Update dependency ntfy to v2.25.0-0

The role shipped its own copy of the bridge's Dockerfile and templated it
over the cloned source before building. That copy had already drifted from
upstream (e.g. missing libheif-plugin-libde265) and required separate
maintenance (Renovate bumping the base image here instead of upstream).

Build from the cloned repo's own Dockerfile instead, matching every other
self-build role (e.g. matrix-bridge-steam). The Dockerfile now tracks the
pinned bridge version automatically.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

.github/workflows/matrix.yml

@@ -26,10 +26,10 @@ jobs:
         run: pacman -Sy --noconfirm git
 
       - name: Check out
-        uses: actions/checkout@v6
+        uses: actions/checkout@v7
 
       - name: Restore prek cache
-        uses: actions/cache@v5
+        uses: actions/cache@v6
         with:
           path: var/prek
           key: arch-prek-v1-${{ hashFiles('.pre-commit-config.yaml') }}

.github/workflows/update-translations.yml

@@ -24,7 +24,7 @@ jobs:
     name: Update translations
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
 
       - uses: actions/setup-python@v6
         with:

CHANGELOG.md

@@ -1,3 +1,13 @@
+# 2026-06-24
+
+## Support for bridging to iMessage via RustPush
+
+Thanks to [jasonlaguidice](https://github.com/jasonlaguidice), the playbook now supports bridging to [iMessage](https://support.apple.com/messages) via a new [RustPush](https://github.com/OpenBubbles/rustpush)-based bridge ([jasonlaguidice/imessage](https://github.com/jasonlaguidice/imessage)).
+
+Unlike the existing [mautrix-wsproxy](./docs/configuring-playbook-bridge-mautrix-wsproxy.md) iMessage bridge, this one talks directly to Apple's push notification service, so it needs neither a running Mac nor a wsproxy on the homeserver. Each user supplies a hardware key extracted from a Mac through the bridge bot's login flow.
+
+To learn more, see our [Setting up RustPush (iMessage) bridging](./docs/configuring-playbook-bridge-rustpush.md) documentation page.
+
 # 2026-05-24
 
 ## matrix-ldap-registration-proxy has been removed from the playbook

README.md

@@ -117,6 +117,7 @@ Bridges can be used to connect your Matrix installation with third-party communi
 | [mautrix-gmessages](https://github.com/mautrix/gmessages) | ❌ | Bridge to [Google Messages](https://messages.google.com/) | [Link](docs/configuring-playbook-bridge-mautrix-gmessages.md) |
 | [mautrix-whatsapp](https://github.com/mautrix/whatsapp) | ❌ | Bridge to [WhatsApp](https://www.whatsapp.com/) | [Link](docs/configuring-playbook-bridge-mautrix-whatsapp.md) |
 | [mautrix-wsproxy](https://github.com/mautrix/wsproxy) | ❌ | Bridge to Android SMS or Apple iMessage | [Link](docs/configuring-playbook-bridge-mautrix-wsproxy.md) |
+| [matrix-rustpush-bridge](https://github.com/jasonlaguidice/imessage) | ❌ | Bridge to [iMessage](https://support.apple.com/messages) via Apple Push Notification service | [Link](docs/configuring-playbook-bridge-rustpush.md) |
 | [mautrix-bluesky](https://github.com/mautrix/bluesky) | ❌ | Bridge to [Bluesky](https://bsky.social/) | [Link](docs/configuring-playbook-bridge-mautrix-bluesky.md) |
 | [mautrix-twitter](https://github.com/mautrix/twitter) | ❌ | Bridge to [Twitter](https://twitter.com/) | [Link](docs/configuring-playbook-bridge-mautrix-twitter.md) |
 | [mautrix-googlechat](https://github.com/mautrix/googlechat) | ❌ | Bridge to [Google Chat](https://en.wikipedia.org/wiki/Google_Chat) | [Link](docs/configuring-playbook-bridge-mautrix-googlechat.md) |

docs/configuring-playbook-bridge-rustpush.md

@@ -0,0 +1,95 @@
+<!--
+SPDX-FileCopyrightText: 2026 MDAD project contributors
+SPDX-FileCopyrightText: 2026 Jason LaGuidice
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+-->
+
+# Setting up RustPush (iMessage) bridging (optional)
+
+> **Note:** This bridge is in early development and may have stability issues. It may not be desirable to deploy this to a large number of users. Your testing and feedback is appreciated.
+
+<sup>Refer the common guide for configuring mautrix bridges: [Setting up a Generic Mautrix Bridge](configuring-playbook-bridge-mautrix-bridges.md)</sup>
+
+The playbook can install and configure [RustPush bridge to iMessage](https://github.com/jasonlaguidice/imessage) for you using Apple's push notification service.
+
+See the project's [documentation](https://github.com/jasonlaguidice/imessage/blob/main/README.md) to learn what it does and why it might be useful to you.
+
+## Prerequisites
+
+### Hardware Key Extraction
+
+To use this bridge on Linux (Docker), each user needs a **hardware key** extracted from a real Mac. This key contains hardware identifiers needed for iMessage registration. Hardware keys can be shared by a number of users (approximately 20) before causing issues with Apple.
+
+The key is entered interactively through the bridge bot's login flow (not configured via Ansible variables). See the upstream [README](https://github.com/jasonlaguidice/imessage/blob/main/README.md) for instructions on extracting the key.
+
+If extracted from an Intel Mac, the Mac does not need to remain running after the key is extracted for this bridge to work. Apple Silicon Macs must run a NAC relay and thus must remain running.
+
+### Phone Number Registration (optional)
+
+This bridge can **not** do phone number registration (PNR). The only way to have your phone number registered and used (instead of an Apple ID e-mail address) is to have an iPhone connected to your Apple account. Reference the [BlueBubbles Phone Number Registration Guide](https://docs.bluebubbles.app/server/advanced/registering-a-phone-number-with-your-imessage-account) for information on how to set this up.
+
+### Enable Appservice Double Puppet (optional)
+
+If you want to set up [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do) for this bridge automatically, you need to have enabled [Appservice Double Puppet](configuring-playbook-appservice-double-puppet.md) service for this playbook.
+
+See [this section](configuring-playbook-bridge-mautrix-bridges.md#set-up-double-puppeting-optional) on the [common guide for configuring mautrix bridges](configuring-playbook-bridge-mautrix-bridges.md) for details about setting up Double Puppeting.
+
+## Adjusting the playbook configuration
+
+To enable the bridge, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:
+
+```yaml
+matrix_rustpush_bridge_enabled: true
+```
+
+### Disable Backfill (optional)
+
+Backfill can be disabled globally if desired via config. By default, the bridge will backfill from iCloud (CloudKit) and APNS if available. Backfill from `chat.db` is only possible when the bridge is running on MacOS.
+
+```yaml
+matrix_rustpush_bridge_backfill_enabled: false
+```
+
+### Extending the Configuration
+
+There are some additional things you may wish to configure about the bridge.
+
+See [this section](configuring-playbook-bridge-mautrix-bridges.md#extending-the-configuration) on the [common guide for configuring mautrix bridges](configuring-playbook-bridge-mautrix-bridges.md) for details about variables that you can customize and the bridge's default configuration, including [bridge permissions](configuring-playbook-bridge-mautrix-bridges.md#configure-bridge-permissions-optional), [encryption support](configuring-playbook-bridge-mautrix-bridges.md#enable-encryption-optional), [bot's username](configuring-playbook-bridge-mautrix-bridges.md#set-the-bots-username-optional), etc.
+
+## Installing
+
+After configuring the playbook, run it with [playbook tags](playbook-tags.md) as below:
+
+<!-- NOTE: let this conservative command run (instead of install-all) to make it clear that failure of the command means something is clearly broken. -->
+```sh
+ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
+```
+
+**Notes**:
+
+- The shortcut commands with the [`just` program](just.md) are also available: `just install-all` or `just setup-all`
+
+  `just install-all` is useful for maintaining your setup quickly ([2x-5x faster](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) than `just setup-all`) when its components remain unchanged. If you adjust your `vars.yml` to remove other components, you'd need to run `just setup-all`, or these components will still remain installed.
+
+## Usage
+
+To use the bridge, you need to start a chat with `@rustpushbot:example.com` (where `example.com` is your base domain, not the `matrix.` domain).
+
+After logging in, the bridge will start receiving iMessages and creating portal rooms.
+
+## Troubleshooting
+
+As with all other services, you can find the logs in [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) by logging in to the server with SSH and running `journalctl -fu matrix-rustpush-bridge`.
+
+### Increase logging verbosity
+
+The default logging level for this component is `warn`. If you want to increase the verbosity, add the following configuration to your `vars.yml` file and re-run the playbook:
+
+```yaml
+# Valid values: fatal, error, warn, info, debug, trace
+matrix_rustpush_bridge_logging_level: 'debug'
+
+# Enable debug logging for RustPush
+matrix_rustpush_bridge_rust_log: "warn,rustpushgo=info,openabsinthe=debug"
+```

docs/configuring-playbook.md

@@ -158,6 +158,8 @@ Bridges can be used to connect your Matrix installation with third-party communi
 
 - [Setting up Mautrix wsproxy for bridging Android SMS or Apple iMessage](configuring-playbook-bridge-mautrix-wsproxy.md)
 
+- [Setting up RustPush (iMessage) bridging](configuring-playbook-bridge-rustpush.md)
+
 - [Setting up Appservice IRC bridging](configuring-playbook-bridge-appservice-irc.md)
 
