Automatic translations update

matrix-tuwunel: update cache_capacity_modifier docs example for v1.7.0
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/5262 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-22 19:17:31 +03:00 · 2026-05-21 19:21:30 +00:00 · 2026-05-21 22:20:15 +03:00 · 2026-05-21 22:19:48 +03:00 · 2026-05-21 13:52:28 +03:00 · 2026-05-21 13:42:04 +03:00
314 changed files with 9707 additions and 7741 deletions
@@ -32,7 +32,7 @@ jobs:
      # Setting up recommended prerequisites
      # See: i18n/README.md
-      - uses: astral-sh/setup-uv@v7
+      - uses: astral-sh/setup-uv@v8.1.0
      - uses: extractions/setup-just@v4
      # TODO: optimize when we start publishing translations and integrate a Weblate instance
@@ -1,3 +1,71 @@
 # 2026-05-19
 ## matrix-registration has been removed from the playbook
 The [matrix-registration](./docs/configuring-playbook-matrix-registration.md) service has been removed from the playbook, as it has been unmaintained (archived) since November, 2025.
 The playbook will let you know if you're using any `matrix_registration_*` variables. You'll need to remove them from `vars.yml` and potentially [uninstall the component manually](./docs/configuring-playbook-matrix-registration.md#uninstalling-the-component-manually).
 # 2026-05-18
 ## LiveKit Server has been upgraded to v1.12.0
 The playbook now ships [LiveKit Server](./docs/configuring-playbook-livekit-server.md) v1.12.0. See the [upstream release notes](https://github.com/livekit/livekit/releases/tag/v1.12.0) for details.
 This release tightens TURN security:
 - **TURN credentials now carry a TTL** (default: 300 seconds), exposed via `livekit_server_config_turn_ttl_seconds`.
 - **TURN no longer relays traffic to restricted peer CIDRs** (loopback, link-local, multicast, private, unspecified) by default. If your setup legitimately requires it, list the ranges in `livekit_server_config_turn_allow_restricted_peer_cidrs`.
    For example, to allow TURN to reach the common [RFC1918](https://www.rfc-editor.org/rfc/rfc1918) private ranges, add to your `vars.yml`:
    ```yaml
    livekit_server_config_turn_allow_restricted_peer_cidrs:
      - 10.0.0.0/8
      - 172.16.0.0/12
      - 192.168.0.0/16
    ```
    Adjust the ranges to match your network. To deny specific CIDRs (taking precedence over the allow list above), use `livekit_server_config_turn_deny_peer_cidrs` in the same shape.
 # 2026-05-07
 ## Tuwunel support
 Thanks to [Jason Volk](https://github.com/jevolk), the playbook now supports the [Tuwunel](./docs/configuring-playbook-tuwunel.md) homeserver as an optional alternative to Synapse.
 Tuwunel is a fork of [conduwuit](./docs/configuring-playbook-conduwuit.md) written in Rust. The former conduwuit maintainer [endorses Tuwunel as conduwuit's successor](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/5200#issuecomment-4396211185). Like [Continuwuity](./docs/configuring-playbook-continuwuity.md), Tuwunel continues development on top of conduwuit's database format.
 Existing installations do **not** need to be updated. **Synapse is still the default homeserver implementation** installed by the playbook.
 People that used to run conduwuit may wish to [migrate from conduwuit to Tuwunel](./docs/configuring-playbook-tuwunel.md#migrating-from-conduwuit) via the new `tuwunel-migrate-from-conduwuit` tag, which performs an in-place binary-swap migration that reads the conduwuit database directly.
 **The homeserver implementation of an existing server cannot be changed** (e.g. from Synapse/Conduit/Dendrite/Continuwuity to Tuwunel) without data loss. The exception is conduwuit, due to the shared database format.
 # 2026-04-24
 ## Support for bridging to Meshtastic via meshtastic-matrix-relay
 Thanks to [luschmar](https://github.com/luschmar), the playbook now supports bridging to [Meshtastic](https://meshtastic.org/) mesh networks via [meshtastic-matrix-relay](https://github.com/jeremiah-k/meshtastic-matrix-relay) (mmrelay).
 To learn more, see our [Setting up a Matrix <-> Meshtastic bridge](./docs/configuring-playbook-bridge-meshtastic-relay.md) documentation page.
 ## (BC Break) mautrix-telegram has been rewritten in Go (bridgev2)
 The [mautrix-telegram](./docs/configuring-playbook-bridge-mautrix-telegram.md) bridge has been [rewritten in Go](https://mau.fi/blog/2026-04-mautrix-release/) on top of the [bridgev2](https://docs.mau.fi/bridges/go/) architecture. See the [upstream v26.04 release notes](https://github.com/mautrix/telegram/releases/tag/v0.2604.0) for what changed in the bridge itself (shared-portal behavior, management-room state, new features, etc.).
 **Most users won't have to do anything.** If you use the playbook's integrated Postgres (the default) and haven't customized telegram-bridge variables beyond `matrix_mautrix_telegram_api_id` and `matrix_mautrix_telegram_api_hash`, just re-run the playbook; the bridge will migrate itself on first start. Taking a backup beforehand is still a good idea.
 ⚠️ **SQLite users: do not upgrade yet.** Upstream v0.2604.0 has a [known bug in the legacy SQLite migration](https://github.com/mautrix/telegram/releases/tag/v0.2604.0) that can corrupt your data. The playbook detects this case and will refuse to proceed. Either switch to Postgres first (set `matrix_mautrix_telegram_database_engine: postgres`; the playbook handles the pgloader migration), or wait for the next upstream release.
 Playbook-specific things to know. The playbook will fail loudly if you're affected:
 - Many `matrix_mautrix_telegram_*` variables have been **removed** (web-login endpoint, lottieconverter, username/alias/displayname templates, filter-mode, bot-token relaybot, Shared-Secret-Auth map). The deprecation check will tell you exactly what to rename or drop when you run the playbook.
 - **Old-style relaybot users** (`matrix_mautrix_telegram_bot_token`): switch to the common [mautrix bridge relay mode](./docs/configuring-playbook-bridge-mautrix-bridges.md#enable-relay-mode-optional) via `matrix_mautrix_telegram_bridge_relay_enabled: true`.
 - **Shared-Secret-Auth double-puppeting users**: switch to [Appservice Double Puppet](./docs/configuring-playbook-appservice-double-puppet.md); the playbook wires it up automatically.
 - **Custom `matrix_mautrix_telegram_bridge_permissions`**: map `relaybot` to `relay`, `puppeting` to `user`, `full` to `user`. Validated at playbook time.
 # 2026-04-03
 ## (BC Break) Synapse Admin (fork by etke.cc) is now Ketesa
@@ -4,7 +4,7 @@
 ## 🎯 Purpose
-This [Ansible](https://www.ansible.com/) playbook is meant to help you run your own [Matrix](http://matrix.org/) homeserver, along with the [various services](#supported-services) related to that.
+This [Ansible](https://www.ansible.com/) playbook is meant to help you run your own [Matrix](http://matrix.org/) homeserver, along with the [various services](#-supported-services) related to that.
 That is, it lets you join the Matrix network using your own user ID like `@alice:example.com`, all hosted on your own server (see [prerequisites](docs/prerequisites.md)).
@@ -53,6 +53,7 @@ The homeserver is the backbone of your Matrix system. Choose one from the follow
 | [Synapse](https://github.com/element-hq/synapse) | ✅ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network | [Link](docs/configuring-playbook-synapse.md) |
 | [Conduit](https://conduit.rs) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Conduit is a lightweight open-source server implementation of the Matrix Specification with a focus on easy setup and low system requirements | [Link](docs/configuring-playbook-conduit.md) |
 | [continuwuity](https://continuwuity.org) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. | [Link](docs/configuring-playbook-continuwuity.md) |
 | [Tuwunel](https://matrix-construct.github.io/tuwunel/) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Tuwunel is the official successor to conduwuit. | [Link](docs/configuring-playbook-tuwunel.md) |
 | [Dendrite](https://github.com/element-hq/dendrite) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Dendrite is a second-generation Matrix homeserver written in Go, an alternative to Synapse. | [Link](docs/configuring-playbook-dendrite.md) |
 ### Clients
@@ -92,7 +93,6 @@ Extend and modify how users are authenticated on your homeserver.
 |[matrix-synapse-shared-secret-auth](https://github.com/devture/matrix-synapse-shared-secret-auth) (advanced) | ❌ | Password provider module | [Link](docs/configuring-playbook-shared-secret-auth.md) |
 | [matrix-synapse-ldap3](https://github.com/matrix-org/matrix-synapse-ldap3) (advanced) | ❌ | LDAP Auth password provider module | [Link](docs/configuring-playbook-ldap-auth.md) |
 | [matrix-ldap-registration-proxy](https://gitlab.com/activism.international/matrix_ldap_registration_proxy) (advanced) | ❌ | Proxy that handles Matrix registration requests and forwards them to LDAP | [Link](docs/configuring-playbook-matrix-ldap-registration-proxy.md) |
 | [matrix-registration](https://github.com/ZerataX/matrix-registration) | ❌ | Simple python application to have a token based Matrix registration | [Link](docs/configuring-playbook-matrix-registration.md) |
 | [Matrix User Verification Service](https://github.com/matrix-org/matrix-user-verification-service) | ❌ | Service to verify details of a user based on an Open ID token | [Link](docs/configuring-playbook-user-verification-service.md) |
 | [synapse-simple-antispam](https://github.com/t2bot/synapse-simple-antispam) (advanced) | ❌ | Spam checker module | [Link](docs/configuring-playbook-synapse-simple-antispam.md) |
@@ -121,7 +121,7 @@ Bridges can be used to connect your Matrix installation with third-party communi
 | [mautrix-bluesky](https://github.com/mautrix/bluesky) | ❌ | Bridge to [Bluesky](https://bsky.social/) | [Link](docs/configuring-playbook-bridge-mautrix-bluesky.md) |
 | [mautrix-twitter](https://github.com/mautrix/twitter) | ❌ | Bridge to [Twitter](https://twitter.com/) | [Link](docs/configuring-playbook-bridge-mautrix-twitter.md) |
 | [mautrix-googlechat](https://github.com/mautrix/googlechat) | ❌ | Bridge to [Google Chat](https://en.wikipedia.org/wiki/Google_Chat) | [Link](docs/configuring-playbook-bridge-mautrix-googlechat.md) |
-| [mautrix-meta](https://github.com/mautrix/instagram) | ❌ | Bridge to [Messenger](https://messenger.com/) and [Instagram](https://instagram.com/) | Link for [Messenger](docs/configuring-playbook-bridge-mautrix-meta-messenger.md) / [Instagram](docs/configuring-playbook-bridge-mautrix-meta-instagram.md) |
+| [mautrix-meta](https://github.com/mautrix/meta) | ❌ | Bridge to [Messenger](https://messenger.com/) and [Instagram](https://instagram.com/) | Link for [Messenger](docs/configuring-playbook-bridge-mautrix-meta-messenger.md) / [Instagram](docs/configuring-playbook-bridge-mautrix-meta-instagram.md) |
 | [mautrix-signal](https://github.com/mautrix/signal) | ❌ | Bridge to [Signal](https://www.signal.org/) | [Link](docs/configuring-playbook-bridge-mautrix-signal.md) |
 | [beeper-linkedin](https://github.com/beeper/linkedin) | ❌ | Bridge to [LinkedIn](https://www.linkedin.com/) | [Link](docs/configuring-playbook-bridge-beeper-linkedin.md) |
 | [matrix-appservice-irc](https://github.com/matrix-org/matrix-appservice-irc) | ❌ | Bridge to [IRC](https://wikipedia.org/wiki/Internet_Relay_Chat) | [Link](docs/configuring-playbook-bridge-appservice-irc.md) |
@@ -132,6 +132,7 @@ Bridges can be used to connect your Matrix installation with third-party communi
 | [matrix-steam-bridge](https://github.com/jasonlaguidice/matrix-steam-bridge) | ❌ | Bridge to [Steam](https://steampowered.com/) | [Link](docs/configuring-playbook-bridge-steam.md) |
 | [matrix-wechat](https://github.com/duo/matrix-wechat) | ❌ | Bridge to [WeChat](https://www.wechat.com/) | [Link](docs/configuring-playbook-bridge-wechat.md) |
 | [Heisenbridge](https://github.com/hifi/heisenbridge) | ❌ | Bouncer-style bridge to [IRC](https://wikipedia.org/wiki/Internet_Relay_Chat) | [Link](docs/configuring-playbook-bridge-heisenbridge.md) |
 | [meshtastic-matrix-relay](https://github.com/jeremiah-k/meshtastic-matrix-relay) | ❌ | Bridge to [Meshtastic](https://meshtastic.org/) mesh networks | [Link](docs/configuring-playbook-bridge-meshtastic-relay.md) |
 | [mx-puppet-groupme](https://gitlab.com/xangelix-pub/matrix/mx-puppet-groupme) | ❌ | Bridge to [GroupMe](https://groupme.com/) | [Link](docs/configuring-playbook-bridge-mx-puppet-groupme.md) |
 | [mx-puppet-steam](https://codeberg.org/icewind/mx-puppet-steam) | ❌ | Bridge to [Steam](https://steamapp.com/) | [Link](docs/configuring-playbook-bridge-mx-puppet-steam.md) |
 | [Postmoogle](https://github.com/etkecc/postmoogle) | ❌ | Email to Matrix bridge | [Link](docs/configuring-playbook-bridge-postmoogle.md) |
