [upstream migration table](https://matrix-construct.github.io/tuwunel/#migrating-to-tuwunel)."
 msgstr ""
 
-#: ../../../docs/configuring-playbook-tuwunel.md:224
+#: ../../../docs/configuring-playbook-tuwunel.md:231
 msgid "Troubleshooting"
 msgstr ""
 
-#: ../../../docs/configuring-playbook-tuwunel.md:226
+#: ../../../docs/configuring-playbook-tuwunel.md:233
 msgid "As with all other services, the logs are available via [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html):"
 msgstr ""
 
-#: ../../../docs/configuring-playbook-tuwunel.md:232
+#: ../../../docs/configuring-playbook-tuwunel.md:239
 msgid "Logging verbosity is controlled by `matrix_tuwunel_config_log` in [`tracing-subscriber` env-filter syntax](https://docs.rs/tracing-subscriber/latest/tracing_subscriber/filter/struct.EnvFilter.html). The default (`info,state_res=warn`) is reasonable for production; for debugging, try `debug` or scope it tighter, e.g. `info,tuwunel_service::sending=debug`."
 msgstr ""
 
-#: ../../../docs/configuring-playbook-tuwunel.md:234
+#: ../../../docs/configuring-playbook-tuwunel.md:241
 msgid "For RocksDB-level issues, online backups, and offline backup procedures, see the [Tuwunel maintenance guide](https://matrix-construct.github.io/tuwunel/maintenance.html). For protocol-compliance state across MSCs, the spec, and Complement, the project's [compliance dashboard](https://matrix-construct.github.io/tuwunel/development/compliance.html) is the authoritative tracker."
 msgstr ""

mise.toml

@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
 [tools]
-prek = "0.3.13"
+prek = "0.4.0"
 
 [settings]
 yes = true

requirements.yml

@@ -27,7 +27,7 @@
   version: 542a2d68db4e9a8e9bb4b508052760b900c7dce6
   name: docker_sdk_for_python
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-etherpad.git
-  version: v2.7.3-0
+  version: v2.7.2-1
   name: etherpad
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-exim-relay.git
   version: v4.99.1-r0-2-1
@@ -75,7 +75,7 @@
   version: v0.19.1-4
   name: prometheus_postgres_exporter
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-sable.git
-  version: v1.15.2-0
+  version: v1.16.0-0
   name: sable
 - src: git+https://github.com/devture/com.devture.ansible.role.systemd_docker_base.git
   version: v1.5.0-0
@@ -87,7 +87,7 @@
   version: v1.1.0-1
   name: timesync
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik.git
-  version: v3.7.0-0
+  version: v3.7.1-0
   name: traefik
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik-certs-dumper.git
   version: v2.10.0-7

roles/custom/matrix-alertmanager-receiver/defaults/main.yml

@@ -11,7 +11,7 @@
 matrix_alertmanager_receiver_enabled: true
 
 # renovate: datasource=docker depName=docker.io/metio/matrix-alertmanager-receiver
-matrix_alertmanager_receiver_version: 2026.5.6
+matrix_alertmanager_receiver_version: 2026.5.13
 
 matrix_alertmanager_receiver_scheme: https
 

roles/custom/matrix-bot-baibot/defaults/main.yml

@@ -17,7 +17,7 @@ matrix_bot_baibot_container_repo_version: "{{ 'main' if matrix_bot_baibot_versio
 matrix_bot_baibot_container_src_files_path: "{{ matrix_base_data_path }}/baibot/container-src"
 
 # renovate: datasource=docker depName=ghcr.io/etkecc/baibot
-matrix_bot_baibot_version: v1.18.0
+matrix_bot_baibot_version: v1.19.1
 matrix_bot_baibot_container_image: "{{ matrix_bot_baibot_container_image_registry_prefix }}etkecc/baibot:{{ matrix_bot_baibot_version }}"
 matrix_bot_baibot_container_image_registry_prefix: "{{ 'localhost/' if matrix_bot_baibot_container_image_self_build else matrix_bot_baibot_container_image_registry_prefix_upstream }}"
 matrix_bot_baibot_container_image_registry_prefix_upstream: "{{ matrix_bot_baibot_container_image_registry_prefix_upstream_default }}"

roles/custom/matrix-client-element/defaults/main.yml

@@ -29,7 +29,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/eleme
 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_facts['memtotal_mb'] < 4096 }}"
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/element-web
-matrix_client_element_version: v1.12.17
+matrix_client_element_version: v1.12.18
 
 matrix_client_element_container_image: "{{ matrix_client_element_container_image_registry_prefix }}element-hq/element-web:{{ matrix_client_element_version }}"
 matrix_client_element_container_image_registry_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_client_element_container_image_registry_prefix_upstream }}"

roles/custom/matrix-continuwuity/defaults/main.yml

@@ -13,7 +13,7 @@ matrix_continuwuity_enabled: true
 matrix_continuwuity_hostname: ''
 