 - [Setting up Appservice Discord bridging](configuring-playbook-bridge-appservice-discord.md)

docs/container-images.md

@@ -107,6 +107,7 @@ Bridges can be used to connect your Matrix installation with third-party communi
 | [Heisenbridge](configuring-playbook-bridge-heisenbridge.md) | [hif1/heisenbridge](https://hub.docker.com/r/hif1/heisenbridge) | ❌ | Bouncer-style bridge to [IRC](https://wikipedia.org/wiki/Internet_Relay_Chat) |
 | [mx-puppet-groupme](configuring-playbook-bridge-mx-puppet-groupme.md) | [xangelix/mx-puppet-groupme](https://hub.docker.com/r/xangelix/mx-puppet-groupme) | ❌ | Bridge to [GroupMe](https://groupme.com/) |
 | [matrix-steam-bridge](configuring-playbook-bridge-steam.md) | [jasonlaguidice/matrix-steam-bridge](https://github.com/jasonlaguidice/matrix-steam-bridge/pkgs/container/matrix-steam-bridge) | ❌ | Bridge to [Steam](https://steampowered.com/) |
+| [matrix-rustpush-bridge](configuring-playbook-bridge-rustpush.md) | [jasonlaguidice/imessage](https://github.com/jasonlaguidice/imessage/pkgs/container/imessage) | ❌ | Bridge to [iMessage](https://support.apple.com/messages) via Apple Push Notification service |
 | [mx-puppet-steam](configuring-playbook-bridge-mx-puppet-steam.md) | [icewind1991/mx-puppet-steam](https://hub.docker.com/r/icewind1991/mx-puppet-steam) | ❌ | Bridge to [Steam](https://steamapp.com/) |
 | [Postmoogle](configuring-playbook-bridge-postmoogle.md) | [etke.cc/postmoogle](https://github.com/etkecc/postmoogle/container_registry) | ❌ | Email to Matrix bridge |
 

examples/reverse-proxies/nginx-proxy-manager/README.md

@@ -44,27 +44,19 @@ Custom Nginx Configuration:
 	client_max_body_size 50M;
 ```
 
-Again, under the 'Proxy Hosts' page select `Add Proxy Host`, this time for your federation traffic. Apply the proxy's configuration like this:
+Then, under the 'Streams' page select `Add Stream`, this time for your federation traffic. Apply the configuration like this:
 
 ```md
 # Details
 # Matrix Federation proxy config
-Domain Names: matrix.example.com:8448
+Incoming Port: 8448
-Scheme: http
+Forward Host/IP: IP-ADDRESS-OF-YOUR-MATRIX
-Forward Hostname/IP: IP-ADDRESS-OF-YOUR-MATRIX
 Forward Port: 8449
+Protocols: TCP
 