@@ -1,4 +1,25 @@
 ---
 # This file is not used by the playbook's standard CLI installation flow.
 # Roles are pulled via `make roles` / `just roles`, which call
 # `ansible-galaxy install -r requirements.yml -p roles/galaxy/`.
 # Collections are not installed by that command, and the playbook relies
 # on whatever `community.*` collections ship with the user's `ansible`
 # package (which has been recent enough for years).
 #
 # This file exists for AWX / Ansible Automation Platform users, which
 # auto-detect `collections/requirements.yml` during project sync and
 # install the listed collections. See:
 # https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/87a2240dc
 #
 # CLI users do not need to install anything from this file. If you are
 # using AWX and a collection version below the floor declared here is
 # present, AWX will upgrade it.
 collections:
  - name: community.general
  - name: community.docker
    # `community.docker.docker_image_pull` and `community.docker.docker_image_build`
    # are used by some roles (e.g. matrix-bot-draupnir,
    # matrix-appservice-draupnir-for-all) and are first available in
    # community.docker 3.6.0 (Jan 2024 / Ansible 9.2.0).
    version: ">=3.6.0"
@@ -1,4 +1,5 @@
 <!--
 SPDX-FileCopyrightText: 2024 - 2026 Catalan Lover <catalanlover@protonmail.com>
 SPDX-FileCopyrightText: 2024 - 2025 Suguru Hirahara
 SPDX-FileCopyrightText: 2024 MDAD project contributors
@@ -13,34 +14,54 @@ Appservice mode can be used together with the regular [Draupnir bot](configuring
 ## Draupnir Appservice mode compared to Draupnir bot mode
-The administrative functions for managing the appservice are alpha quality and very limited. However, the experience of using an appservice-provisioned Draupnir is on par with the experience of using Draupnir from bot mode except in the case of avatar customisation as described later on in this document.
+The administrative functions for managing the appservice are alpha quality and very limited. However, the experience of using an appservice-provisioned Draupnir is on par with the experience of using Draupnir from bot mode.
-Draupnir for all is the way to go if you need more than 1 Draupnir instance, but you don't need access to Synapse Admin features as they are not accessible through Draupnir for All (Even though the commands do show up in help).
+Draupnir for all is the way to go if you need more than 1 Draupnir instance, but you don't need access to Synapse Admin features as they are not accessible through Draupnir for All.
 Draupnir for all in the playbook is rate-limit-exempt automatically as its appservice configuration file does not specify any rate limits.
-Normal Draupnir does come with the benefit of access to Synapse Admin features. You are also able to more easily customise your normal Draupnir than D4A as D4A even on the branch with the Avatar command (To be Upstreamed to Mainline Draupnir) that command is clunky as it requires the use of things like Element Web devtools. In normal Draupnir this is a quick operation where you login to Draupnir with a normal client and set Avatar and Display name normally.
+Normal Draupnir does come with the benefit of access to Synapse Admin features. You are also able to more easily customise your normal Draupnir than D4A as the avatar command is clunky as it requires the use of things like Element Web devtools. In normal Draupnir this can be done while logged in to the Draupnir account with a normal client and set Avatar and Display name normally.
-Draupnir for all does not support external tooling like [MRU](https://mru.rory.gay) as it can't access Draupnir's user account.
+Draupnir for all only has limited support for external tooling like [MRU](https://mru.rory.gay) as it can't access Draupnir's user account.
 ## Prerequisites
-### Create a main management room
+### Prerequisites for Zero Touch Deployment (recommended)
-The playbook does not create a management room for your Main Draupnir. You **need to create the room manually** before setting up the bot.
+As of Draupnir 3.1.0, Zero Touch Deployment of Draupnir Appservice Mode (Draupnir for all) requires you to supply the following:
 - MXID of the first person who gets invited to the admin room that the bot creates for you.
 That is all. The appservice manages everything on its own after you provide it with an MXID to invite.
 If proceeding with Zero Touch Deployment, skip ahead to [Adjusting the playbook configuration](#adjusting-the-playbook-configuration).
 ### Create an admin room (optional)
 The playbook does not create an admin room for your Draupnir, but the appservice itself can do this for you. Alternatively, you **can create the room manually** before setting up the bot.
 Note that the room must be unencrypted.
-The management room has to be given an alias, and your bot has to be invited to the room.
+The admin room has to be given an alias, and your bot has to be invited to the room.
-This management room is used to control who has access to your D4A deployment. The room stores this data inside of the control room state so your bot must have sufficient powerlevel to send custom state events. This is default 50 or moderator as Element clients call this powerlevel.
+This admin room is used to control who has access to your D4A deployment. The room stores this data in the control room state, so your bot must have sufficient power level to send custom state events. This is `50` by default (moderator, as Element clients call this power level).
 > [!WARNING]
 > Anyone in this room can control the bot so it is important that you only invite trusted users to this room.
 ## Adjusting the playbook configuration
-Add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file. Make sure to replace `MANAGEMENT_ROOM_ALIAS_HERE`.
+When using Zero Touch Deployment, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file. Make sure to replace `INITIAL_MANAGER_MXID_HERE` with the MXID of the user who should be invited to the admin room first.
 ```yaml
 matrix_appservice_draupnir_for_all_enabled: true
 matrix_appservice_draupnir_for_all_zero_touch_deploy: true
 matrix_appservice_draupnir_for_all_config_initialManager: "INITIAL_MANAGER_MXID_HERE"
 ```
 If opting out of Zero Touch Deployment, use the following configuration block instead. Make sure to replace `MANAGEMENT_ROOM_ALIAS_HERE` with the alias of the admin room you have created earlier.
 ```yaml
 matrix_appservice_draupnir_for_all_enabled: true
@@ -48,6 +69,14 @@ matrix_appservice_draupnir_for_all_enabled: true
 matrix_appservice_draupnir_for_all_config_adminRoom: "MANAGEMENT_ROOM_ALIAS_HERE"
 ```
 ### Running both bot mode and appservice mode
 When running both [bot mode](./configuring-playbook-bot-draupnir.md) and appservice mode, the playbook will force-restart
 the bot if running a non-release tag like `latest` or `main` or a development build.
 This is due to the conditional restart logic not being able to reliably tell when an update happened.
 Conditional restarts work correctly for all tags when running only one of these two operating modes.
 ### Extending the configuration
 There are some additional things you may wish to configure about the component.
@@ -95,20 +124,26 @@ ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
 ## Usage
-If you made it through all the steps above and your main control room was joined by a user called `@draupnir-main:example.com` you have successfully installed Draupnir for All and can now start using it.
+If you made it through all the steps above and your main control room was joined by a user called `@draupnir-main:example.com`, you have successfully installed Draupnir for All and can now start using it.
-The installation of Draupnir for all in this playbook is very much Alpha quality. Usage-wise, Draupnir for all is almost identical to Draupnir bot mode.
+If using Zero Touch Deployment, the flow is reversed and the success signal is the initial manager account being invited to the admin room.
 Draupnir for all installation via this playbook is very much Alpha quality. Usage-wise, Draupnir for all is almost identical to Draupnir bot mode, except that protections requiring homeserver admin access are not available, and the config file is shared between all bots so legacy protections like wordlist share a single global config.
 ### Granting Users the ability to use D4A
 Draupnir for all includes several security measures like that it only allows users that are on its allow list to ask for a bot. To add a user to this list we have 2 primary options. Using the chat to tell Draupnir to do this for us or if you want to automatically do it by sending `m.policy.rule.user` events that target the subject you want to allow provisioning for with the `org.matrix.mjolnir.allow` recommendation. Using the chat is recommended.
-The bot requires a powerlevel of 50 in the management room to control who is allowed to use the bot. The bot does currently not say anything if this is true or false. (This is considered a bug and is documented in issue [#297](https://github.com/the-draupnir-project/Draupnir/issues/297))
+The bot requires a power level of 50 in the management room to control who is allowed to use the bot. The bot does currently not say anything if this is true or false. (This is considered a bug and is documented in issue [#297](https://github.com/the-draupnir-project/Draupnir/issues/297).) This issue is largely mitigated by the Zero Touch Deployment workflows introduced in Draupnir 3.1.0.
-To allow users or whole homeservers you type /plain !admin allow `target` and target can be either a MXID or a wildcard like `@*:example.com` to allow all users on example.com to register. We use /plain to force the client to not attempt to mess with this command as it can break Wildcard commands especially.
+To allow users or whole homeservers you type /plain !admin allow `target` and target can be either a MXID or a wildcard like `@*:example.com` to allow all users on example.com to provision a bot. We use /plain to force the client to not attempt to mess with this command as it can break Wildcard commands especially.
 ### How to provision a D4A once you are allowed to
-To provision a D4A, you need to start a chat with `@draupnir-main:example.com`. The bot will reject this invite and you will shortly get invited to the Draupnir control room for your newly provisioned Draupnir. From here its just a normal Draupnir experience.