 # renovate: datasource=docker depName=forgejo.ellis.link/continuwuation/continuwuity
-matrix_continuwuity_version: v0.5.8
+matrix_continuwuity_version: v0.5.9
 
 matrix_continuwuity_container_image: "{{ matrix_continuwuity_container_image_registry_prefix }}/continuwuation/continuwuity:{{ matrix_continuwuity_container_image_tag }}"
 matrix_continuwuity_container_image_tag: "{{ matrix_continuwuity_version }}"

roles/custom/matrix-element-call/defaults/main.yml

@@ -21,7 +21,7 @@ matrix_element_call_enabled: false
 matrix_rtc_enabled: "{{ matrix_element_call_enabled }}"
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/element-call
-matrix_element_call_version: v0.19.2
+matrix_element_call_version: v0.19.3
 
 matrix_element_call_scheme: https
 

roles/custom/matrix-rageshake/defaults/main.yml

@@ -24,7 +24,7 @@ matrix_rageshake_path_prefix: /
 # There are no stable container image tags yet.
 # See: https://github.com/matrix-org/rageshake/issues/69
 # renovate: datasource=docker depName=ghcr.io/matrix-org/rageshake
-matrix_rageshake_version: 1.17.1
+matrix_rageshake_version: 1.18.0
 
 matrix_rageshake_base_path: "{{ matrix_base_data_path }}/rageshake"
 matrix_rageshake_config_path: "{{ matrix_rageshake_base_path }}/config"

roles/custom/matrix-sygnal/defaults/main.yml

@@ -22,7 +22,7 @@ matrix_sygnal_hostname: ''
 matrix_sygnal_path_prefix: /
 
 # renovate: datasource=docker depName=matrixdotorg/sygnal
-matrix_sygnal_version: v0.15.1
+matrix_sygnal_version: v0.17.0
 
 matrix_sygnal_base_path: "{{ matrix_base_data_path }}/sygnal"
 matrix_sygnal_config_path: "{{ matrix_sygnal_base_path }}/config"

roles/custom/matrix-synapse/defaults/main.yml

@@ -16,7 +16,7 @@ matrix_synapse_enabled: true
 matrix_synapse_github_org_and_repo: element-hq/synapse
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/synapse
-matrix_synapse_version: v1.152.0
+matrix_synapse_version: v1.152.1
 
 matrix_synapse_username: ''
 matrix_synapse_uid: ''
@@ -1616,7 +1616,7 @@ matrix_synapse_ext_encryption_config_yaml: |
 # Enabling this will enable customizations and inject the appropriate Dockerfile clauses for installing synapse-s3-storage-provider.
 matrix_synapse_ext_synapse_s3_storage_provider_enabled: false
 # renovate: datasource=github-releases depName=matrix-org/synapse-s3-storage-provider
-matrix_synapse_ext_synapse_s3_storage_provider_version: 1.6.0
+matrix_synapse_ext_synapse_s3_storage_provider_version: 1.6.1
 # Controls whether media from this (local) server is stored in s3-storage-provider
 matrix_synapse_ext_synapse_s3_storage_provider_store_local: true
 # Controls whether media from remote servers is stored in s3-storage-provider
@@ -1844,7 +1844,7 @@ matrix_synapse_register_user_script_matrix_authentication_service_path: ""
 matrix_synapse_reverse_proxy_companion_enabled: "{{ matrix_synapse_enabled and matrix_synapse_workers_enabled }}"
 
 # renovate: datasource=docker depName=nginx
-matrix_synapse_reverse_proxy_companion_version: 1.30.0-alpine
+matrix_synapse_reverse_proxy_companion_version: 1.31.0-alpine
 
 matrix_synapse_reverse_proxy_companion_base_path: "{{ matrix_synapse_base_path }}/reverse-proxy-companion"
 matrix_synapse_reverse_proxy_companion_confd_path: "{{ matrix_synapse_reverse_proxy_companion_base_path }}/conf.d"

roles/custom/matrix-tuwunel/defaults/main.yml

@@ -13,7 +13,7 @@ matrix_tuwunel_enabled: true
 matrix_tuwunel_hostname: ''
 
 # renovate: datasource=docker depName=ghcr.io/matrix-construct/tuwunel
-matrix_tuwunel_version: v1.6.1
+matrix_tuwunel_version: v1.6.2
 
 matrix_tuwunel_container_image: "{{ matrix_tuwunel_container_image_registry_prefix }}matrix-construct/tuwunel:{{ matrix_tuwunel_container_image_tag }}"
 matrix_tuwunel_container_image_tag: "{{ matrix_tuwunel_version }}"
@@ -177,6 +177,18 @@ matrix_tuwunel_config_forbidden_remote_server_names: []
 matrix_tuwunel_config_forbidden_remote_room_directory_server_names: []
 matrix_tuwunel_config_prevent_media_downloads_from: []
 
+# MSC4284 policy server enforcement.
+# When enabled, rooms with a valid `m.room.policy` state event will have
+# outgoing events signed by the configured policy server before federation.
+# Refusal aborts the local request; transient network or timeout failures
+# fail open with a warn log so a policy-server outage does not silently
+# take the room offline.
+matrix_tuwunel_config_enable_policy_servers: false
+
+# Timeout (in seconds) for outbound `/sign` calls and inbound
+# signature-fetches against a room's policy server.
+matrix_tuwunel_config_policy_server_request_timeout: 5
+
 # Outgoing presence is heavy on CPU and network and almost no clients use it. Off by default.
 matrix_tuwunel_config_allow_outgoing_presence: false
 

roles/custom/matrix-tuwunel/templates/tuwunel.toml.j2

@@ -57,6 +57,9 @@ forbidden_remote_room_directory_server_names = {{ matrix_tuwunel_config_forbidde
 prevent_media_downloads_from = {{ matrix_tuwunel_config_prevent_media_downloads_from | to_json }}
 {% endif %}
 
+enable_policy_servers = {{ matrix_tuwunel_config_enable_policy_servers | to_json }}
+policy_server_request_timeout = {{ matrix_tuwunel_config_policy_server_request_timeout }}
+
 allow_outgoing_presence = {{ matrix_tuwunel_config_allow_outgoing_presence | to_json }}
 
 {% if matrix_tuwunel_config_url_preview_domain_contains_allowlist | length > 0 %}