 # SSL
 # Either 'Request a new certificate' or select an existing one
 SSL Certificate: matrix.example.com or *.example.com
-Force SSL: true
-HTTP/2 Support: true
-
-# Advanced
-# Allows NPM to listen on the federation port
-Custom Nginx Configuration:
-	listen 8448 ssl http2;
-	client_max_body_size 50M;
 ```
 
 Also note, NPM would need to be configured for whatever other services you are using. For example, you would need to create additional proxy hosts for `element.example.com` or `jitsi.example.com`, which would use the forwarding port `81`.

group_vars/matrix_servers

@@ -114,6 +114,8 @@ matrix_homeserver_container_extra_arguments_auto: |
     +
     (['--mount type=bind,src=' + matrix_mautrix_bluesky_config_path + '/registration.yaml,dst=/matrix-mautrix-bluesky-registration.yaml,ro'] if matrix_mautrix_bluesky_enabled else [])
     +
+    (['--mount type=bind,src=' + matrix_rustpush_bridge_config_path + '/registration.yaml,dst=/matrix-rustpush-bridge-registration.yaml,ro'] if matrix_rustpush_bridge_enabled else [])
+    +
     (['--mount type=bind,src=' + matrix_mautrix_discord_config_path + '/registration.yaml,dst=/matrix-mautrix-discord-registration.yaml,ro'] if matrix_mautrix_discord_enabled else [])
     +
     (['--mount type=bind,src=' + matrix_mautrix_slack_config_path + '/registration.yaml,dst=/matrix-mautrix-slack-registration.yaml,ro'] if matrix_mautrix_slack_enabled else [])
@@ -171,6 +173,8 @@ matrix_homeserver_app_service_config_files_auto: |
     +
     (['/matrix-mautrix-bluesky-registration.yaml'] if matrix_mautrix_bluesky_enabled else [])
     +
+    (['/matrix-rustpush-bridge-registration.yaml'] if matrix_rustpush_bridge_enabled else [])
+    +
     (['/matrix-mautrix-discord-registration.yaml'] if matrix_mautrix_discord_enabled else [])
     +
     (['/matrix-mautrix-slack-registration.yaml'] if matrix_mautrix_slack_enabled else [])
@@ -436,6 +440,13 @@ devture_systemd_service_manager_services_list_auto: |
       'groups': ['matrix', 'bridges', 'mautrix-bluesky'],
     }] if matrix_mautrix_bluesky_enabled else [])
     +
+    ([{
+      'name': 'matrix-rustpush-bridge.service',
+      'priority': 2000,
+      'restart_necessary': (matrix_rustpush_bridge_restart_necessary | bool),
+      'groups': ['matrix', 'bridges', 'matrix-rustpush-bridge'],
+    }] if matrix_rustpush_bridge_enabled else [])
+    +
     ([{
       'name': 'matrix-mautrix-discord.service',
       'priority': 2000,
@@ -1469,6 +1480,77 @@ matrix_mautrix_bluesky_database_password: "{{ (matrix_homeserver_generic_secret_
 #
 ######################################################################
 
+
+######################################################################
+#
+# matrix-bridge-rustpush
+#
+######################################################################
+
+# We don't enable bridges by default.
+matrix_rustpush_bridge_enabled: false
+
+matrix_rustpush_bridge_systemd_required_services_list_auto: |
+  {{
+    matrix_addons_homeserver_systemd_services_list
+    +
+    ([postgres_identifier ~ '.service'] if (postgres_enabled and matrix_rustpush_bridge_database_hostname == postgres_connection_hostname) else [])
+  }}
+
+matrix_rustpush_bridge_container_network: "{{ matrix_addons_container_network }}"
+
+matrix_rustpush_bridge_container_additional_networks_auto: |-
+  {{
+    (
+      ([] if matrix_addons_homeserver_container_network == '' else [matrix_addons_homeserver_container_network])
+      +
+      ([postgres_container_network] if (postgres_enabled and matrix_rustpush_bridge_database_hostname == postgres_connection_hostname and matrix_rustpush_bridge_container_network != postgres_container_network) else [])
+      +
+      ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network and matrix_rustpush_bridge_container_labels_traefik_enabled else [])
+    ) | unique
+  }}
+
+matrix_rustpush_bridge_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
+matrix_rustpush_bridge_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
+matrix_rustpush_bridge_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
+matrix_rustpush_bridge_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"
+
+matrix_rustpush_bridge_container_labels_metrics_middleware_basic_auth_enabled: "{{ matrix_metrics_exposure_http_basic_auth_enabled }}"
+matrix_rustpush_bridge_container_labels_metrics_middleware_basic_auth_users: "{{ matrix_metrics_exposure_http_basic_auth_users }}"
+
+matrix_rustpush_bridge_appservice_token: "{{ (matrix_homeserver_generic_secret_key + ':imsg.as.token') | hash('sha512') | to_uuid }}"
+
+matrix_rustpush_bridge_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
+matrix_rustpush_bridge_homeserver_token: "{{ (matrix_homeserver_generic_secret_key + ':imsg.hs.token') | hash('sha512') | to_uuid }}"
+
+matrix_rustpush_bridge_homeserver_async_media: "{{ matrix_homeserver_implementation in ['synapse'] }}"
+
+matrix_rustpush_bridge_provisioning_shared_secret: "{{ (matrix_homeserver_generic_secret_key + ':mau.imsg.prov') | hash('sha512') | to_uuid }}"
+
+matrix_rustpush_bridge_double_puppet_secrets_auto: |-
+  {{
+    ({
+      matrix_rustpush_bridge_homeserver_domain: ("as_token:" + matrix_appservice_double_puppet_registration_as_token)
+    })
+    if matrix_appservice_double_puppet_enabled
+    else {}
+  }}
+
+matrix_rustpush_bridge_metrics_enabled: "{{ prometheus_enabled or matrix_metrics_exposure_enabled }}"
+
+matrix_rustpush_bridge_metrics_proxying_enabled: "{{ matrix_rustpush_bridge_metrics_enabled and matrix_metrics_exposure_enabled }}"
+matrix_rustpush_bridge_metrics_proxying_hostname: "{{ matrix_metrics_exposure_hostname }}"
+matrix_rustpush_bridge_metrics_proxying_path_prefix: "{{ matrix_metrics_exposure_path_prefix }}/rustpush-bridge"
+
+matrix_rustpush_bridge_database_hostname: "{{ postgres_connection_hostname if postgres_enabled else '' }}"
+matrix_rustpush_bridge_database_password: "{{ (matrix_homeserver_generic_secret_key + ':mau.imsg.db') | hash('sha512') | to_uuid if postgres_enabled else '' }}"
+
+######################################################################
+#
+# /matrix-bridge-rustpush
+#
+######################################################################
+
 ######################################################################
 #
 # matrix-bridge-mautrix-discord
@@ -4052,6 +4134,12 @@ postgres_managed_databases_auto: |
       'password': matrix_mautrix_bluesky_database_password,
     }] if (matrix_mautrix_bluesky_enabled and matrix_mautrix_bluesky_database_engine == 'postgres' and matrix_mautrix_bluesky_database_hostname == postgres_connection_hostname) else [])
     +
+    ([{
+      'name': matrix_rustpush_bridge_database_name,
+      'username': matrix_rustpush_bridge_database_username,
+      'password': matrix_rustpush_bridge_database_password,
+    }] if (matrix_rustpush_bridge_enabled and matrix_rustpush_bridge_database_engine == 'postgres' and matrix_rustpush_bridge_database_hostname == postgres_connection_hostname) else [])
+    +
     ([{
       'name': matrix_mautrix_googlechat_database_name,
       'username': matrix_mautrix_googlechat_database_username,
@@ -4992,6 +5080,11 @@ matrix_ketesa_config_asManagedUsers_auto: |
       '^@bluesky_[a-zA-Z0-9]+:'+(matrix_domain | regex_escape)+'$',
     ] if matrix_mautrix_bluesky_enabled else [])
     +
+    ([
+      '^@'+(matrix_rustpush_bridge_appservice_bot_username | default('') | regex_escape)+':'+(matrix_domain | regex_escape)+'$',
+      '^@rustpush_[a-zA-Z0-9_.+-]+:'+(matrix_domain | regex_escape)+'$',
+    ] if matrix_rustpush_bridge_enabled else [])
+    +
     ([
       '^@'+(matrix_mautrix_discord_appservice_bot_username | default('') | regex_escape)+':'+(matrix_domain | regex_escape)+'$',
       '^@discord_[0-9]+:'+(matrix_domain | regex_escape)+'$',

i18n/requirements.txt

@@ -1,8 +1,8 @@
 alabaster==1.0.0
 babel==2.18.0
-certifi==2026.5.20
+certifi==2026.6.17
 charset-normalizer==3.4.7
-click==8.4.1
+click==8.4.2
 docutils==0.23
 idna==3.18
 imagesize==2.0.0

mise.toml

@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
 [tools]
-prek = "0.4.4"
+prek = "0.4.5"
 
 [settings]
 yes = true

requirements.yml

@@ -7,7 +7,7 @@
   version: v1.4.4-2.1.4-1
   name: backup_borg
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-cinny.git
-  version: v4.12.2-0
+  version: v4.12.3-0
   name: cinny
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-container-socket-proxy.git
   version: v0.4.2-5
@@ -33,7 +33,7 @@
   version: v4.99.1-r0-2-1
   name: exim_relay
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-grafana.git
-  version: v11.6.5-10
+  version: v13.0.2-0
   name: grafana
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-hydrogen.git
   version: v0.5.1-5
@@ -45,7 +45,7 @@
   version: v1.13.1-0
   name: livekit_server
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-ntfy.git
-  version: v2.24.0-0
+  version: v2.25.0-0
   name: ntfy
 - src: git+https://github.com/devture/com.devture.ansible.role.playbook_help.git
   version: ea8c5cc750c4e23d004c9a836dfd9eda82d45ff4
@@ -75,7 +75,7 @@
   version: v0.19.1-4
   name: prometheus_postgres_exporter
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-sable.git
-  version: v1.18.1-0
+  version: v1.18.3-0
   name: sable
 - src: git+https://github.com/devture/com.devture.ansible.role.systemd_docker_base.git
   version: v1.5.0-0
@@ -90,7 +90,7 @@
   version: v3.7.5-0
   name: traefik
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik-certs-dumper.git
-  version: v2.10.0-7
+  version: v2.11.4-0
   name: traefik_certs_dumper
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-valkey.git
   version: v9.1.0-0

roles/custom/matrix-alertmanager-receiver/defaults/main.yml

@@ -11,7 +11,7 @@
 matrix_alertmanager_receiver_enabled: true
 
 # renovate: datasource=docker depName=docker.io/metio/matrix-alertmanager-receiver
-matrix_alertmanager_receiver_version: 2026.6.10
+matrix_alertmanager_receiver_version: 2026.6.24
 
 matrix_alertmanager_receiver_scheme: https
 

roles/custom/matrix-authentication-service/defaults/main.yml

@@ -22,7 +22,7 @@ matrix_authentication_service_container_repo_version: "{{ 'main' if matrix_authe
 matrix_authentication_service_container_src_files_path: "{{ matrix_base_data_path }}/matrix-authentication-service/container-src"
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/matrix-authentication-service
-matrix_authentication_service_version: 1.18.0
+matrix_authentication_service_version: 1.19.0
 matrix_authentication_service_container_image_registry_prefix: "{{ 'localhost/' if matrix_authentication_service_container_image_self_build else matrix_authentication_service_container_image_registry_prefix_upstream }}"
 matrix_authentication_service_container_image_registry_prefix_upstream: "{{ matrix_authentication_service_container_image_registry_prefix_upstream_default }}"