+Once someone is allowed to provision a bot, simply provision them one with `!admin provision MXID`.
-Congratulations if you made it all the way here because you now have a fully working Draupnir for all deployment.
+Self-service provisioning is disabled as a security measure because it is currently bugged. Force-provisioning (with `!admin provision`) bypasses this disabled status.
 Note that you should always make sure there is an allow entry matching whoever is provisioned, because once self-service is fixed, the bot of anyone who is not allowed to provision a bot will refuse to start.
 Congratulations if you made it all the way here, because you now have a fully working Draupnir for all deployment.
@@ -1,4 +1,5 @@
 <!--
 SPDX-FileCopyrightText: 2023 - 2026 Catalan Lover <catalanlover@protonmail.com>
 SPDX-FileCopyrightText: 2023 - 2025 MDAD project contributors
 SPDX-FileCopyrightText: 2023 Kim Brose
 SPDX-FileCopyrightText: 2024 - 2025 Slavi Pantaleev
@@ -19,7 +20,17 @@ If your migrating from [Mjolnir](configuring-playbook-bot-mjolnir.md), skip to [
 ## Prerequisites
-### Create a management room
+### Prerequisites for Zero Touch Deployment (recommended)
 As of Draupnir 3.1.0, Zero Touch Deployment of Draupnir bot mode requires you to supply the following:
 - MXID of the first person who gets invited to the management room that the bot creates for you.
 - A permanent access token for authentication. Instructions for obtaining one can be found at [obtain an access token via curl](obtaining-access-tokens.md#obtain-an-access-token-via-curl).
 - A user account for Draupnir.
 Zero Touch Deployment is the officially preferred installation method for new deployments of Draupnir as of 3.1.0.
 ### Create a management room (optional)
 Using your own account, create a new invite only room that you will use to manage the bot. This is the room where you will see the status of the bot and where you will send commands to the bot, such as the command to ban a user from another room.
@@ -28,6 +39,8 @@ Using your own account, create a new invite only room that you will use to manag
 It is possible to make the management room encrypted (E2EE). If doing so, then you need to enable the native E2EE support (see [below](#native-e2ee-support)).
 E2EE support for the management room is mutually exclusive with Zero Touch Deployment of Draupnir.
 Once you have created the room you need to copy the room ID so you can specify it on your `inventory/host_vars/matrix.example.com/vars.yml` file. In Element Web you can check the ID by going to the room's settings and clicking "Advanced". The room ID will look something like `!qporfwt:example.com`.
 ## End-to-End Encryption support
@@ -63,7 +76,25 @@ matrix_bot_draupnir_config_accessToken: "CLEAN_ACCESS_TOKEN_HERE"
 ## Adjusting the playbook configuration
-To enable the bot, add the following configuration to your `vars.yml` file. Make sure to replace `MANAGEMENT_ROOM_ID_HERE` with the one of the room which you have created earlier.
+### Configuration for Zero Touch Deployment (recommended)
 To enable the bot using Zero Touch Deployment, add the following configuration to your `vars.yml` file. Make sure to replace `INITIAL_MANAGER_MXID_HERE` with the MXID of the user who should be invited to the management room first, and `CLEAN_ACCESS_TOKEN_HERE` with the access token you obtained.
 ```yaml
 # Enable Draupnir
 matrix_bot_draupnir_enabled: true
 matrix_bot_draupnir_zero_touch_deploy: true
 matrix_bot_draupnir_config_initialManager: "INITIAL_MANAGER_MXID_HERE"
 # Access token which the bot will use for logging in.
 matrix_bot_draupnir_config_accessToken: "CLEAN_ACCESS_TOKEN_HERE"
 ```
 ### Configuration without Zero Touch Deployment
 If you'd prefer to have the bot manage its own login at the cost of having to create the management room manually, you can use native login with the configuration block below. Make sure to replace `MANAGEMENT_ROOM_ID_HERE` with the ID of the management room you have created earlier.
 ```yaml
 # Enable Draupnir
@@ -82,7 +113,15 @@ matrix_bot_draupnir_login_native: true
 matrix_bot_draupnir_config_managementRoom: "MANAGEMENT_ROOM_ID_HERE"
 ```
-### Create and invite the bot to the management room
+### Running both bot mode and appservice mode
 When running both bot mode and [appservice mode (Draupnir for all)](./configuring-playbook-appservice-draupnir-for-all.md), the
 playbook will force-restart the bot if running a non-release tag like `latest` or `main` or a development build.
 This is due to the conditional restart logic not being able to reliably tell when an update happened.
 Conditional restarts work correctly for all tags when running only one of these two operating modes.
 ### Create and invite the bot to the management room (only when using native login without Zero Touch Deployment)
 Before proceeding to the next step, run the playbook with the following command to create the bot user.
@@ -94,6 +133,12 @@ ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,ensure-matrix-use
 Then, invite the bot (`@bot.draupnir:example.com`) to its management room which you have created earlier.
 ### Creating a user account for the bot (when using Zero Touch Deployment)
 Since Zero Touch Deployment is not validated with native login, you will need to create the user account manually.
 Refer to [registering users](registering-users.md) for documentation on how to configure the user account.
 ### Make sure the account is free from rate limiting (optional, recommended)
 If your homeserver's implementation is Synapse, you will need to prevent it from rate limiting the bot's account. **This is a highly recommended step. If you do not configure it, Draupnir performance will be degraded.**
@@ -106,7 +151,7 @@ The APIs can also be accessed via [Ketesa](https://github.com/etkecc/ketesa), a
 #### Add the configuration
-To expose the APIs publicly, add the following configuration to your `vars.yml` file:
+This is automatically done if Ketesa is enabled. Otherwise, to expose the APIs publicly, add the following configuration to your `vars.yml` file:
 ```yaml
 matrix_synapse_container_labels_public_client_synapse_admin_api_enabled: true
@@ -132,6 +177,7 @@ curl --header "Authorization: Bearer ADMIN_ACCESS_TOKEN_HERE" -X POST https://ma
 ```
 **Notes**:
 - This does not work on outdated Windows 10 as curl is not available there.
 - Even if the APIs are not exposed to the internet, you should still be able to run the command on the homeserver locally.
@@ -157,13 +203,14 @@ matrix_bot_draupnir_config_web_synapseHTTPAntispam_enabled: true
 matrix_bot_draupnir_admin_api_enabled: true
 ```
-These protections need to be manually activated and consulting the [enabling protections](#enabling-built-in-protections) guide can be helpful or consulting upstream documentation.
+These protections need to be manually activated. Consulting the [enabling protections](#enabling-built-in-protections) guide and/or upstream documentation can be helpful.
-<!--
+The other method polls a Synapse Admin API endpoint, hence it is available only if using Synapse and if the Draupnir user is an admin. To enable it, set `pollReports: true` in your `vars.yml` file as below:
 NOTE: this is unsupported by the playbook due to the admin API being inaccessible from containers currently.
-The other method polls an Synapse Admin API endpoint, hence it is available only if using Synapse and if the Draupnir user is an admin (see [above](#register-the-bot-account)). To enable it, set `pollReports: true` on `vars.yml` file as below.
+```yaml
-->
+matrix_bot_draupnir_configuration_extension_yaml: |
  pollReports: true
 ```
 ### Extending the configuration
@@ -1,5 +1,5 @@
 <!--
-SPDX-FileCopyrightText: 2018 - 2024 Slavi Pantaleev
+SPDX-FileCopyrightText: 2018 - 2026 Slavi Pantaleev
 SPDX-FileCopyrightText: 2018 Hugues Morisset
 SPDX-FileCopyrightText: 2019 - 2022 MDAD project contributors
 SPDX-FileCopyrightText: 2021 Panagiotis Georgiadis
@@ -17,7 +17,7 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 The playbook can install and configure [mautrix-telegram](https://github.com/mautrix/telegram) for you.
-See the project's [documentation](https://docs.mau.fi/bridges/python/telegram/index.html) to learn what it does and why it might be useful to you.
+See the project's [documentation](https://docs.mau.fi/bridges/go/telegram/index.html) to learn what it does and why it might be useful to you.
 ## Prerequisites
@@ -25,18 +25,12 @@ See the project's [documentation](https://docs.mau.fi/bridges/python/telegram/in
 To use the bridge, you'd need to obtain an API key from [https://my.telegram.org/apps](https://my.telegram.org/apps).
-### Enable Appservice Double Puppet or Shared Secret Auth (optional)
+### Enable Appservice Double Puppet (optional)
-If you want to set up [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do) for this bridge automatically, you need to have enabled [Appservice Double Puppet](configuring-playbook-appservice-double-puppet.md) or [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) service for this playbook.
+If you want to set up [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do) for this bridge automatically, you need to have enabled [Appservice Double Puppet](configuring-playbook-appservice-double-puppet.md) service for this playbook.
 See [this section](configuring-playbook-bridge-mautrix-bridges.md#set-up-double-puppeting-optional) on the [common guide for configuring mautrix bridges](configuring-playbook-bridge-mautrix-bridges.md) for details about setting up Double Puppeting.
 **Notes**:
 - Double puppeting with the Shared Secret Auth works at the time of writing, but is deprecated and will stop working in the future.
 - If you decided to enable Double Puppeting manually, send `login-matrix` to the bot in order to receive an instruction about how to send an access token to it.
 ## Adjusting the playbook configuration
 To enable the bridge, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file. Make sure to replace `YOUR_TELEGRAM_APP_ID` and `YOUR_TELEGRAM_API_HASH`.
@@ -49,37 +43,16 @@ matrix_mautrix_telegram_api_hash: YOUR_TELEGRAM_API_HASH
 ### Relaying
-### Enable relay-bot (optional)
+This bridge supports the common [mautrix bridge relay mode](configuring-playbook-bridge-mautrix-bridges.md#enable-relay-mode-optional). Once enabled, any authenticated user can be turned into a relaybot for a chat by sending `!tg set-relay` in that chat.
 If you want to use the relay-bot feature ([relay bot documentation](https://docs.mau.fi/bridges/python/telegram/relay-bot.html)), which allows anonymous user to chat with telegram users, add the following configuration to your `vars.yml` file:
 ```yaml
 matrix_mautrix_telegram_bot_token: YOUR_TELEGRAM_BOT_TOKEN
 matrix_mautrix_telegram_configuration_extension_yaml: |
  bridge:
    permissions:
      '*': relaybot
 ```
 ### Configure a user as an administrator of the bridge (optional)
 You might also want to give permissions to a user to administrate the bot. See [this section](configuring-playbook-bridge-mautrix-bridges.md#configure-bridge-permissions-optional) on the common guide for details about it.
 More details about permissions in this example: https://github.com/mautrix/telegram/blob/master/mautrix_telegram/example-config.yaml#L410
 ### Use the bridge for direct chats only (optional)
 If you want to exclude all groups from syncing and use the Telegram-Bridge only for direct chats, add the following configuration to your `vars.yml` file:
 ```yaml
 matrix_mautrix_telegram_filter_mode: whitelist
 ```
 ### Extending the configuration
 There are some additional things you may wish to configure about the bridge.