 matrix_authentication_service_container_image_registry_prefix_upstream_default: "ghcr.io/"

roles/custom/matrix-bot-baibot/defaults/main.yml

@@ -17,7 +17,7 @@ matrix_bot_baibot_container_repo_version: "{{ 'main' if matrix_bot_baibot_versio
 matrix_bot_baibot_container_src_files_path: "{{ matrix_base_data_path }}/baibot/container-src"
 
 # renovate: datasource=docker depName=ghcr.io/etkecc/baibot
-matrix_bot_baibot_version: v1.21.1
+matrix_bot_baibot_version: v1.23.1
 matrix_bot_baibot_container_image: "{{ matrix_bot_baibot_container_image_registry_prefix }}etkecc/baibot:{{ matrix_bot_baibot_version }}"
 matrix_bot_baibot_container_image_registry_prefix: "{{ 'localhost/' if matrix_bot_baibot_container_image_self_build else matrix_bot_baibot_container_image_registry_prefix_upstream }}"
 matrix_bot_baibot_container_image_registry_prefix_upstream: "{{ matrix_bot_baibot_container_image_registry_prefix_upstream_default }}"

roles/custom/matrix-bot-buscarron/defaults/main.yml

@@ -13,7 +13,7 @@
 matrix_bot_buscarron_enabled: true
 
 # renovate: datasource=docker depName=ghcr.io/etkecc/buscarron
-matrix_bot_buscarron_version: v1.4.3
+matrix_bot_buscarron_version: v1.5.0
 
 # The hostname at which Buscarron is served.
 matrix_bot_buscarron_hostname: ''

roles/custom/matrix-bridge-mautrix-meta-instagram/defaults/main.yml

@@ -20,7 +20,7 @@ matrix_mautrix_meta_instagram_enabled: true
 matrix_mautrix_meta_instagram_identifier: matrix-mautrix-meta-instagram
 
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/meta
-matrix_mautrix_meta_instagram_version: v0.2605.1
+matrix_mautrix_meta_instagram_version: v0.2606.0
 
 matrix_mautrix_meta_instagram_base_path: "{{ matrix_base_data_path }}/mautrix-meta-instagram"
 matrix_mautrix_meta_instagram_config_path: "{{ matrix_mautrix_meta_instagram_base_path }}/config"

roles/custom/matrix-bridge-mautrix-meta-messenger/defaults/main.yml

@@ -20,7 +20,7 @@ matrix_mautrix_meta_messenger_enabled: true
 matrix_mautrix_meta_messenger_identifier: matrix-mautrix-meta-messenger
 
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/meta
-matrix_mautrix_meta_messenger_version: v0.2605.1
+matrix_mautrix_meta_messenger_version: v0.2606.0
 
 matrix_mautrix_meta_messenger_base_path: "{{ matrix_base_data_path }}/mautrix-meta-messenger"
 matrix_mautrix_meta_messenger_config_path: "{{ matrix_mautrix_meta_messenger_base_path }}/config"

roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml

@@ -25,7 +25,7 @@ matrix_mautrix_signal_container_image_self_build_repo: "https://mau.dev/mautrix/
 matrix_mautrix_signal_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_signal_version == 'latest' else matrix_mautrix_signal_version }}"
 
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/signal
-matrix_mautrix_signal_version: v0.2605.0
+matrix_mautrix_signal_version: v0.2606.0
 
 # See: https://mau.dev/mautrix/signal/container_registry
 matrix_mautrix_signal_container_image: "{{ matrix_mautrix_signal_container_image_registry_prefix }}mautrix/signal:{{ matrix_mautrix_signal_container_image_tag }}"

roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml

@@ -17,7 +17,7 @@ matrix_mautrix_slack_container_image_self_build_repo: "https://mau.dev/mautrix/s
 matrix_mautrix_slack_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_slack_version == 'latest' else matrix_mautrix_slack_version }}"
 
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/slack
-matrix_mautrix_slack_version: v0.2605.0
+matrix_mautrix_slack_version: v0.2606.0
 # See: https://mau.dev/mautrix/slack/container_registry
 matrix_mautrix_slack_container_image: "{{ matrix_mautrix_slack_container_image_registry_prefix }}mautrix/slack:{{ matrix_mautrix_slack_version }}"
 matrix_mautrix_slack_container_image_registry_prefix: "{{ 'localhost/' if matrix_mautrix_slack_container_image_self_build else matrix_mautrix_slack_container_image_registry_prefix_upstream }}"

roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml

@@ -26,7 +26,7 @@ matrix_mautrix_telegram_container_image_self_build_repo: "https://mau.dev/mautri
 matrix_mautrix_telegram_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_telegram_version == 'latest' else matrix_mautrix_telegram_version }}"
 
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/telegram
-matrix_mautrix_telegram_version: v0.2605.0
+matrix_mautrix_telegram_version: v0.2606.0
 
 # See: https://mau.dev/mautrix/telegram/container_registry
 matrix_mautrix_telegram_container_image: "{{ matrix_mautrix_telegram_container_image_registry_prefix }}mautrix/telegram:{{ matrix_mautrix_telegram_version }}"

roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml

@@ -22,7 +22,7 @@ matrix_mautrix_twitter_container_image_self_build_repo: "https://github.com/maut
 matrix_mautrix_twitter_container_image_self_build_repo_version: "{{ 'master' if matrix_mautrix_twitter_version == 'latest' else matrix_mautrix_twitter_version }}"
 
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/twitter
-matrix_mautrix_twitter_version: v0.2604.0
+matrix_mautrix_twitter_version: v0.2606.0
 # See: https://mau.dev/tulir/mautrix-twitter/container_registry
 matrix_mautrix_twitter_container_image: "{{ matrix_mautrix_twitter_container_image_registry_prefix }}mautrix/twitter:{{ matrix_mautrix_twitter_version }}"
 matrix_mautrix_twitter_container_image_registry_prefix: "{{ 'localhost/' if matrix_mautrix_twitter_container_image_self_build else matrix_mautrix_twitter_container_image_registry_prefix_upstream }}"

roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml

@@ -28,7 +28,7 @@ matrix_mautrix_whatsapp_container_image_self_build_repo: "https://mau.dev/mautri
 matrix_mautrix_whatsapp_container_image_self_build_branch: "{{ 'master' if matrix_mautrix_whatsapp_version == 'latest' else matrix_mautrix_whatsapp_version }}"
 
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/whatsapp
-matrix_mautrix_whatsapp_version: v0.2605.0
+matrix_mautrix_whatsapp_version: v0.2606.0
 
 # See: https://mau.dev/mautrix/whatsapp/container_registry
 matrix_mautrix_whatsapp_container_image: "{{ matrix_mautrix_whatsapp_container_image_registry_prefix }}mautrix/whatsapp:{{ matrix_mautrix_whatsapp_version }}"

roles/custom/matrix-bridge-rustpush/defaults/main.yml

@@ -0,0 +1,248 @@
+# SPDX-FileCopyrightText: 2026 MDAD project contributors
+# SPDX-FileCopyrightText: 2026 Jason LaGuidice
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+---
+# matrix-bridge-rustpush is a Matrix <-> iMessage bridge using RustPush
+# Project source code URL: https://github.com/jasonlaguidice/imessage
+
+matrix_rustpush_bridge_enabled: false
+
+matrix_rustpush_bridge_container_image_self_build: false
+matrix_rustpush_bridge_container_image_self_build_repo: "https://github.com/jasonlaguidice/imessage.git"
+matrix_rustpush_bridge_container_image_self_build_repo_version: "{{ 'master' if matrix_rustpush_bridge_version == 'latest' else matrix_rustpush_bridge_version }}"
+
+# Adjust to pin to releases
+matrix_rustpush_bridge_version: v0.0.1
+matrix_rustpush_bridge_container_image: "{{ matrix_rustpush_bridge_container_image_registry_prefix }}jasonlaguidice/imessage:{{ matrix_rustpush_bridge_version }}"
+matrix_rustpush_bridge_container_image_registry_prefix: "{{ 'localhost/' if matrix_rustpush_bridge_container_image_self_build else matrix_rustpush_bridge_container_image_registry_prefix_upstream }}"
+matrix_rustpush_bridge_container_image_registry_prefix_upstream: "{{ matrix_rustpush_bridge_container_image_registry_prefix_upstream_default }}"
+matrix_rustpush_bridge_container_image_registry_prefix_upstream_default: "ghcr.io/"
+
+matrix_rustpush_bridge_base_path: "{{ matrix_base_data_path }}/matrix-rustpush-bridge"
+matrix_rustpush_bridge_config_path: "{{ matrix_rustpush_bridge_base_path }}/config"
+matrix_rustpush_bridge_data_path: "{{ matrix_rustpush_bridge_base_path }}/data"
+matrix_rustpush_bridge_container_src_files_path: "{{ matrix_rustpush_bridge_base_path }}/docker-src"
+
+matrix_rustpush_bridge_homeserver_address: ""
+# Whether asynchronous uploads via MSC2246 should be enabled for media.
+matrix_rustpush_bridge_homeserver_async_media: false
+matrix_rustpush_bridge_homeserver_domain: '{{ matrix_domain }}'
+matrix_rustpush_bridge_appservice_address: 'http://matrix-rustpush-bridge:8081'
+
+matrix_rustpush_bridge_msc4190_enabled: "{{ matrix_bridges_msc4190_enabled }}"
+matrix_rustpush_bridge_self_sign_enabled: "{{ matrix_bridges_self_sign_enabled }}"
+
+# A public address that external services can use to reach this appservice.
+matrix_rustpush_bridge_appservice_public_address: ''
+
+# Displayname template for iMessage contacts.
+# Available variables: {{.FirstName}}, {{.LastName}}, {{.Nickname}},
+# {{.Phone}}, {{.Email}}, {{.ID}}
+matrix_rustpush_bridge_network_displayname_template: "{% raw %}{{if .FirstName}}{{.FirstName}}{{if .LastName}} {{.LastName}}{{end}}{{else if .Nickname}}{{.Nickname}}{{else if .Phone}}{{.Phone}}{{else if .Email}}{{.Email}}{{else}}{{.ID}}{{end}} (iMessage){% endraw %}"
+
+matrix_rustpush_bridge_cloudkit_backfill: true
+matrix_rustpush_bridge_video_transcoding: true
+matrix_rustpush_bridge_heic_conversion: true
+matrix_rustpush_bridge_disable_facetime: false
+matrix_rustpush_bridge_statuskit_notifications: true
+matrix_rustpush_bridge_statuskit_share_on_startup: true
+
+matrix_rustpush_bridge_bridge_command_prefix: "!im"
+
+matrix_rustpush_bridge_bridge_permissions: |
+  {{
+    {matrix_rustpush_bridge_homeserver_domain: 'user'}
+    | combine({matrix_admin: 'admin'} if matrix_admin else {})
+  }}
+
+matrix_rustpush_bridge_container_network: ""
+
+matrix_rustpush_bridge_container_additional_networks: "{{ matrix_rustpush_bridge_container_additional_networks_auto + matrix_rustpush_bridge_container_additional_networks_custom }}"
+matrix_rustpush_bridge_container_additional_networks_auto: []
+matrix_rustpush_bridge_container_additional_networks_custom: []
+
+# matrix_rustpush_bridge_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
+# See `../templates/labels.j2` for details.
+#
+# To inject your own other container labels, see `matrix_rustpush_bridge_container_labels_additional_labels`.
+matrix_rustpush_bridge_container_labels_traefik_enabled: true
+matrix_rustpush_bridge_container_labels_traefik_docker_network: "{{ matrix_rustpush_bridge_container_network }}"
+matrix_rustpush_bridge_container_labels_traefik_entrypoints: web-secure
+matrix_rustpush_bridge_container_labels_traefik_tls_certResolver: default  # noqa var-naming
+
+# Controls whether labels will be added that expose metrics
+matrix_rustpush_bridge_container_labels_metrics_enabled: "{{ matrix_rustpush_bridge_metrics_enabled and matrix_rustpush_bridge_metrics_proxying_enabled }}"
+matrix_rustpush_bridge_container_labels_metrics_traefik_rule: "Host(`{{ matrix_rustpush_bridge_metrics_proxying_hostname }}`) && PathPrefix(`{{ matrix_rustpush_bridge_metrics_proxying_path_prefix }}`)"
+matrix_rustpush_bridge_container_labels_metrics_traefik_priority: 0
+matrix_rustpush_bridge_container_labels_metrics_traefik_entrypoints: "{{ matrix_rustpush_bridge_container_labels_traefik_entrypoints }}"
+matrix_rustpush_bridge_container_labels_metrics_traefik_tls: "{{ matrix_rustpush_bridge_container_labels_metrics_traefik_entrypoints != 'web' }}"
+matrix_rustpush_bridge_container_labels_metrics_traefik_tls_certResolver: "{{ matrix_rustpush_bridge_container_labels_traefik_tls_certResolver }}"  # noqa var-naming
+matrix_rustpush_bridge_container_labels_metrics_middleware_basic_auth_enabled: false
+# See: https://doc.traefik.io/traefik/middlewares/http/basicauth/#users
+matrix_rustpush_bridge_container_labels_metrics_middleware_basic_auth_users: ''
+
+# matrix_rustpush_bridge_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
+# See `../templates/labels.j2` for details.
+#
+# Example:
+# matrix_rustpush_bridge_container_labels_additional_labels: |
+#   my.label=1
+#   another.label="here"
+matrix_rustpush_bridge_container_labels_additional_labels: ''
+
+# A list of extra arguments to pass to the container
+matrix_rustpush_bridge_container_extra_arguments: []
+
+# Override the Rust log filter passed to the bridge container via RUST_LOG.
+# Leave empty to use the bridge's built-in default
+# ("warn,rustpush=warn,rustpushgo=info,open_absinthe=info").
+#
+# Useful values:
+#   "warn,rustpushgo=info,open_absinthe=debug"   # NAC emulator diagnostics (_enc field sizes, etc.)
+#   "warn,rustpushgo=info,open_absinthe=debug,rustpush=info"  # + upstream rustpush internals
+#   "debug"                                       # everything (very chatty)
+#
+# The open_absinthe crate logs NAC hardware-key diagnostics at INFO and emulator
+# state at DEBUG. These are suppressed by default to reduce log noise.
+matrix_rustpush_bridge_rust_log: ""
+
+# List of systemd services that matrix-rustpush-bridge.service depends on.
+matrix_rustpush_bridge_systemd_required_services_list: "{{ matrix_rustpush_bridge_systemd_required_services_list_default + matrix_rustpush_bridge_systemd_required_services_list_auto + matrix_rustpush_bridge_systemd_required_services_list_custom }}"
+matrix_rustpush_bridge_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
+matrix_rustpush_bridge_systemd_required_services_list_auto: []
+matrix_rustpush_bridge_systemd_required_services_list_custom: []
+
+# List of systemd services that matrix-rustpush-bridge.service wants
+matrix_rustpush_bridge_systemd_wanted_services_list: []
+
+matrix_rustpush_bridge_appservice_token: ''
+matrix_rustpush_bridge_homeserver_token: ''
+
+# Whether or not created rooms should have federation enabled.
+# If false, created portal rooms will never be federated.
+matrix_rustpush_bridge_matrix_federate_rooms: false
+
+# Database-related configuration fields.
+#
+# To use Postgres:
+# - adjust your database credentials via the `matrix_rustpush_bridge_postgres_*` variables
+matrix_rustpush_bridge_database_engine: 'postgres'
+
+matrix_rustpush_bridge_database_username: 'matrix_rustpush_bridge'
+matrix_rustpush_bridge_database_password: 'some-password'
+matrix_rustpush_bridge_database_hostname: ''
+matrix_rustpush_bridge_database_port: 5432
+matrix_rustpush_bridge_database_name: 'matrix_rustpush_bridge'
+matrix_rustpush_bridge_database_sslmode: disable
+
+matrix_rustpush_bridge_database_connection_string: 'postgres://{{ matrix_rustpush_bridge_database_username }}:{{ matrix_rustpush_bridge_database_password }}@{{ matrix_rustpush_bridge_database_hostname }}:{{ matrix_rustpush_bridge_database_port }}/{{ matrix_rustpush_bridge_database_name }}?sslmode={{ matrix_rustpush_bridge_database_sslmode }}'
+
+matrix_rustpush_bridge_database_uri: "{{
+	{
+		'postgres': matrix_rustpush_bridge_database_connection_string,
+	}[matrix_rustpush_bridge_database_engine]
+}}"
+
+matrix_rustpush_bridge_double_puppet_secrets: "{{ matrix_rustpush_bridge_double_puppet_secrets_auto | combine(matrix_rustpush_bridge_double_puppet_secrets_custom) }}"
+matrix_rustpush_bridge_double_puppet_secrets_auto: {}
+matrix_rustpush_bridge_double_puppet_secrets_custom: {}
+
+matrix_rustpush_bridge_appservice_bot_username: rustpushbot
+matrix_rustpush_bridge_appservice_bot_displayname: RustPush bridge bot
+matrix_rustpush_bridge_appservice_bot_avatar: ''
+
+# Localpart template for MXIDs of remote (iMessage) users.
+# The `{{.}}` placeholder expands to the iMessage handle (phone/email).
+matrix_rustpush_bridge_appservice_username_template: "{% raw %}rustpush_{{.}}{% endraw %}"
+
+# Backfill is disabled by default because Linux Docker cannot access chat.db.
+# On macOS with Full Disk Access, this can be set to true.
+matrix_rustpush_bridge_backfill_enabled: false
+# Maximum number of messages to backfill in empty rooms
+matrix_rustpush_bridge_backfill_max_initial_messages: 50
+
+# Maximum number of missed messages to backfill after bridge restarts
+matrix_rustpush_bridge_backfill_max_catchup_messages: 500
+
+# How many days back to look for chats during initial sync.
+# Default in upstream is 365 (1 year). Set to 0 to disable.
+matrix_rustpush_bridge_initial_sync_days: 365
+
+# Shared secret for authentication of provisioning API requests.
+# If set to "disable", the provisioning API will be disabled.
+matrix_rustpush_bridge_provisioning_shared_secret: disable
+
+# Minimum severity of journal log messages.
+# Valid values: fatal, error, warn, info, debug, trace
+matrix_rustpush_bridge_logging_level: 'warn'
+
+# Whether or not metrics endpoint should be enabled.
+# Enabling them is usually enough for a local (in-container) Prometheus to consume them.
+# If metrics need to be consumed by another (external) Prometheus server, consider exposing them via `matrix_rustpush_bridge_metrics_proxying_enabled`.
+matrix_rustpush_bridge_metrics_enabled: false
+
+# Controls whether metrics should be exposed on a public URL.
+matrix_rustpush_bridge_metrics_proxying_enabled: false
+matrix_rustpush_bridge_metrics_proxying_hostname: ''
+matrix_rustpush_bridge_metrics_proxying_path_prefix: ''
+
+# Default configuration template which covers the generic use case.
+# You can customize it by controlling the various variables inside it.
+#
+# For a more advanced customization, you can extend the default (see `matrix_rustpush_bridge_configuration_extension_yaml`)
+# or completely replace this variable with your own template.
+matrix_rustpush_bridge_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}"
+
+matrix_rustpush_bridge_configuration_extension_yaml: |
+  # Your custom YAML configuration goes here.
+  # This configuration extends the default starting configuration (`matrix_rustpush_bridge_configuration_yaml`).
+  #
+  # You can override individual variables from the default configuration, or introduce new ones.
+  #
+  # If you need something more special, you can take full control by
+  # completely redefining `matrix_rustpush_bridge_configuration_yaml`.
+
+matrix_rustpush_bridge_configuration_extension: "{{ matrix_rustpush_bridge_configuration_extension_yaml | from_yaml if matrix_rustpush_bridge_configuration_extension_yaml | from_yaml is mapping else {} }}"
+
+# Holds the final configuration (a combination of the default and its extension).
+# You most likely don't need to touch this variable. Instead, see `matrix_rustpush_bridge_configuration_yaml`.
+matrix_rustpush_bridge_configuration: "{{ matrix_rustpush_bridge_configuration_yaml | from_yaml | combine(matrix_rustpush_bridge_configuration_extension, recursive=True) }}"
+
+matrix_rustpush_bridge_registration_yaml: |
+  id: rustpush-bridge
+  as_token: "{{ matrix_rustpush_bridge_appservice_token }}"
+  hs_token: "{{ matrix_rustpush_bridge_homeserver_token }}"
+  namespaces:
+    users:
+    - exclusive: true
+      regex: '^@rustpush_.+:{{ matrix_rustpush_bridge_homeserver_domain | regex_escape }}$'
+    - exclusive: true
+      regex: '^@{{ matrix_rustpush_bridge_appservice_bot_username | regex_escape }}:{{ matrix_rustpush_bridge_homeserver_domain | regex_escape }}$'
+  url: {{ matrix_rustpush_bridge_appservice_address }}
+  sender_localpart: _bot_{{ matrix_rustpush_bridge_appservice_bot_username }}
+  rate_limited: false
+  de.sorunome.msc2409.push_ephemeral: true
+  receive_ephemeral: true
+  io.element.msc4190: {{ matrix_rustpush_bridge_msc4190_enabled | to_json }}
+
+matrix_rustpush_bridge_registration: "{{ matrix_rustpush_bridge_registration_yaml | from_yaml }}"
+
+# Enable End-to-bridge encryption
+matrix_rustpush_bridge_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}"
+matrix_rustpush_bridge_bridge_encryption_default: "{{ matrix_bridges_encryption_default }}"
+matrix_rustpush_bridge_bridge_encryption_require: false
+matrix_rustpush_bridge_bridge_encryption_appservice: false
+matrix_rustpush_bridge_bridge_encryption_key_sharing_allow: "{{ matrix_rustpush_bridge_bridge_encryption_allow }}"
+matrix_rustpush_bridge_bridge_encryption_pickle_key: mautrix.bridge.e2ee
+
+# matrix_rustpush_bridge_restart_necessary controls whether the service
+# will be restarted (when true) or merely started (when false) by the
+# systemd service manager role (when conditional restart is enabled).
+#
+# This value is automatically computed during installation based on whether
+# any configuration files, the systemd service file, or the container image changed.
+# The default of `false` means "no restart needed" — appropriate when the role's
+# installation tasks haven't run (e.g., due to --tags skipping them).
+matrix_rustpush_bridge_restart_necessary: false

roles/custom/matrix-bridge-rustpush/tasks/main.yml

@@ -0,0 +1,25 @@
+# SPDX-FileCopyrightText: 2026 MDAD project contributors
+# SPDX-FileCopyrightText: 2026 Jason LaGuidice
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+---
+
+- tags:
+    - setup-all
+    - setup-rustpush-bridge
+    - install-all
+    - install-rustpush-bridge
+  block:
+    - when: matrix_rustpush_bridge_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
+
+    - when: matrix_rustpush_bridge_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
+
+- tags:
+    - setup-all
+    - setup-rustpush-bridge
+  block:
+    - when: not matrix_rustpush_bridge_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"

roles/custom/matrix-bridge-rustpush/tasks/setup_install.yml

@@ -0,0 +1,110 @@
+# SPDX-FileCopyrightText: 2026 MDAD project contributors
+# SPDX-FileCopyrightText: 2026 Jason LaGuidice
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+---
+
+- name: Ensure RustPush paths exist
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
+  with_items:
+    - {path: "{{ matrix_rustpush_bridge_base_path }}", when: true}
+    - {path: "{{ matrix_rustpush_bridge_config_path }}", when: true}
+    - {path: "{{ matrix_rustpush_bridge_data_path }}", when: true}