 <!-- NOTE: common relay mode is not supported for this bridge -->
 See [this section](configuring-playbook-bridge-mautrix-bridges.md#extending-the-configuration) on the [common guide for configuring mautrix bridges](configuring-playbook-bridge-mautrix-bridges.md) for details about variables that you can customize and the bridge's default configuration, including [bridge permissions](configuring-playbook-bridge-mautrix-bridges.md#configure-bridge-permissions-optional), [encryption support](configuring-playbook-bridge-mautrix-bridges.md#enable-encryption-optional), [bot's username](configuring-playbook-bridge-mautrix-bridges.md#set-the-bots-username-optional), etc.
 ## Installing
@@ -99,9 +72,9 @@ The shortcut commands with the [`just` program](just.md) are also available: `ju
 To use the bridge, you need to start a chat with `@telegrambot:example.com` (where `example.com` is your base domain, not the `matrix.` domain).
-You can then follow instructions on the bridge's [official documentation on Authentication](https://docs.mau.fi/bridges/python/telegram/authentication.html).
+You can then follow instructions on the bridge's [official documentation on Authentication](https://docs.mau.fi/bridges/go/telegram/authentication.html).
-After logging in, the bridge will create portal rooms for all of your Telegram groups and invite you to them. Note that the bridge won't automatically create rooms for private chats.
+After logging in, the bridge will create portal rooms for all of your Telegram groups and invite you to them.
 ## Troubleshooting
@@ -109,8 +82,9 @@ As with all other services, you can find the logs in [systemd-journald](https://
 ### Increase logging verbosity
-The default logging level for this component is `WARNING`. If you want to increase the verbosity, add the following configuration to your `vars.yml` file and re-run the playbook:
+The default logging level for this component is `warn`. If you want to increase the verbosity, add the following configuration to your `vars.yml` file and re-run the playbook:
 ```yaml
-matrix_mautrix_telegram_logging_level: DEBUG
+# Valid values: fatal, error, warn, info, debug, trace
 matrix_mautrix_telegram_logging_level: debug
 ```
@@ -0,0 +1,95 @@
 <!--
 SPDX-FileCopyrightText: 2025 - 2026 luschmar
 SPDX-FileCopyrightText: 2026 Slavi Pantaleev
 SPDX-License-Identifier: AGPL-3.0-or-later
 -->
 # Setting up a Matrix <-> Meshtastic bridge (optional)
 The playbook can install and configure [meshtastic-matrix-relay](https://github.com/jeremiah-k/meshtastic-matrix-relay) (sometimes referred to as `mmrelay`) for you — a bridge between [Matrix](https://matrix.org/) and [Meshtastic](https://meshtastic.org/) mesh networks.
 See the [project's documentation](https://github.com/jeremiah-k/meshtastic-matrix-relay) to learn what it does and why it might be useful to you.
 ## Prerequisites
 You need a Matrix account for the bot. You can either [register the bot account manually](registering-users.md) or let the playbook create it when running `ansible-playbook … --tags=ensure-matrix-users-created`. Either way, you'll need the account's **password** to configure the bridge — unlike most other bridges in this playbook, `mmrelay` authenticates with a password and creates its own session (optionally with End-to-End Encryption material).
 You also need access to a Meshtastic device, connected to the server via one of:
 - **TCP**: the device is reachable on the network (e.g. a Meshtastic node running the TCP API),
 - **Serial**: the device is plugged in via USB and available on the host (e.g. `/dev/ttyUSB0`),
 - **BLE**: the device is reachable via Bluetooth Low Energy from the host.
 ## Adjusting the playbook configuration
 To enable the bridge, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:
 ```yaml
 matrix_meshtastic_relay_enabled: true
 # Password for the bot's Matrix account.
 # On first startup, the bridge uses this to log in and persist credentials
 # (including End-to-End Encryption material) under its data directory.
 # After that, the password can be removed from this variable.
 matrix_meshtastic_relay_matrix_bot_password: "PASSWORD_FOR_THE_BOT"
 # How the bridge connects to your Meshtastic device.
 # One of: tcp, serial, ble
 matrix_meshtastic_relay_connection_type: tcp
 # For connection_type: tcp
 matrix_meshtastic_relay_tcp_host: "meshtastic.local"
 # For connection_type: serial
 # matrix_meshtastic_relay_serial_port: "/dev/ttyUSB0"
 # For connection_type: ble
 # matrix_meshtastic_relay_ble_address: "AA:BB:CC:DD:EE:FF"
 # Matrix rooms to bridge to Meshtastic channels.
 matrix_meshtastic_relay_matrix_rooms_list:
  - id: "#meshtastic:{{ matrix_domain }}"
    meshtastic_channel: "0"
 ```
 By default, the bot's Matrix ID is `@meshtasticbot:{{ matrix_domain }}`. To change it, adjust `matrix_meshtastic_relay_matrix_bot_user_id`.
 ### Bluetooth (BLE) connections
 When `matrix_meshtastic_relay_connection_type` is `ble`, the container runs with `--network=host` and bind-mounts the host's DBus socket — both are required for Bluetooth pairing/communication. Only use this connection type if you trust the playbook-managed host and are comfortable with these privileges.
 ### Serial connections
 When `matrix_meshtastic_relay_connection_type` is `serial`, the host device referenced by `matrix_meshtastic_relay_serial_port` is passed through to the container. Make sure that `matrix_user_uid` / `matrix_user_gid` have read/write access to that device (e.g. by adding the matrix user to the `dialout` group, or adjusting udev rules).
 ### Extending the configuration
 There are some additional things you may wish to configure about the bridge.
 Take a look at:
 - `roles/custom/matrix-bridge-meshtastic-relay/defaults/main.yml` for some variables that you can customize via your `vars.yml` file. You can override individual `matrix_meshtastic_relay_*` variables, or make finer-grained adjustments via `matrix_meshtastic_relay_configuration_extension_yaml`.
 ## Installing
 After configuring the playbook, run the playbook with [playbook tags](playbook-tags.md) as below:
 <!-- NOTE: let this conservative command run (instead of install-all) to make it clear that failure of the command means something is clearly broken. -->
 ```sh
 ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
 ```
 The shortcut commands with the [`just` program](just.md) are also available: `just install-all` or `just setup-all`.
 `just install-all` is useful for maintaining your setup quickly ([2x-5x faster](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) than `just setup-all`) when its components remain unchanged. If you adjust your `vars.yml` to remove other components, you'd need to run `just setup-all`, or these components will still remain installed. Note these shortcuts run the `ensure-matrix-users-created` tag too.
 ## Usage
 Invite the bot to the Matrix rooms listed in `matrix_meshtastic_relay_matrix_rooms_list` and it will relay between Matrix and the corresponding Meshtastic channel. Messages sent on Meshtastic will appear in Matrix and vice versa.
 See the [project's wiki](https://github.com/jeremiah-k/meshtastic-matrix-relay/wiki) for details about commands, plugins and advanced usage.
 ## Troubleshooting
 As with all other services, you can find the logs in [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) by logging in to the server with SSH and running `journalctl -fu matrix-meshtastic-relay`.
@@ -1,6 +1,6 @@
 <!--
 SPDX-FileCopyrightText: 2019 Eduardo Beltrame
-SPDX-FileCopyrightText: 2019-2025 Slavi Pantaleev
+SPDX-FileCopyrightText: 2019-2026 Slavi Pantaleev
 SPDX-FileCopyrightText: 2020 Tulir Asokan
 SPDX-FileCopyrightText: 2021, 2024 MDAD project contributors
 SPDX-FileCopyrightText: 2022 Dennis Ciba
@@ -29,13 +29,17 @@ To uninstall the service, run the command below on the server:
 systemctl disable --now matrix-conduwuit.service
 ```
 ## Migrating to Tuwunel
 [Tuwunel](configuring-playbook-tuwunel.md) is a fork of conduwuit, [endorsed as conduwuit's successor](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/5200#issuecomment-4396211185) by the former conduwuit maintainer. It reads conduwuit's database directly, so migration is possible. Please refer to [this section](./configuring-playbook-tuwunel.md#migrating-from-conduwuit) for details.
 ## Migrating to Continuwuity
 Since [Continuwuity](configuring-playbook-continuwuity.md) is a drop-in replacement for conduwuit, migration is possible. Please refer to [this section](./configuring-playbook-continuwuity.md#migrating-from-conduwuit) for details.
 ## Removing data manually
-If you are not going to migrate to [Continuwuity](configuring-playbook-continuwuity.md), you can remove data by running the command on the server:
+If you are not going to migrate to [Tuwunel](configuring-playbook-tuwunel.md) or [Continuwuity](configuring-playbook-continuwuity.md), you can remove data by running the command on the server:
 ```sh
 rm -rf /matrix/conduwuit
@@ -46,6 +46,13 @@ Take a look at:
 There are various Ansible variables that control settings in the `continuwuity.toml` file.
 💡 By default, the playbook wires Continuwuity into a few playbook-wide settings:
 - if `exim_relay_enabled: true` (the default), Continuwuity SMTP is automatically enabled and pointed at the [local Exim relay](configuring-playbook-email.md) service
 - `matrix_continuwuity_config_well_known_client` is automatically set to the public homeserver URL in the usual SSL-enabled setup, which helps email verification and password-reset links work in delegated-domain setups
 You can override any of these defaults in your `vars.yml` file if you want Continuwuity to use a different SMTP server or a different well-known client URL.
 If a specific setting you'd like to change does not have a dedicated Ansible variable, you can either submit a PR to us to add it, or you can [override the setting using an environment variable](https://continuwuity.org/configuration#environment-variables) using `matrix_continuwuity_environment_variables_extension`. For example:
 ```yaml
@@ -23,7 +23,7 @@ The [Ansible role for exim-relay](https://github.com/mother-of-all-self-hosting/
 1. **Final delivery capability**: Can deliver emails directly if you don't have an SMTP server
-2. **Centralized configuration**: Configure your upstream SMTP server once in exim-relay, then point all services ([Synapse](configuring-playbook-synapse.md), [Matrix Authentication Service](configuring-playbook-matrix-authentication-service.md), etc.) there—no need to configure SMTP in each component
+2. **Centralized configuration**: Configure your upstream SMTP server once in exim-relay, then point all services ([Synapse](configuring-playbook-synapse.md), [Matrix Authentication Service](configuring-playbook-matrix-authentication-service.md), [Continuwuity](configuring-playbook-continuwuity.md), etc.) there, with no need to configure SMTP in each component
 3. **Local spooling**: Stores messages locally and retries delivery if your upstream SMTP server is temporarily unavailable
@@ -24,14 +24,14 @@ matrix_synapse_federation_domain_whitelist:
 If you wish to disable federation, you can do that with an empty list (`[]`), or better yet by completely disabling federation (see below).
-## Exposing the room directory over federation
+## Controlling exposure of the room directory over federation
-By default, your server's public rooms directory is not exposed to other servers via federation.
+By default, your server's public rooms directory is exposed to other servers via federation, so that public rooms hosted on your server can be discovered by users on other servers. This goes against the Synapse upstream default (which is `false`); see the [2023-10-23 changelog entry](../CHANGELOG.md#enabling-allow_public_rooms_over_federation-by-default-for-synapse) for the reasoning behind this choice.