+    - {path: "{{ matrix_rustpush_bridge_container_src_files_path }}", when: "{{ matrix_rustpush_bridge_container_image_self_build }}"}
+  when: item.when | bool
+
+- name: Ensure RustPush repository is present on self-build
+  ansible.builtin.git:
+    repo: "{{ matrix_rustpush_bridge_container_image_self_build_repo }}"
+    version: "{{ matrix_rustpush_bridge_container_image_self_build_repo_version }}"
+    dest: "{{ matrix_rustpush_bridge_container_src_files_path }}"
+    force: "yes"
+  become: true
+  become_user: "{{ matrix_user_name }}"
+  register: matrix_rustpush_bridge_git_pull_results
+  when: "matrix_rustpush_bridge_enabled | bool and matrix_rustpush_bridge_container_image_self_build"
+
+- name: Ensure RustPush Docker image is built
+  community.docker.docker_image_build:
+    name: "{{ matrix_rustpush_bridge_container_image }}"
+    dockerfile: Dockerfile
+    path: "{{ matrix_rustpush_bridge_container_src_files_path }}"
+    pull: true
+    rebuild: "{{ 'always' if matrix_rustpush_bridge_git_pull_results.changed | bool else 'never' }}"
+    build_args:
+      BUILD_VERSION: "{{ matrix_rustpush_bridge_container_image_self_build_repo_version }}"
+      BUILD_COMMIT: "{{ matrix_rustpush_bridge_git_pull_results.after[:8] if matrix_rustpush_bridge_git_pull_results is defined and matrix_rustpush_bridge_git_pull_results.after is defined else 'unknown' }}"
+  register: matrix_rustpush_bridge_container_image_build_result
+  when: "matrix_rustpush_bridge_enabled | bool and matrix_rustpush_bridge_container_image_self_build | bool"
+
+- name: Ensure RustPush container image is pulled
+  community.docker.docker_image_pull:
+    name: "{{ matrix_rustpush_bridge_container_image }}"
+    pull: always
+  register: matrix_rustpush_bridge_container_image_pull_result
+  when: "matrix_rustpush_bridge_enabled | bool and not matrix_rustpush_bridge_container_image_self_build | bool"
+  retries: "{{ devture_playbook_help_container_retries_count }}"
+  delay: "{{ devture_playbook_help_container_retries_delay }}"
+  until: matrix_rustpush_bridge_container_image_pull_result is not failed
+  ignore_errors: "{{ ansible_check_mode }}"
+
+- name: Ensure rustpush-bridge config.yaml installed
+  ansible.builtin.copy:
+    content: "{{ matrix_rustpush_bridge_configuration | to_nice_yaml(indent=2, width=999999) }}"
+    dest: "{{ matrix_rustpush_bridge_config_path }}/config.yaml"
+    mode: 0644
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
+  register: matrix_rustpush_bridge_config_result
+
+- name: Ensure rustpush-bridge registration.yaml installed
+  ansible.builtin.copy:
+    content: "{{ matrix_rustpush_bridge_registration | to_nice_yaml(indent=2, width=999999) }}"
+    dest: "{{ matrix_rustpush_bridge_config_path }}/registration.yaml"
+    mode: 0644
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
+  register: matrix_rustpush_bridge_registration_result
+
+- name: Ensure rustpush-bridge support files installed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/{{ item }}.j2"
+    dest: "{{ matrix_rustpush_bridge_base_path }}/{{ item }}"
+    mode: 0640
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
+  with_items:
+    - labels
+  register: matrix_rustpush_bridge_support_files_result
+
+- name: Ensure matrix-rustpush-bridge container network is created
+  community.general.docker_network:
+    enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}"
+    name: "{{ matrix_rustpush_bridge_container_network }}"
+    driver: bridge
+    driver_options: "{{ devture_systemd_docker_base_container_networks_driver_options }}"
+
+- name: Ensure matrix-rustpush-bridge.service installed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/systemd/matrix-rustpush-bridge.service.j2"
+    dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-rustpush-bridge.service"
+    mode: 0644
+  register: matrix_rustpush_bridge_systemd_service_result
+
+- name: Determine whether matrix-rustpush-bridge needs a restart
+  ansible.builtin.set_fact:
+    matrix_rustpush_bridge_restart_necessary: >-
+      {{
+        matrix_rustpush_bridge_config_result.changed | default(false)
+        or matrix_rustpush_bridge_registration_result.changed | default(false)
+        or matrix_rustpush_bridge_support_files_result.changed | default(false)
+        or matrix_rustpush_bridge_systemd_service_result.changed | default(false)
+        or matrix_rustpush_bridge_container_image_pull_result.changed | default(false)
+        or matrix_rustpush_bridge_container_image_build_result.changed | default(false)
+      }}

roles/custom/matrix-bridge-rustpush/tasks/setup_uninstall.yml

@@ -0,0 +1,24 @@
+# SPDX-FileCopyrightText: 2026 MDAD project contributors
+# SPDX-FileCopyrightText: 2026 Jason LaGuidice
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+---
+
+- name: Check existence of matrix-rustpush-bridge service
+  ansible.builtin.stat:
+    path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-rustpush-bridge.service"
+  register: matrix_rustpush_bridge_service_stat
+
+- when: matrix_rustpush_bridge_service_stat.stat.exists | bool
+  block:
+    - name: Ensure matrix-rustpush-bridge is stopped
+      ansible.builtin.service:
+        name: matrix-rustpush-bridge
+        state: stopped
+        daemon_reload: true
+
+    - name: Ensure matrix-rustpush-bridge.service doesn't exist
+      ansible.builtin.file:
+        path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-rustpush-bridge.service"
+        state: absent

roles/custom/matrix-bridge-rustpush/tasks/validate_config.yml

@@ -0,0 +1,20 @@
+# SPDX-FileCopyrightText: 2026 MDAD project contributors
+# SPDX-FileCopyrightText: 2026 Jason LaGuidice
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+---
+
+- name: Fail if required RustPush settings not defined
+  ansible.builtin.fail:
+    msg: >-
+      You need to define a required configuration setting (`{{ item.name }}`).
+  when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0"
+  with_items:
+    - {'name': 'matrix_rustpush_bridge_appservice_token', when: true}
+    - {'name': 'matrix_rustpush_bridge_homeserver_address', when: true}
+    - {'name': 'matrix_rustpush_bridge_homeserver_token', when: true}
+    - {'name': 'matrix_rustpush_bridge_database_hostname', when: "{{ matrix_rustpush_bridge_database_engine == 'postgres' }}"}
+    - {'name': 'matrix_rustpush_bridge_container_network', when: true}
+    - {'name': 'matrix_rustpush_bridge_metrics_proxying_hostname', when: "{{ matrix_rustpush_bridge_metrics_proxying_enabled }}"}
+    - {'name': 'matrix_rustpush_bridge_metrics_proxying_path_prefix', when: "{{ matrix_rustpush_bridge_metrics_proxying_enabled }}"}

roles/custom/matrix-bridge-rustpush/templates/config.yaml.j2

@@ -0,0 +1,209 @@
+#jinja2: lstrip_blocks: True
+# Network-specific config options (iMessage via RustPush)
+network:
+    # Displayname template for iMessage contacts.
+    # Available variables:
+    # .FirstName, .LastName, .Nickname
+    # .Phone, .Email, .ID
+    displayname_template: {{ matrix_rustpush_bridge_network_displayname_template | to_json }}
+
+    # How many days back to look for chats during initial sync.
+    # Default is 365 (1 year). Set to 0 to use the default.
+    initial_sync_days: {{ matrix_rustpush_bridge_initial_sync_days | to_json }}
+
+    # Set to false to disable CloudKit backfill globally
+    cloudkit_backfill: {{ matrix_rustpush_bridge_cloudkit_backfill | to_json }}
+    backfill_source: cloudkit
+
+    # Enable or disable video transcoding
+    video_transcoding: {{ matrix_rustpush_bridge_video_transcoding | to_json }}
+
+    # Enable or disable HEIC conversion
+    heic_conversion: {{ matrix_rustpush_bridge_heic_conversion | to_json }}
+    heic_jpeg_quality: 95
+
+    # Set to true to disable Facetime support globally
+    disable_facetime: {{ matrix_rustpush_bridge_disable_facetime | to_json }}
+
+    # Set to false to disable Statuskit support globally
+    statuskit_notifications: {{ matrix_rustpush_bridge_statuskit_notifications | to_json }}
+    statuskit_share_on_startup: {{ matrix_rustpush_bridge_statuskit_share_on_startup | to_json }}
+
+# Config options that affect the central bridge module.
+bridge:
+    # The prefix for commands. Only required in non-management rooms.
+    command_prefix: {{ matrix_rustpush_bridge_bridge_command_prefix | to_json }}
+    # Should the bridge create a space for each login containing the rooms that account is in?
+    personal_filtering_spaces: true
+    # Whether the bridge should set names and avatars explicitly for DM portals.
+    private_chat_portal_meta: true
+    # Should events be handled asynchronously within portal rooms?
+    async_events: false
+    # Should every user have their own portals rather than sharing them?
+    split_portals: false
+    # Should the bridge resend `m.bridge` events to all portals on startup?
+    resend_bridge_info: false
+
+    # Should leaving Matrix rooms be bridged as leaving groups on the remote network?
+    bridge_matrix_leave: false
+    # Should room tags only be synced when creating the portal?
+    tag_only_on_create: true
+    # List of tags to allow bridging.
+    only_bridge_tags: [m.favourite, m.lowpriority]
+    # Should room mute status only be synced when creating the portal?
+    mute_only_on_create: true
+
+    # What should be done to portal rooms when a user logs out or is logged out?
+    cleanup_on_logout:
+        enabled: false
+        manual:
+            private: nothing
+            relayed: nothing
+            shared_no_users: nothing
+            shared_has_users: nothing
+        bad_credentials:
+            private: nothing
+            relayed: nothing
+            shared_no_users: nothing
+            shared_has_users: nothing
+
+    # Settings for relay mode
+    relay:
+        enabled: false
+        admin_only: true
+        default_relays: []
+        message_formats:
+            m.text: "{% raw %}<b>{{ .Sender.DisambiguatedName }}</b>: {{ .Message }}{% endraw %}"
+            m.notice: "{% raw %}<b>{{ .Sender.DisambiguatedName }}</b>: {{ .Message }}{% endraw %}"
+            m.emote: "{% raw %}* <b>{{ .Sender.DisambiguatedName }}</b> {{ .Message }}{% endraw %}"
+            m.file: "{% raw %}<b>{{ .Sender.DisambiguatedName }}</b> sent a file{{ if .Caption }}: {{ .Caption }}{{ end }}{% endraw %}"
+            m.image: "{% raw %}<b>{{ .Sender.DisambiguatedName }}</b> sent an image{{ if .Caption }}: {{ .Caption }}{{ end }}{% endraw %}"
+            m.audio: "{% raw %}<b>{{ .Sender.DisambiguatedName }}</b> sent an audio file{{ if .Caption }}: {{ .Caption }}{{ end }}{% endraw %}"
+            m.video: "{% raw %}<b>{{ .Sender.DisambiguatedName }}</b> sent a video{{ if .Caption }}: {{ .Caption }}{{ end }}{% endraw %}"
+            m.location: "{% raw %}<b>{{ .Sender.DisambiguatedName }}</b> sent a location{{ if .Caption }}: {{ .Caption }}{{ end }}{% endraw %}"
+        displayname_format: "{% raw %}{{ .DisambiguatedName }}{% endraw %}"
+
+    # Permissions for using the bridge.
+    permissions: {{ matrix_rustpush_bridge_bridge_permissions | to_json }}
+
+# Config for the bridge's database.
+database:
+    type: postgres
+    uri: {{ matrix_rustpush_bridge_database_uri | to_json }}
+    max_open_conns: 5
+    max_idle_conns: 1
+    max_conn_idle_time: null
+    max_conn_lifetime: null
+
+# Homeserver details.
+homeserver:
+    address: {{ matrix_rustpush_bridge_homeserver_address | to_json }}
+    domain: {{ matrix_rustpush_bridge_homeserver_domain | to_json }}
+    software: standard
+    status_endpoint:
+    message_send_checkpoint_endpoint:
+    async_media: {{ matrix_rustpush_bridge_homeserver_async_media | to_json }}
+    websocket: false
+    ping_interval_seconds: 0
+
+# Application service host/registration related details.
+appservice:
+    address: {{ matrix_rustpush_bridge_appservice_address | to_json }}
+    public_address: {{ matrix_rustpush_bridge_appservice_public_address | to_json }}
+
+    hostname: 0.0.0.0
+    port: 8081
+
+    id: rustpush-bridge
+    bot:
+        username: {{ matrix_rustpush_bridge_appservice_bot_username | to_json }}
+        displayname: {{ matrix_rustpush_bridge_appservice_bot_displayname | to_json(ensure_ascii=False) }}
+        avatar: {{ matrix_rustpush_bridge_appservice_bot_avatar | to_json }}
+
+    ephemeral_events: true
+    async_transactions: false
+
+    as_token: {{ matrix_rustpush_bridge_appservice_token | to_json }}
+    hs_token: {{ matrix_rustpush_bridge_homeserver_token | to_json }}
+
+    # Localpart template of MXIDs for remote users.
+    username_template: {{ matrix_rustpush_bridge_appservice_username_template | to_json }}
+
+# Config options that affect the Matrix connector of the bridge.
+matrix:
+    message_status_events: false
+    delivery_receipts: false
+    message_error_notices: true
+    sync_direct_chat_list: true
+    federate_rooms: {{ matrix_rustpush_bridge_matrix_federate_rooms | to_json }}
+    upload_file_threshold: 5242880
+
+# Segment-compatible analytics endpoint for tracking some events.
+analytics:
+    token: null
+    url: https://api.segment.io/v1/track
+    user_id: null
+
+# Settings for provisioning API
+provisioning:
+    prefix: /_matrix/provision
+    shared_secret: {{ matrix_rustpush_bridge_provisioning_shared_secret | to_json }}
+    allow_matrix_auth: true
+    debug_endpoints: false
+
+# Settings for backfilling messages.
+backfill:
+    enabled: {{ matrix_rustpush_bridge_backfill_enabled | to_json }}
+    max_initial_messages: {{ matrix_rustpush_bridge_backfill_max_initial_messages | to_json }}
+    max_catchup_messages: {{ matrix_rustpush_bridge_backfill_max_catchup_messages | to_json }}
+    unread_hours_threshold: 720
+    threads:
+        max_initial_messages: 50
+    queue:
+        enabled: false
+        batch_size: 100
+        batch_delay: 20
+        max_batches: -1
+        max_batches_override: {}
+
+# Settings for enabling double puppeting
+double_puppet:
+    servers: {}
+    allow_discovery: false
+    secrets: {{ matrix_rustpush_bridge_double_puppet_secrets | to_json }}
+
+# End-to-bridge encryption support options.
+encryption:
+    allow: {{ matrix_rustpush_bridge_bridge_encryption_allow | to_json }}
+    default: {{ matrix_rustpush_bridge_bridge_encryption_default | to_json }}
+    require: {{ matrix_rustpush_bridge_bridge_encryption_require | to_json }}
+    appservice: {{ matrix_rustpush_bridge_bridge_encryption_appservice | to_json }}
+    msc4190: {{ matrix_rustpush_bridge_msc4190_enabled | to_json }}
+    self_sign: {{ matrix_rustpush_bridge_self_sign_enabled | to_json }}
+    allow_key_sharing: {{ matrix_rustpush_bridge_bridge_encryption_key_sharing_allow | to_json }}
+    pickle_key: {{ matrix_rustpush_bridge_bridge_encryption_pickle_key | to_json }}
+    delete_keys:
+        delete_outbound_on_ack: false
+        dont_store_outbound: false
+        ratchet_on_decrypt: false
+        delete_fully_used_on_decrypt: false
+        delete_prev_on_new_session: false
+        delete_on_device_delete: false
+        periodically_delete_expired: false
+        delete_outdated_inbound: false
+    verification_levels:
+        receive: unverified
+        send: unverified
+        share: cross-signed-tofu
+    rotation:
+        enable_custom: false
+        milliseconds: 604800000
+        messages: 100
+        disable_device_change_key_rotation: false
+
+# Logging config.
+logging:
+    min_level: {{ matrix_rustpush_bridge_logging_level | to_json }}
+    writers:
+        - type: stdout
+          format: pretty-colored

roles/custom/matrix-bridge-rustpush/templates/config.yaml.j2.license

@@ -0,0 +1,4 @@
+SPDX-FileCopyrightText: 2026 MDAD project contributors
+SPDX-FileCopyrightText: 2026 Jason LaGuidice
+
+SPDX-License-Identifier: AGPL-3.0-or-later

roles/custom/matrix-bridge-rustpush/templates/labels.j2

@@ -0,0 +1,53 @@
+{#
+SPDX-FileCopyrightText: 2026 MDAD project contributors
+SPDX-FileCopyrightText: 2026 Jason LaGuidice
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+{% if matrix_rustpush_bridge_container_labels_traefik_enabled %}
+traefik.enable=true
+
+{% if matrix_rustpush_bridge_container_labels_traefik_docker_network %}
+traefik.docker.network={{ matrix_rustpush_bridge_container_labels_traefik_docker_network }}
+{% endif %}
+
+traefik.http.services.matrix-rustpush-bridge-metrics.loadbalancer.server.port=8000
+
+{% if matrix_rustpush_bridge_container_labels_metrics_enabled %}
+############################################################
+#                                                          #
+# Metrics                                                  #
+#                                                          #
+############################################################
+
+{% if matrix_rustpush_bridge_container_labels_metrics_middleware_basic_auth_enabled %}
+traefik.http.middlewares.matrix-rustpush-bridge-metrics-basic-auth.basicauth.users={{ matrix_rustpush_bridge_container_labels_metrics_middleware_basic_auth_users }}
+traefik.http.routers.matrix-rustpush-bridge-metrics.middlewares=matrix-rustpush-bridge-metrics-basic-auth
+{% endif %}
+
+traefik.http.routers.matrix-rustpush-bridge-metrics.rule={{ matrix_rustpush_bridge_container_labels_metrics_traefik_rule }}
+
+{% if matrix_rustpush_bridge_container_labels_metrics_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-rustpush-bridge-metrics.priority={{ matrix_rustpush_bridge_container_labels_metrics_traefik_priority }}
+{% endif %}
+
+traefik.http.routers.matrix-rustpush-bridge-metrics.service=matrix-rustpush-bridge-metrics
+traefik.http.routers.matrix-rustpush-bridge-metrics.entrypoints={{ matrix_rustpush_bridge_container_labels_metrics_traefik_entrypoints }}
+
+traefik.http.routers.matrix-rustpush-bridge-metrics.tls={{ matrix_rustpush_bridge_container_labels_metrics_traefik_tls | to_json }}
+{% if matrix_rustpush_bridge_container_labels_metrics_traefik_tls %}
+traefik.http.routers.matrix-rustpush-bridge-metrics.tls.certResolver={{ matrix_rustpush_bridge_container_labels_metrics_traefik_tls_certResolver }}
+{% endif %}
+
+############################################################
+#                                                          #
+# /Metrics                                                 #
+#                                                          #
+############################################################
+{% endif %}
+
+
+{% endif %}
+
+{{ matrix_rustpush_bridge_container_labels_additional_labels }}

roles/custom/matrix-bridge-rustpush/templates/labels.j2.license

@@ -0,0 +1,4 @@
+SPDX-FileCopyrightText: 2026 MDAD project contributors
+SPDX-FileCopyrightText: 2026 Jason LaGuidice
+
+SPDX-License-Identifier: AGPL-3.0-or-later

roles/custom/matrix-bridge-rustpush/templates/systemd/matrix-rustpush-bridge.service.j2

@@ -0,0 +1,51 @@
+#jinja2: lstrip_blocks: True
+[Unit]
+Description=Matrix RustPush bridge
+{% for service in matrix_rustpush_bridge_systemd_required_services_list %}
+Requires={{ service }}
+After={{ service }}
+{% endfor %}
+{% for service in matrix_rustpush_bridge_systemd_wanted_services_list %}
+Wants={{ service }}
+{% endfor %}
+DefaultDependencies=no
+
+[Service]
+Type=simple
+Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-rustpush-bridge 2>/dev/null || true'
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-rustpush-bridge 2>/dev/null || true'
+
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
+			--rm \
+			--name=matrix-rustpush-bridge \
+			--log-driver=none \
+			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+			--cap-drop=ALL \
+			--network={{ matrix_rustpush_bridge_container_network }} \
+			--env HOME=/data \
+{% if matrix_rustpush_bridge_rust_log %}			--env RUST_LOG={{ matrix_rustpush_bridge_rust_log }} \
+{% endif %}			--mount type=bind,src={{ matrix_rustpush_bridge_config_path }},dst=/config \
+			--mount type=bind,src={{ matrix_rustpush_bridge_data_path }},dst=/data \
+			--label-file={{ matrix_rustpush_bridge_base_path }}/labels \
+			--entrypoint /usr/local/bin/matrix-rustpush \
+			{% for arg in matrix_rustpush_bridge_container_extra_arguments %}
+			{{ arg }} \
+			{% endfor %}
+			{{ matrix_rustpush_bridge_container_image }} \
+			-c /config/config.yaml -r /config/registration.yaml
+
+{% for network in matrix_rustpush_bridge_container_additional_networks %}
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-rustpush-bridge
+{% endfor %}
+
+ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-rustpush-bridge
+
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-rustpush-bridge 2>/dev/null || true'
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-rustpush-bridge 2>/dev/null || true'
+Restart=always
+RestartSec=30
+SyslogIdentifier=matrix-rustpush-bridge
+
+[Install]
+WantedBy=multi-user.target

roles/custom/matrix-bridge-rustpush/templates/systemd/matrix-rustpush-bridge.service.j2.license

@@ -0,0 +1,4 @@
+SPDX-FileCopyrightText: 2026 MDAD project contributors
+SPDX-FileCopyrightText: 2026 Jason LaGuidice
+
+SPDX-License-Identifier: AGPL-3.0-or-later

roles/custom/matrix-client-element/defaults/main.yml

@@ -29,7 +29,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/eleme
 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_facts['memtotal_mb'] < 4096 }}"
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/element-web
-matrix_client_element_version: v1.12.21
+matrix_client_element_version: v1.12.22
 
 matrix_client_element_container_image: "{{ matrix_client_element_container_image_registry_prefix }}element-hq/element-web:{{ matrix_client_element_version }}"
 matrix_client_element_container_image_registry_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_client_element_container_image_registry_prefix_upstream }}"