-To expose it, add the following configuration to your `vars.yml` file:
+To prevent your public rooms directory from being exposed over federation (restoring the Synapse upstream default), add the following configuration to your `vars.yml` file:
 ```yaml
-matrix_synapse_allow_public_rooms_over_federation: true
+matrix_synapse_allow_public_rooms_over_federation: false
 ```
 ## Disabling federation
@@ -11,7 +11,7 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 The playbook can install and configure the [matrix-synapse-ldap3](https://github.com/matrix-org/matrix-synapse-ldap3) LDAP Auth password provider for you.
-See the project's [documentation](https://github.com/matrix-org/matrix-synapse-ldap3/blob/main/README.rst) to learn what it does and why it might be useful to you.
+See the project's [documentation](https://github.com/matrix-org/matrix-synapse-ldap3/blob/main/README.md) to learn what it does and why it might be useful to you.
 ## Adjusting the playbook configuration
@@ -61,6 +61,12 @@ livekit_server_container_labels_turn_traefik_entrypoints: "<your-livekit-turn-tr
 and configuring their own Traefik TCP entrypoint dedicated to LiveKit TURN traffic.
 ## TURN access controls
 LiveKit's embedded TURN server enforces a credential TTL and restricts which peer CIDRs it will relay to. The playbook leaves these at the role's secure defaults, which are appropriate for typical deployments where TURN peers live on the public Internet.
 If your setup needs TURN to relay to private/restricted ranges, or you want to override the credential TTL, see the [TURN access controls and credential TTL](https://github.com/mother-of-all-self-hosting/ansible-role-livekit-server/blob/main/docs/configuring-livekit-server.md#turn-access-controls-and-credential-ttl) section of the role's documentation.
 ## Limitations
 LiveKit Server's TURN listener behavior depends on where TLS is terminated:
@@ -1,115 +1,36 @@
 <!--
-SPDX-FileCopyrightText: 2020 - 2022 Slavi Pantaleev
+SPDX-FileCopyrightText: 2019 Edgars Voroboks
-SPDX-FileCopyrightText: 2022 MDAD project contributors
+SPDX-FileCopyrightText: 2019 Eduardo Beltrame
-SPDX-FileCopyrightText: 2024 - 2025 Suguru Hirahara
+SPDX-FileCopyrightText: 2019-2025 MDAD project contributors
 SPDX-FileCopyrightText: 2019-2025 Slavi Pantaleev
 SPDX-FileCopyrightText: 2020 Chris van Dijk
 SPDX-FileCopyrightText: 2020 Tulir Asokan
 SPDX-FileCopyrightText: 2020 jens quade
 SPDX-FileCopyrightText: 2022 Dennis Ciba
 SPDX-FileCopyrightText: 2022 Kim Brose
 SPDX-FileCopyrightText: 2022 Travis Ralston
 SPDX-FileCopyrightText: 2022 Vladimir Panteleev
 SPDX-FileCopyrightText: 2022 Yan Minagawa
 SPDX-FileCopyrightText: 2024-2026 Suguru Hirahara
 SPDX-License-Identifier: AGPL-3.0-or-later
 -->
-# Setting up matrix-registration (optional)
+# Setting up matrix-registration (optional, removed)
-> [!WARNING]
+> [!NOTE]
-> - This is a poorly maintained and buggy project. It's better to avoid using it.
+> This is not related to [matrix-registration-bot](configuring-playbook-bot-matrix-registration-bot.md).
 > - This is not related to [matrix-registration-bot](configuring-playbook-bot-matrix-registration-bot.md)
-The playbook can install and configure [matrix-registration](https://github.com/ZerataX/matrix-registration) for you. It is a simple python application to have a token based Matrix registration.
+🪦 The playbook used to be able to install and configure [matrix-registration](https://github.com/ZerataX/matrix-registration), but no longer includes this component, as it has been unmaintained since November, 2025.
-Use matrix-registration to **create unique registration links**, which people can use to register on your Matrix server. It allows certain people (these having a special link) to register a user account, **keeping your server's registration closed (private)**.
+## Uninstalling the component manually
-**matrix-registration** provides 2 things:
+If you still have matrix-registration installed on your Matrix server, the playbook can no longer help you uninstall it and you will need to do it manually. To uninstall manually, run these commands on the server:
 - **an API for creating registration tokens** (unique registration links). This API can be used via `curl` or via the playbook (see [Usage](#usage) below)
 - **a user registration page**, where people can use these registration tokens. By default, exposed at `https://matrix.example.com/matrix-registration`
 ## Adjusting DNS records (optional)
 By default, this playbook installs the matrix-registration on the `matrix.` subdomain, at the `/matrix-registration` path (https://matrix.example.com/matrix-registration). This makes it easy to install it, because it **doesn't require additional DNS records to be set up**. If that's okay, you can skip this section.
 If you wish to adjust it, see the section [below](#adjusting-the-matrix-registration-url-optional) for details about DNS configuration.
 ## Adjusting the playbook configuration
 To enable matrix-registration, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:
 ```yaml
 matrix_registration_enabled: true
 # Generate a strong secret here. You can create one with a command like `pwgen -s 64 1`.
 matrix_registration_admin_secret: "ENTER_SOME_SECRET_HERE"
 ```
 ### Adjusting the matrix-registration URL (optional)
 By tweaking the `matrix_registration_hostname` and `matrix_registration_path_prefix` variables, you can easily make the service available at a **different hostname and/or path** than the default one.
 Example additional configuration for your `vars.yml` file:
 ```yaml
 # Change the default hostname and path prefix
 matrix_registration_hostname: registration.example.com
 matrix_registration_path_prefix: /
 ```
 If you've changed the default hostname, you may need to create a CNAME record for the matrix-registration domain (`registration.example.com`), which targets `matrix.example.com`.
 When setting, replace `example.com` with your own.
 ### Extending the configuration
 There are some additional things you may wish to configure about the component.
 Take a look at:
 - `roles/custom/matrix-registration/defaults/main.yml` for some variables that you can customize via your `vars.yml` file
 - `roles/custom/matrix-registration/templates/config.yaml.j2` for the component's default configuration. You can override settings (even those that don't have dedicated playbook variables) using the `matrix_registration_configuration_extension_yaml` variable
 ## Installing
 After configuring the playbook and potentially [adjusting your DNS records](#adjusting-dns-records), run the playbook with [playbook tags](playbook-tags.md) as below:
 <!-- NOTE: let this conservative command run (instead of install-all) to make it clear that failure of the command means something is clearly broken. -->
 ```sh
 ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
 ```
 The shortcut commands with the [`just` program](just.md) are also available: `just install-all` or `just setup-all`
 `just install-all` is useful for maintaining your setup quickly ([2x-5x faster](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) than `just setup-all`) when its components remain unchanged. If you adjust your `vars.yml` to remove other components, you'd need to run `just setup-all`, or these components will still remain installed. Note these shortcuts run the `ensure-matrix-users-created` tag too.
 ## Usage
 **matrix-registration** gets exposed at `https://matrix.example.com/matrix-registration`
 It provides various [APIs](https://github.com/ZerataX/matrix-registration/wiki/api) — for creating registration tokens, listing tokens, disabling tokens, etc. To make use of all of its capabilities, consider using `curl`.
 We make the most common APIs easy to use via the playbook (see below).
 ### Creating registration tokens
 To **create a new user registration token (link)**, use this command:
 ```sh
-ansible-playbook -i inventory/hosts setup.yml \
+systemctl disable --now matrix-registration.service
--tags=generate-matrix-registration-token \
+
--extra-vars="one_time=yes ex_date=2021-12-31"
+rm -rf /matrix/matrix-registration
 /matrix/postgres/bin/cli-non-interactive -c 'DROP DATABASE matrix_registration;'
 ```
 The above command creates and returns a **one-time use** token, which **expires** on the 31st of December 2021. Adjust the `one_time` and `ex_date` variables as you see fit.
 Share the unique registration link (generated by the command above) with users to let them register on your Matrix server.
 ### Listing registration tokens
 To **list the existing user registration tokens**, use this command:
 ```sh
 ansible-playbook -i inventory/hosts setup.yml \
 --tags=list-matrix-registration-tokens
 ```
 The shortcut command with `just` program is also available: `just run-tags list-matrix-registration-tokens`
 ## Troubleshooting
 As with all other services, you can find the logs in [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) by logging in to the server with SSH and running `journalctl -fu matrix-registration`.
@@ -38,6 +38,12 @@ matrix_rtc_enabled: true
 In addition to the HTTP/HTTPS ports (which you've already exposed as per the [prerequisites](prerequisites.md) document), you'll also need to open ports required by [LiveKit Server](configuring-playbook-livekit-server.md) as described in its own [Adjusting firewall rules](configuring-playbook-livekit-server.md#adjusting-firewall-rules) section.
 ## Fronting the integrated reverse-proxy with another reverse-proxy
 If you're [fronting the integrated reverse-proxy webserver with another reverse-proxy](configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) (e.g. nginx), it needs to forward WebSocket traffic for [LiveKit Server](configuring-playbook-livekit-server.md) at the `/livekit-server/` path. Without that, Matrix RTC calls will not work.
 See [`examples/reverse-proxies/nginx/matrix.conf`](../examples/reverse-proxies/nginx/matrix.conf) for an nginx example.
 ## Installing
 After configuring the playbook and potentially [adjusting your DNS records](#adjusting-dns-records) and [adjusting firewall rules](#adjusting-firewall-rules), run the playbook with [playbook tags](playbook-tags.md) as below:
@@ -0,0 +1,242 @@
 <!--
 SPDX-FileCopyrightText: 2026 MDAD project contributors
 SPDX-FileCopyrightText: 2026 Jason Volk
 SPDX-License-Identifier: AGPL-3.0-or-later
 -->
 # Configuring Tuwunel (optional)
 The playbook can install and configure the [Tuwunel](https://matrix-construct.github.io/tuwunel/) Matrix homeserver for you.
 Tuwunel is a featureful homeserver written entirely in Rust, intended as a scalable, low-cost, enterprise-ready alternative to Synapse that fully implements the [Matrix specification](https://spec.matrix.org/latest/) for all but the most niche uses. It is the official successor to [conduwuit](configuring-playbook-conduwuit.md), is now sponsored by the government of Switzerland 🇨🇭 (where it is currently deployed for citizens), and is used by a number of organisations with a vested interest in its continued development. See the project's [documentation](https://matrix-construct.github.io/tuwunel/) for further background.
 By default, the playbook installs [Synapse](https://github.com/element-hq/synapse) as it's the only full-featured Matrix server at the moment. If that's okay, you can skip this document.
 > [!WARNING]
 > - **You can't switch an existing Matrix server's implementation** (e.g. Synapse → Tuwunel). Proceed below only if you're OK with starting over, or you're dealing with a server on a new domain name which hasn't participated in the Matrix federation yet. The one exception is migrating from conduwuit; see [Migrating from conduwuit](#migrating-from-conduwuit).
 > - **Homeserver implementations other than Synapse may not be fully functional** with every part of this playbook. Make yourself familiar with the trade-offs before proceeding.
 ## Adjusting the playbook configuration
 To use Tuwunel, set the following on `inventory/host_vars/matrix.example.com/vars.yml`:
 ```yaml
 matrix_homeserver_implementation: tuwunel
 # Open the registration endpoint long enough to create your first user.
 # After signing up, set this back to false.
 matrix_tuwunel_config_allow_registration: true
 # A registration token to protect the endpoint from abuse.
 # Generate one with `pwgen -s 64 1` or similar.
 matrix_tuwunel_config_registration_token: ''
 ```
 The first user account that registers becomes a server admin and is automatically invited to the admin room. See [Creating the first user account](#creating-the-first-user-account) below for the bootstrap procedure.
 ## Wiring done for you
 When `matrix_homeserver_implementation: tuwunel` is set, the playbook automatically integrates Tuwunel with the rest of your stack:
 - **Federation.** Toggled by `matrix_homeserver_federation_enabled`. The federation virtual host (port 8448 in the default setup) is wired up via Traefik labels.
 - **Well-known.** `matrix_tuwunel_config_well_known_client` is set to your public homeserver URL whenever SSL is enabled. Matrix clients use this for delegated-domain server discovery; identity-provider entries below can also omit their `callback_url`, since Tuwunel derives `<well-known>/_matrix/client/unstable/login/sso/callback/<client_id>` automatically.
 - **Element Call / MatrixRTC.** When the [LiveKit JWT service](configuring-playbook-matrix-rtc.md) is enabled, Tuwunel publishes its public URL through `.well-known/matrix/client` per [MSC4143](https://github.com/matrix-org/matrix-spec-proposals/pull/4143).
 - **Legacy calls (TURN).** When [Coturn](configuring-playbook-turn.md) is enabled, its URIs and shared secret (or username/password, depending on `coturn_authentication_method`) are wired automatically.
 ## Extending the configuration
 Tuwunel exposes a large configuration surface. The role surfaces commonly used options as Ansible variables under `matrix_tuwunel_config_*`. See [`roles/custom/matrix-tuwunel/defaults/main.yml`](../roles/custom/matrix-tuwunel/defaults/main.yml) for the complete list, and [`roles/custom/matrix-tuwunel/templates/tuwunel.toml.j2`](../roles/custom/matrix-tuwunel/templates/tuwunel.toml.j2) for the rendered configuration.
 For options that aren't surfaced as a dedicated variable, [environment variables](https://matrix-construct.github.io/tuwunel/configuration.html#environment-variables) are the recommended override mechanism. They take priority over the rendered TOML, are scoped to the running container, and require no template patching:
 ```yaml
 matrix_tuwunel_environment_variables_extension: |
  TUWUNEL_REQUEST_TIMEOUT=60
  TUWUNEL_DNS_CACHE_SIZE=131072
 ```
 Keys nested under a TOML section use `__` (double underscore) to descend, e.g. `TUWUNEL_WELL_KNOWN__SERVER`. User-named sections become path segments too: `TUWUNEL_STORAGE_PROVIDER__ARCHIVE__S3__URL` overrides the `url` field of the `archive` storage provider in the example below.
 If you need wholesale control of the configuration file, copy [`roles/custom/matrix-tuwunel/templates/tuwunel.toml.j2`](../roles/custom/matrix-tuwunel/templates/tuwunel.toml.j2) into your inventory and point `matrix_tuwunel_template_tuwunel_config` at your copy.
 The container image published as `:latest` is built with `io_uring`, `jemalloc`, LDAP, blurhashing, URL preview, sentry telemetry, and zstd compression all enabled, so most opt-in features are simply a configuration toggle away.
 ### Identity providers (OAuth2 / OIDC)
 Configure one or more `[[global.identity_provider]]` entries via a list. Each entry maps directly to Tuwunel's [identity-provider fields](https://matrix-construct.github.io/tuwunel/authentication/providers.html); only the fields you set are emitted. GitHub, GitLab, and Google have built-in `issuer_url` defaults so a `client_id` plus `client_secret` is enough; for any other `brand` (Apple, Facebook, Keycloak, MAS, Twitter, etc.) you must supply `issuer_url` explicitly:
 ```yaml
 matrix_tuwunel_config_identity_providers:
  - brand: keycloak
    client_id: matrix
    client_secret: '<provider secret>'
    issuer_url: https://sso.example.com/realms/matrix
    callback_url: https://matrix.example.com/_matrix/client/unstable/login/sso/callback/matrix
    trusted: true
  - brand: github
    client_id: '<github oauth app id>'
    client_secret: '<github oauth app secret>'
 ```
 Self-hosted providers must supply both `client_id` and `issuer_url`. Set `trusted: true` only on providers you operate yourself; trusting a public provider (GitHub, Google, etc.) is an account-takeover risk.
 ### LDAP
 Tuwunel can authenticate `m.login.password` requests against an LDAP directory and, in search-then-bind mode, keep admin status in sync with directory membership. The shipped image already includes the `ldap` build feature.
 ```yaml
 matrix_tuwunel_config_ldap_enabled: true
 matrix_tuwunel_config_ldap_uri: ldaps://ldap.example.com:636
 matrix_tuwunel_config_ldap_base_dn: ou=users,dc=example,dc=org
 matrix_tuwunel_config_ldap_bind_dn: cn=ldap-reader,dc=example,dc=org
 matrix_tuwunel_config_ldap_bind_password_file: /etc/tuwunel/ldap.pw
 matrix_tuwunel_config_ldap_filter: '(&(objectClass=person)(memberOf=cn=matrix,ou=groups,dc=example,dc=org))'
 ```
 > [!NOTE]
 > `bind_password_file` is read **inside the container**. The role bind-mounts `/matrix/tuwunel/config` to `/etc/tuwunel` (read-only) and `/matrix/tuwunel/data` to `/var/lib/tuwunel`. To make the file available at the path above, drop it on the host at `/matrix/tuwunel/config/ldap.pw` (owned by `matrix:matrix`) before running the playbook; the role does not template secret files for you.
 For direct-bind, anonymous-search, and admin-sync details, see [LDAP authentication](https://matrix-construct.github.io/tuwunel/authentication/ldap.html).
 ### JWT login
 Tuwunel can accept signed JSON Web Tokens both as a login flow and as a User-Interactive Authentication step:
 ```yaml
 matrix_tuwunel_config_jwt_enabled: true
 matrix_tuwunel_config_jwt_key: '<shared secret>'
 matrix_tuwunel_config_jwt_format: HMAC          # one of HMAC, B64HMAC, ECDSA, EDDSA
 matrix_tuwunel_config_jwt_algorithm: HS256
 matrix_tuwunel_config_jwt_audience: ['matrix']
 matrix_tuwunel_config_jwt_issuer: ['https://issuer.example.com']
 ```
 The defaults match Synapse's `experimental_features.jwt_config` semantics, so a key + algorithm port should authenticate the same set of tokens. See [Enterprise JWT](https://matrix-construct.github.io/tuwunel/authentication/jwt.html) for the full reference, including the asymmetric (ECDSA / EdDSA) formats and the operator-controlled UIAA override flow.
 ### Media storage providers
 Each entry becomes a `[global.storage_provider.<id>.<kind>]` block. `kind` is `local` or `s3`; the remaining keys map directly to the fields documented in [Storage providers](https://matrix-construct.github.io/tuwunel/media/storage.html):
 ```yaml
 matrix_tuwunel_config_storage_providers:
  - id: primary
    kind: local
    base_path: /var/lib/tuwunel/media
  - id: archive
    kind: s3
    url: s3://my-bucket/media
    region: us-east-1
    key: AKIA...
    secret: '<aws secret>'
    multipart_threshold: 100 MiB
 ```
 The S3 backend ships with native multipart upload, so no goofys/rclone sidecar is required. MinIO, Cloudflare R2, and DigitalOcean Spaces all work; set `endpoint` and `use_vhost_request: false` as appropriate.
 > [!NOTE]
 > Local provider paths must live under `/var/lib/tuwunel` (the container's data mount, persisted on the host at `/matrix/tuwunel/data`), or you must mount the target directory into the container yourself via `matrix_tuwunel_container_extra_arguments`. The container otherwise runs read-only.
 ### RocksDB and cache tuning
 Tuwunel embeds RocksDB. The defaults (`rocksdb_compression_algo: zstd`) suit most deployments. For high-throughput servers you may want to enable direct I/O, raise parallelism, and configure a backup path:
 ```yaml
 matrix_tuwunel_config_rocksdb_direct_io: true
 matrix_tuwunel_config_rocksdb_parallelism_threads: 8
 matrix_tuwunel_config_database_backup_path: /var/lib/tuwunel/backups
 ```
 `matrix_tuwunel_config_cache_capacity_modifier` is left empty by default, so Tuwunel picks a value (`1.0` since v1.7.0, with rebalanced per-cache sizes that already raise memory use). Set it to `2.0` only on small hosts with four or fewer cores; on larger machines the default is recommended.
 If you run on ZFS, the [Tuwunel maintenance guide](https://matrix-construct.github.io/tuwunel/maintenance.html#zfs) lists the dataset properties (`recordsize`, `primarycache`, `compression`, `atime`, `logbias`) and config flags (`rocksdb_direct_io`, `rocksdb_allow_fallocate`) you need to adjust to avoid severe write amplification.
 To enable Sentry crash reporting, set `matrix_tuwunel_config_sentry_enabled: true`.
 ### Federation gating
 Tuwunel accepts regular-expression patterns at every level of remote-server filtering:
 ```yaml
 matrix_tuwunel_config_forbidden_remote_server_names:
  - 'bad\.example\.com$'
 matrix_tuwunel_config_forbidden_remote_room_directory_server_names:
  - 'spam\.example\.com$'
 matrix_tuwunel_config_prevent_media_downloads_from:
  - 'heavy\.example\.com$'
 ```
 Tuwunel additionally implements [MSC4284 policy servers](https://github.com/matrix-org/matrix-spec-proposals/pull/4284) for room-level federation gating. The policy itself lives in room state, but enforcement is opt-in at the server level:
 ```yaml
 matrix_tuwunel_config_enable_policy_servers: true
 matrix_tuwunel_config_policy_server_request_timeout: 5
 ```
 When enabled, rooms with a valid `m.room.policy` state event have outgoing events signed by the configured policy server before federation. Transient network or timeout failures fail open (with a warn log), so a policy-server outage will not silently take the room offline.
 ### Default room version
 The role sets `default_room_version: '12'`, so newly created rooms default to Matrix [room version 12](https://github.com/matrix-org/matrix-spec-proposals/pull/4289) ("Hydra"). Override `matrix_tuwunel_config_default_room_version` if you need an earlier version for client compatibility.
 ## Creating the first user account
 Unlike Synapse and Dendrite, Tuwunel does not register users from the command line or via the playbook. On first startup it logs a one-time-use registration token to its journal:
 ```sh
 # Adjust the duration if necessary or remove the --since argument.
 journalctl -u matrix-tuwunel.service --since="10 minutes ago"
 ```
 Use the token to create your first account from any client that supports token-gated registration (e.g. [Element Web](configuring-playbook-client-element-web.md)). The account is auto-promoted to admin and invited to the admin room together with the `@conduit:<server_name>` server bot. The bot keeps the legacy `conduit` localpart due to the project's lineage from Conduit.