roles/custom/matrix-client-fluffychat/defaults/main.yml

@@ -13,7 +13,7 @@ matrix_client_fluffychat_container_image_self_build_repo: "https://github.com/et
 matrix_client_fluffychat_container_image_self_build_version: "{{ 'main' if matrix_client_fluffychat_version == 'latest' else matrix_client_fluffychat_version }}"
 
 # renovate: datasource=docker depName=ghcr.io/etkecc/fluffychat-web
-matrix_client_fluffychat_version: v2.5.1
+matrix_client_fluffychat_version: v2.7.2
 matrix_client_fluffychat_container_image: "{{ matrix_client_fluffychat_container_image_registry_prefix }}etkecc/fluffychat-web:{{ matrix_client_fluffychat_version }}"
 matrix_client_fluffychat_container_image_registry_prefix: "{{ 'localhost/' if matrix_client_fluffychat_container_image_self_build else matrix_client_fluffychat_container_image_registry_prefix_upstream }}"
 matrix_client_fluffychat_container_image_registry_prefix_upstream: "{{ matrix_client_fluffychat_container_image_registry_prefix_upstream_default }}"

roles/custom/matrix-continuwuity/defaults/main.yml

@@ -1,5 +1,6 @@
 # SPDX-FileCopyrightText: 2025 MDAD project contributors
 # SPDX-FileCopyrightText: 2025 Slavi Pantaleev
+# SPDX-FileCopyrightText: 2026 Catalan Lover <catalanlover@protonmail.com>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
@@ -13,7 +14,7 @@ matrix_continuwuity_enabled: true
 matrix_continuwuity_hostname: ''
 
 # renovate: datasource=docker depName=forgejo.ellis.link/continuwuation/continuwuity
-matrix_continuwuity_version: v0.5.9
+matrix_continuwuity_version: v0.5.10
 
 matrix_continuwuity_container_image: "{{ matrix_continuwuity_container_image_registry_prefix }}/continuwuation/continuwuity:{{ matrix_continuwuity_container_image_tag }}"
 matrix_continuwuity_container_image_tag: "{{ matrix_continuwuity_version }}"
@@ -190,7 +191,9 @@ matrix_continuwuity_config_turn_password: ''
 # Controls whether the self-check feature should validate SSL certificates.
 matrix_continuwuity_self_check_validate_certificates: true
 
-# If set, registration will require Google ReCAPTCHA verification.
+# Configuring both of these settings makes registration require Google ReCAPTCHA verification.
+# Both must be set together (or both left empty). Setting only one of them is a configuration error.
+# When both are set, ReCAPTCHA gets enabled automatically (see `matrix_continuwuity_recaptcha_enabled` in `vars/main.yml`).
 matrix_continuwuity_config_recaptcha_site_key: ''
 matrix_continuwuity_config_recaptcha_private_site_key: ''
 

roles/custom/matrix-continuwuity/tasks/validate_config.yml

@@ -1,4 +1,5 @@
 # SPDX-FileCopyrightText: 2025 MDAD project contributors
+# SPDX-FileCopyrightText: 2026 Catalan Lover <catalanlover@protonmail.com>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
@@ -36,3 +37,11 @@
     - {'old': 'matrix_continuwuity_docker_image_registry_prefix_upstream', 'new': 'matrix_continuwuity_container_image_registry_prefix_upstream'}
     - {'old': 'matrix_continuwuity_docker_image_registry_prefix_upstream_default', 'new': 'matrix_continuwuity_container_image_registry_prefix_upstream_default'}
     - {'old': 'matrix_continuwuity_container_image_force_pull', 'new': '<removed> (the new community.docker.docker_image_pull module handles this natively)'}
+
+- name: Fail if Continuwuity ReCAPTCHA is only partially configured
+  ansible.builtin.fail:
+    msg: >-
+      You have configured only one of `matrix_continuwuity_config_recaptcha_site_key` and
+      `matrix_continuwuity_config_recaptcha_private_site_key`. Configure both to enable ReCAPTCHA
+      registration, or leave both empty to disable it.
+  when: "(matrix_continuwuity_config_recaptcha_site_key | string | length > 0) != (matrix_continuwuity_config_recaptcha_private_site_key | string | length > 0)"

roles/custom/matrix-continuwuity/templates/continuwuity.toml.j2

@@ -2,6 +2,7 @@
 SPDX-FileCopyrightText: 2025 MDAD project contributors
 SPDX-FileCopyrightText: 2025 Slavi Pantaleev
 SPDX-FileCopyrightText: 2025 Suguru Hirahara
+SPDX-FileCopyrightText: 2026 Catalan Lover <catalanlover@protonmail.com>
 
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
@@ -490,6 +491,7 @@ registration_token = {{ matrix_continuwuity_config_registration_token | to_json
 #
 #registration_token_file =
 
+{% if matrix_continuwuity_recaptcha_enabled %}
 # The public site key for reCaptcha. If this is provided, reCaptcha
 # becomes required during registration. If both captcha *and*
 # registration token are enabled, both will be required during
@@ -509,6 +511,7 @@ recaptcha_site_key = {{ matrix_continuwuity_config_recaptcha_site_key | to_json
 # even if `recaptcha_site_key` is set.
 #
 recaptcha_private_site_key = {{ matrix_continuwuity_config_recaptcha_private_site_key | to_json }}
+{% endif %}
 
 # Controls whether encrypted rooms and events are allowed.
 #

roles/custom/matrix-continuwuity/vars/main.yml

@@ -1,9 +1,15 @@
 # SPDX-FileCopyrightText: 2025 MDAD project contributors
 # SPDX-FileCopyrightText: 2025 Slavi Pantaleev
+# SPDX-FileCopyrightText: 2026 Catalan Lover <catalanlover@protonmail.com>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
 ---
 
+# Continuwuity has no dedicated "enable ReCAPTCHA" setting. It enables ReCAPTCHA registration based on the
+# presence of a recaptcha private site key, so we only render the keys when both have been configured.
+# This avoids rendering empty keys, which would otherwise enable a broken ReCAPTCHA flow.
+matrix_continuwuity_recaptcha_enabled: "{{ matrix_continuwuity_config_recaptcha_site_key | string | length > 0 and matrix_continuwuity_config_recaptcha_private_site_key | string | length > 0 }}"
+
 matrix_continuwuity_client_api_url_endpoint_public: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}://{{ matrix_continuwuity_hostname }}/_matrix/client/versions"
 matrix_continuwuity_federation_api_url_endpoint_public: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}://{{ matrix_continuwuity_hostname }}:{{ matrix_federation_public_port }}/_matrix/federation/v1/version"

roles/custom/matrix-element-admin/defaults/main.yml

@@ -11,7 +11,7 @@
 matrix_element_admin_enabled: true
 
 # renovate: datasource=docker depName=oci.element.io/element-admin
-matrix_element_admin_version: 0.1.11
+matrix_element_admin_version: 0.1.12
 
 matrix_element_admin_scheme: https
 

roles/custom/matrix-element-call/defaults/main.yml

@@ -21,7 +21,7 @@ matrix_element_call_enabled: false
 matrix_rtc_enabled: "{{ matrix_element_call_enabled }}"
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/element-call
-matrix_element_call_version: v0.20.1
+matrix_element_call_version: v0.20.2
 
 matrix_element_call_scheme: https
 

roles/custom/matrix-ketesa/defaults/main.yml

@@ -27,7 +27,7 @@ matrix_ketesa_container_image_self_build: false
 matrix_ketesa_container_image_self_build_repo: "https://github.com/etkecc/ketesa.git"
 
 # renovate: datasource=docker depName=ghcr.io/etkecc/ketesa
-matrix_ketesa_version: v1.2.1
+matrix_ketesa_version: v1.3.0
 matrix_ketesa_container_image: "{{ matrix_ketesa_container_image_registry_prefix }}etkecc/ketesa:{{ matrix_ketesa_version }}"
 matrix_ketesa_container_image_registry_prefix: "{{ 'localhost/' if matrix_ketesa_container_image_self_build else matrix_ketesa_container_image_registry_prefix_upstream }}"
 matrix_ketesa_container_image_registry_prefix_upstream: "{{ matrix_ketesa_container_image_registry_prefix_upstream_default }}"

roles/custom/matrix-livekit-jwt-service/defaults/main.yml

@@ -125,3 +125,14 @@ matrix_livekit_jwt_service_systemd_required_services_list_custom: []
 # The default of `false` means "no restart needed" — appropriate when the role's
 # installation tasks haven't run (e.g., due to --tags skipping them).
 matrix_livekit_jwt_service_restart_necessary: false
+
+# Support additional container arguments for the LiveKit JWT service
+matrix_livekit_jwt_service_container_additional_arguments: []
+
+# A list of additional "volumes" to mount in the container.
+# Contains definition objects like this: `{"type": "bind", "src": "/outside", "dst": "/inside", "options": "readonly"}.
+# See the `--mount` documentation for the `docker run` command.
+# Note: internally, this uses the `--mount` flag for mounting the specified volumes.
+matrix_livekit_jwt_service_container_additional_volumes: "{{ matrix_livekit_jwt_service_container_additional_volumes_auto + matrix_livekit_jwt_service_container_additional_volumes_custom }}"
+matrix_livekit_jwt_service_container_additional_volumes_auto: []
+matrix_livekit_jwt_service_container_additional_volumes_custom: []

roles/custom/matrix-livekit-jwt-service/templates/systemd/matrix-livekit-jwt-service.service.j2

@@ -22,6 +22,12 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
     {% if matrix_livekit_jwt_service_container_http_host_bind_port %}
     -p {{ matrix_livekit_jwt_service_container_http_host_bind_port }}:{{ matrix_livekit_jwt_service_container_port }} \
     {% endif %}
+    {% for volume in matrix_livekit_jwt_service_container_additional_volumes %}
+    --mount type={{ volume.type | default('bind' if '/' in volume.src else 'volume') }},src={{ volume.src }},dst={{ volume.dst }}{{ (',' + volume.options) if volume.options else '' }} \
+    {% endfor %}
+    {% for arg in matrix_livekit_jwt_service_container_additional_arguments %}
+    {{ arg }} \
+    {% endfor %}
     --env-file={{ matrix_livekit_jwt_service_base_path }}/env \
     --label-file={{ matrix_livekit_jwt_service_base_path }}/labels \
     {{ matrix_livekit_jwt_service_container_image }}

roles/custom/matrix-synapse/defaults/main.yml

@@ -16,7 +16,7 @@ matrix_synapse_enabled: true
 matrix_synapse_github_org_and_repo: element-hq/synapse
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/synapse
-matrix_synapse_version: v1.154.0
+matrix_synapse_version: v1.155.0
 
 matrix_synapse_username: ''
 matrix_synapse_uid: ''
@@ -1852,7 +1852,7 @@ matrix_synapse_register_user_script_matrix_authentication_service_path: ""
 matrix_synapse_reverse_proxy_companion_enabled: "{{ matrix_synapse_enabled and matrix_synapse_workers_enabled }}"
 
 # renovate: datasource=docker depName=nginx
-matrix_synapse_reverse_proxy_companion_version: 1.31.1-alpine
+matrix_synapse_reverse_proxy_companion_version: 1.31.2-alpine
 
 matrix_synapse_reverse_proxy_companion_base_path: "{{ matrix_synapse_base_path }}/reverse-proxy-companion"
 matrix_synapse_reverse_proxy_companion_confd_path: "{{ matrix_synapse_reverse_proxy_companion_base_path }}/conf.d"

setup.yml

@@ -71,6 +71,7 @@
     - custom/matrix-bridge-mautrix-discord
     - custom/matrix-bridge-mautrix-slack
     - custom/matrix-bridge-mautrix-bluesky
+    - custom/matrix-bridge-rustpush
     - custom/matrix-bridge-mx-puppet-groupme
     - custom/matrix-bridge-mx-puppet-steam
     - custom/matrix-bridge-postmoogle