 ## Configuring bridges and appservices
 The playbook does not auto-register appservices for Tuwunel. After your bridge has produced its `registration.yaml` (e.g. `/matrix/mautrix-signal/bridge/registration.yaml`), register it manually by sending the contents to the admin room, prefixed with `!admin appservices register` and wrapped in a fenced code block:
    !admin appservices register
    ```
    id: signal
    url: http://matrix-mautrix-signal:29328
    as_token: <token>
    hs_token: <token>
    sender_localpart: _bot_signalbot
    rate_limited: false
    namespaces:
      users:
        - exclusive: true
          regex: '^@signal_.+:example\.org$'
        - exclusive: true
          regex: '^@signalbot:example\.org$'
      aliases:
        - exclusive: true
          regex: '^#signal_.+:example\.org$'
    ```
 Registrations stored this way are persisted in the database and survive restarts. Re-running the command with the same `id` replaces the existing entry. See [Application services](https://matrix-construct.github.io/tuwunel/appservices.html) for the full reference and admin commands.
 ## Migrating from conduwuit
 Tuwunel is a "binary swap" for conduwuit; it reads conduwuit's RocksDB layout directly, so migration is a data move, not an export/import.
 1. Set `matrix_homeserver_implementation: tuwunel` on `vars.yml` and remove any `matrix_conduwuit_*` overrides.
 2. Run a full installation so that the new service is created and the old one removed (e.g. `just setup-all`).
 3. Run `just run-tags tuwunel-migrate-from-conduwuit`.
 The migration stops `matrix-conduwuit.service`, copies `/matrix/conduwuit` into `/matrix/tuwunel`, renames the config file, and starts `matrix-tuwunel.service`. The freshly generated tuwunel data directory is preserved alongside as `/matrix/tuwunel_old` until you remove it manually.
 > [!CAUTION]
 > Migrating from any other Conduit derivative (Conduit itself, Continuwuity, or any other fork) is **not supported** and will corrupt your database. All Conduit forks share the same linear database version with no awareness of each other; switching between them produces unrecoverable damage. See the [upstream migration table](https://matrix-construct.github.io/tuwunel/#migrating-to-tuwunel).
 ## Troubleshooting
 As with all other services, the logs are available via [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html):
 ```sh
 journalctl -fu matrix-tuwunel
 ```
 Logging verbosity is controlled by `matrix_tuwunel_config_log` in [`tracing-subscriber` env-filter syntax](https://docs.rs/tracing-subscriber/latest/tracing_subscriber/filter/struct.EnvFilter.html). The default (`info,state_res=warn`) is reasonable for production; for debugging, try `debug` or scope it tighter, e.g. `info,tuwunel_service::sending=debug`.
 For RocksDB-level issues, online backups, and offline backup procedures, see the [Tuwunel maintenance guide](https://matrix-construct.github.io/tuwunel/maintenance.html). For protocol-compliance state across MSCs, the spec, and Complement, the project's [compliance dashboard](https://matrix-construct.github.io/tuwunel/development/compliance.html) is the authoritative tracker.
@@ -53,6 +53,8 @@ For a more custom setup, see the [Other configuration options](#other-configurat
  - [Configuring continuwuity](configuring-playbook-continuwuity.md), if you've switched to the [continuwuity](https://continuwuity.org) homeserver implementation
  - [Configuring Tuwunel](configuring-playbook-tuwunel.md), if you've switched to the [Tuwunel](https://matrix-construct.github.io/tuwunel/) homeserver implementation
  - [Configuring Dendrite](configuring-playbook-dendrite.md), if you've switched to the [Dendrite](https://matrix-org.github.io/dendrite) homeserver implementation
 - Server components:
@@ -104,8 +106,6 @@ Extend and modify how users are authenticated on your homeserver.
 - [Setting up Ketesa](configuring-playbook-ketesa.md)
 - [Setting up matrix-registration](configuring-playbook-matrix-registration.md)
 - [Setting up the REST authentication password provider module](configuring-playbook-rest-auth.md) (advanced)
 - [Setting up the Shared Secret Auth password provider module](configuring-playbook-shared-secret-auth.md) (advanced)
@@ -182,6 +182,8 @@ Bridges can be used to connect your Matrix installation with third-party communi
 - [Setting up Heisenbridge bouncer-style IRC bridging](configuring-playbook-bridge-heisenbridge.md)
 - [Setting up a Matrix <-> Meshtastic bridge](configuring-playbook-bridge-meshtastic-relay.md)
 - [Setting up WeChat bridging](configuring-playbook-bridge-wechat.md)
 ### Bots
@@ -277,6 +279,8 @@ Various services that don't fit any other categories.
 - [Setting up matrix-bot-chatgpt](configuring-playbook-bot-chatgpt.md) (unmaintained; the bridge's author suggests taking a look at [baibot](https://github.com/etkecc/baibot) as a replacement, which can also be [installed using this playbook](configuring-playbook-bot-baibot.md))
 - [Setting up matrix-registration](configuring-playbook-matrix-registration.md) (removed; this component has been unmaintained)
 - [Setting up Mautrix Facebook bridging](configuring-playbook-bridge-mautrix-facebook.md) (deprecated in favor of the Messenger/Instagram bridge with [mautrix-meta-messenger](configuring-playbook-bridge-mautrix-meta-messenger.md))
 - [Setting up Mautrix Instagram bridging](configuring-playbook-bridge-mautrix-instagram.md) (deprecated in favor of the Messenger/Instagram bridge with [mautrix-meta-instagram](configuring-playbook-bridge-mautrix-meta-instagram.md))
@@ -28,6 +28,7 @@ We try to stick to official images (provided by their respective projects) as mu
 | [Synapse](configuring-playbook-synapse.md) | [element-hq/synapse](https://ghcr.io/element-hq/synapse) | ✅ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network |
 | [Conduit](configuring-playbook-conduit.md) | [matrixconduit/matrix-conduit](https://hub.docker.com/r/matrixconduit/matrix-conduit) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Conduit is a lightweight open-source server implementation of the Matrix Specification with a focus on easy setup and low system requirements |
 | [continuwuity](configuring-playbook-continuwuity.md) | [continuwuation/continuwuity](https://forgejo.ellis.link/continuwuation/continuwuity) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. continuwuity is a continuation of conduwuit. |
 | [Tuwunel](configuring-playbook-tuwunel.md) | [matrix-construct/tuwunel](https://ghcr.io/matrix-construct/tuwunel) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Tuwunel is the official successor to conduwuit. |
 | [Dendrite](configuring-playbook-dendrite.md) | [matrixdotorg/dendrite-monolith](https://hub.docker.com/r/matrixdotorg/dendrite-monolith/) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Dendrite is a second-generation Matrix homeserver written in Go, an alternative to Synapse. |
 ## Clients
@@ -67,7 +68,6 @@ Extend and modify how users are authenticated on your homeserver.
 | [matrix-synapse-shared-secret-auth](configuring-playbook-shared-secret-auth.md) | (N/A) | ❌ | Password provider module |
 | [matrix-synapse-ldap3](configuring-playbook-ldap-auth.md) (advanced) | (N/A) | ❌ | LDAP Auth password provider module |
 | [matrix-ldap-registration-proxy](configuring-playbook-matrix-ldap-registration-proxy.md) | [activism.international/matrix_ldap_registration_proxy](https://gitlab.com/activism.international/matrix_ldap_registration_proxy/container_registry) | ❌ | Proxy that handles Matrix registration requests and forwards them to LDAP |
 | [matrix-registration](configuring-playbook-matrix-registration.md) | [zeratax/matrix-registration](https://hub.docker.com/r/devture/zeratax-matrix-registration/) | ❌ | Simple python application to have a token based Matrix registration |
 | [Matrix User Verification Service](configuring-playbook-user-verification-service.md) | [matrixdotorg/matrix-user-verification-service](https://hub.docker.com/r/atrixdotorg/matrix-user-verification-service) | ❌ | Service to verify details of a user based on an Open ID token |
 | [synapse-simple-antispam](configuring-playbook-synapse-simple-antispam.md) (advanced) | (N/A) | ❌ | Spam checker module |
@@ -178,6 +178,7 @@ The list of the deprecated or unmaintained services is available [here](configur
 | [matrix-appservice-slack](configuring-playbook-bridge-appservice-slack.md) | [matrixdotorg/matrix-appservice-slack](https://hub.docker.com/r/matrixdotorg/matrix-appservice-slack) | ❌ | Bridge to [Slack](https://slack.com/) |
 | [matrix-appservice-webhooks](configuring-playbook-bridge-appservice-webhooks.md) | [turt2live/matrix-appservice-webhooks](https://hub.docker.com/r/turt2live/matrix-appservice-webhooks) | ❌ | Bridge for slack compatible webhooks ([ConcourseCI](https://concourse-ci.org/), [Slack](https://slack.com/) etc. pp.) |
 | [matrix-chatgpt-bot](configuring-playbook-bot-chatgpt.md) | [matrixgpt/matrix-chatgpt-bot](https://ghcr.io/matrixgpt/matrix-chatgpt-bot) | ❌ | Accessing ChatGPT via your favourite Matrix client |
 | [matrix-registration](configuring-playbook-matrix-registration.md) | [zeratax/matrix-registration](https://hub.docker.com/r/devture/zeratax-matrix-registration/) | ❌ | Simple python application to have a token based Matrix registration |
 | [mautrix-facebook](configuring-playbook-bridge-mautrix-facebook.md) | [mautrix/facebook](https://mau.dev/mautrix/facebook/container_registry) | ❌ | Bridge to [Facebook](https://facebook.com/) |
 | [mautrix-instagram](configuring-playbook-bridge-mautrix-instagram.md) | [mautrix/instagram](https://mau.dev/mautrix/instagram/container_registry) | ❌ | Bridge to [Instagram](https://instagram.com/) |
 | [mx-puppet-discord](configuring-playbook-bridge-mx-puppet-discord.md) | [mx-puppet/discord/mx-puppet-discord](https://gitlab.com/mx-puppet/discord/mx-puppet-discord/container_registry) | ❌ | Bridge to [Discord](https://discordapp.com/) |
@@ -26,7 +26,7 @@ The up-to-date list can be accessed on [traefik's documentation](https://doc.tra
 **Note**: the changes below instruct you how to do this for a basic Synapse installation. You will need to adapt the variable name and the content of the labels:
- if you're using another homeserver implementation (e.g. [Conduit](./configuring-playbook-conduit.md), [continuwuity](./configuring-playbook-continuwuity.md) or [Dendrite](./configuring-playbook-dendrite.md))
+- if you're using another homeserver implementation (e.g. [Conduit](./configuring-playbook-conduit.md), [continuwuity](./configuring-playbook-continuwuity.md), [Tuwunel](./configuring-playbook-tuwunel.md) or [Dendrite](./configuring-playbook-dendrite.md))
 - if you're using [Synapse with workers enabled](./configuring-playbook-synapse.md#load-balancing-with-workers) (`matrix_synapse_workers_enabled: true`). In that case, it's actually the `matrix-synapse-reverse-proxy-companion` service which has Traefik labels attached
 Also, all instructions below are from an older version of the playbook and may not work anymore.
@@ -27,7 +27,7 @@ To update your playbook directory and all upstream Ansible roles (defined in the
 - either: `just update`
 - or: a combination of `git pull` and `just roles` (or `make roles` if you have `make` program on your computer instead of `just`)
-If you don't have either `just` tool or `make` program, you can run the `ansible-galaxy` tool directly: `rm -rf roles/galaxy; ansible-galaxy install -r requirements.yml -p roles/galaxy/ --force`
+If you don't have either `just` tool or `make` program, you can run the `ansible-galaxy` tool directly after updating the playbook: `git pull; rm -rf roles/galaxy; ansible-galaxy install -r requirements.yml -p roles/galaxy/ --force`
 For details about `just` commands, take a look at: [Running `just` commands](just.md).
@@ -1,10 +1,10 @@
 <!--
 SPDX-FileCopyrightText: 2018 - 2023 Slavi Pantaleev
 SPDX-FileCopyrightText: 2018 Aaron Raimist
 SPDX-FileCopyrightText: 2018-2026 Slavi Pantaleev
 SPDX-FileCopyrightText: 2024 Felix Stupp
 SPDX-FileCopyrightText: 2024 MDAD project contributors
 SPDX-FileCopyrightText: 2024 Nikita Chernyi
-SPDX-FileCopyrightText: 2024 Suguru Hirahara
+SPDX-FileCopyrightText: 2024-2026 Suguru Hirahara
 SPDX-License-Identifier: AGPL-3.0-or-later
 -->
@@ -36,13 +36,25 @@ If it looks good to you, go to the `matrix-docker-ansible-deploy` directory, upd
 - either: `just update`
 - or: a combination of `git pull` and `just roles` (or `make roles` if you have `make` program on your computer instead of `just`)
-If you don't have either `just` tool or `make` program, you can run the `ansible-galaxy` tool directly: `rm -rf roles/galaxy; ansible-galaxy install -r requirements.yml -p roles/galaxy/ --force`
+If you don't have either `just` tool or `make` program, you can run the `ansible-galaxy` tool directly after updating the playbook: `git pull; rm -rf roles/galaxy; ansible-galaxy install -r requirements.yml -p roles/galaxy/ --force`
 **Note**: for details about `just` commands, take a look at: [Running `just` commands](just.md).
 ### Acknowledge breaking changes if any
 The playbook uses a migration validation system that ensures you are aware of breaking changes before they'll affect your deployment. If there is one, you are required to acknowledge each breaking change.
 Whenever a breaking change is introduced, the playbook will:
 - bump its expected version value (`matrix_playbook_migration_expected_version`), causing a discrepancy with what you validated (`matrix_playbook_migration_validated_version`)
 - fail when you run it with a helpful message listing what changed and linking to the relevant changelog entries
 After reviewing and adapting your setup, update the variable to the new version.
 ### Re-run the playbook setup
-After updating the Ansible roles, then re-run the [playbook setup](installing.md#maintaining-your-setup-in-the-future) and restart all services:
+After updating the Ansible roles and the variable for the validation system when necessary, re-run the [playbook setup](installing.md#maintaining-your-setup-in-the-future) and restart all services:
 ```sh
 ansible-playbook -i inventory/hosts setup.yml --tags=install-all,start
@@ -119,7 +119,7 @@ To update your playbook directory and all upstream Ansible roles, run:
 - either: `just update`
 - or: a combination of `git pull` and `just roles` (or `make roles` if you have `make` program on your computer instead of `just`)
-If you don't have either `just` tool or `make` program, you can run the `ansible-galaxy` tool directly: `rm -rf roles/galaxy; ansible-galaxy install -r requirements.yml -p roles/galaxy/ --force`
+If you don't have either `just` tool or `make` program, you can run the `ansible-galaxy` tool directly after updating the playbook: `git pull; rm -rf roles/galaxy; ansible-galaxy install -r requirements.yml -p roles/galaxy/ --force`
 ### Run installation command
@@ -97,10 +97,6 @@ This `register-user` script actually invokes the `mas-cli manage register-user`
 To manage users and your homeserver more easily (via a web interface), you can install [Ketesa](configuring-playbook-ketesa.md) — a fully-featured admin UI covering users, rooms, media, sessions, and MAS management.
 ## Letting certain users register on your private server
 If you'd rather **keep your server private** (public registration closed, as is the default), and **let certain people create accounts by themselves** (instead of creating user accounts manually like this), consider installing and making use of [matrix-registration](configuring-playbook-matrix-registration.md).
 ## Enabling public user registration
 To **open up user registration publicly** (usually **not recommended**), add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:
@@ -31,7 +31,6 @@ Possibly outdated list of roles where self-building the Docker image is currentl
 - `hydrogen`
 - `cinny`
 - `sable`
 - `matrix-registration`
 - `coturn`
 - `matrix-corporal`
 - `exim-relay`
@@ -19,7 +19,7 @@ services:
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      # - ./site:/var/www
-    # Other configurations …
+      # Other configurations …
 networks:
  # add this as well
@@ -22,6 +22,27 @@ server {
    # if you use e.g. Etherpad on etherpad.example.com, add etherpad.example.com to the server_name list
    server_name example.com matrix.example.com element.example.com;
    # Required for Matrix RTC (WebSocket proxying to LiveKit Server).
    # See: ../../../docs/configuring-playbook-matrix-rtc.md#fronting-the-integrated-reverse-proxy-with-another-reverse-proxy
    location /livekit-server/ {
        proxy_pass http://localhost:81/livekit-server/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Long timeouts for persistent WebSocket connections
        proxy_read_timeout 86400s;
        proxy_send_timeout 86400s;
        proxy_buffering off;
        access_log /var/log/nginx/matrix.access.log;
        error_log /var/log/nginx/matrix.error.log;
    }
    location / {
        # note: do not add a path (even a single /) after the port in `proxy_pass`,
        # otherwise, nginx will canonicalise the URI and cause signature verification
@@ -2,7 +2,7 @@
 # This variable acknowledges that you've reviewed breaking changes up to this version.
 # The playbook will fail if this is outdated, guiding you through what changed.
 # See the changelog: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md
-matrix_playbook_migration_validated_version: v2026.04.03.0
+matrix_playbook_migration_validated_version: v2026.05.18.0
 # The bare domain name which represents your Matrix identity.
 # Matrix user IDs for your server will be of the form (`@alice:example.com`).
@@ -429,6 +429,13 @@ devture_systemd_service_manager_services_list_auto: |
      'groups': ['matrix', 'bridges', 'hookshot', 'bridge-hookshot'],
    }] if matrix_hookshot_enabled else [])
    +
    ([{
      'name': 'matrix-meshtastic-relay.service',
      'priority': 2000,
      'restart_necessary': (matrix_meshtastic_relay_restart_necessary | bool),
      'groups': ['matrix', 'bridges', 'meshtastic-relay'],
    }] if matrix_meshtastic_relay_enabled else [])
    +
    ([{
      'name': 'matrix-mautrix-bluesky.service',
      'priority': 2000,
@@ -624,6 +631,7 @@ devture_systemd_service_manager_services_list_auto: |
      'restart_necessary': (
        (matrix_conduit_restart_necessary | bool) if matrix_homeserver_implementation == 'conduit'
        else (matrix_continuwuity_restart_necessary | bool) if matrix_homeserver_implementation == 'continuwuity'
        else (matrix_tuwunel_restart_necessary | bool) if matrix_homeserver_implementation == 'tuwunel'
        else (matrix_dendrite_restart_necessary | bool) if matrix_homeserver_implementation == 'dendrite'
        else true
      ),
@@ -826,13 +834,6 @@ devture_systemd_service_manager_services_list_auto: |
      'groups': ['matrix', 'livekit-server'],
    }] if livekit_server_enabled else [])
    +
    ([{
      'name': 'matrix-registration.service',
      'priority': 4000,
      'restart_necessary': (matrix_registration_restart_necessary | bool),
      'groups': ['matrix', 'registration', 'matrix-registration'],
    }] if matrix_registration_enabled else [])
    +
    ([{
      'name': 'matrix-sygnal.service',
      'priority': 800,
@@ -1001,6 +1002,7 @@ matrix_homeserver_container_client_api_endpoint: |-
      'dendrite': ('matrix-dendrite:' + matrix_dendrite_http_bind_port | default('8008') | string),
      'conduit': ('matrix-conduit:' + matrix_conduit_port_number | default('8008') | string),
      'continuwuity': ('matrix-continuwuity:' + matrix_continuwuity_config_port_number | default('8008') | string),
      'tuwunel': ('matrix-tuwunel:' + matrix_tuwunel_config_port_number | default('8008') | string),
    }[matrix_homeserver_implementation]
  }}
@@ -1011,6 +1013,7 @@ matrix_homeserver_container_federation_api_endpoint: |-
      'dendrite': ('matrix-dendrite:' + matrix_dendrite_http_bind_port | default('8008') | string),
      'conduit': ('matrix-conduit:' + matrix_conduit_port_number | default('8008') | string),
      'continuwuity': ('matrix-continuwuity:' + matrix_continuwuity_config_port_number | default('8008') | string),
      'tuwunel': ('matrix-tuwunel:' + matrix_tuwunel_config_port_number | default('8008') | string),
    }[matrix_homeserver_implementation]
  }}
@@ -1117,7 +1120,7 @@ matrix_authentication_service_config_email_port: "{{ 8025 if exim_relay_enabled
 matrix_authentication_service_config_email_mode: "{{ 'plain' if exim_relay_enabled else 'starttls' }}"
 matrix_authentication_service_config_email_from_address: "{{ exim_relay_sender_address }}"
-matrix_authentication_service_admin_api_enabled: "{{ matrix_element_admin_enabled }}"
+matrix_authentication_service_admin_api_enabled: "{{ matrix_element_admin_enabled or matrix_ketesa_enabled }}"
 matrix_authentication_service_container_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else matrix_authentication_service_container_image_registry_prefix_upstream_default }}"
@@ -1936,9 +1939,6 @@ matrix_mautrix_meta_instagram_database_password: "{{ ((matrix_homeserver_generic
 # We don't enable bridges by default.
 matrix_mautrix_telegram_enabled: false
 matrix_mautrix_telegram_hostname: "{{ matrix_server_fqn_matrix }}"
 matrix_mautrix_telegram_path_prefix: "/{{ (matrix_homeserver_generic_secret_key + ':telegram') | hash('sha512') | to_uuid }}"
 matrix_mautrix_telegram_systemd_required_services_list_auto: |
  {{
    matrix_addons_homeserver_systemd_services_list
@@ -1946,16 +1946,9 @@ matrix_mautrix_telegram_systemd_required_services_list_auto: |
    ([postgres_identifier ~ '.service'] if (postgres_enabled and matrix_mautrix_telegram_database_hostname == postgres_connection_hostname) else [])
  }}
 matrix_mautrix_telegram_lottieconverter_container_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else matrix_mautrix_telegram_lottieconverter_container_image_registry_prefix_upstream_default }}"
 matrix_mautrix_telegram_container_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else matrix_mautrix_telegram_container_image_registry_prefix_upstream_default }}"
 # Images are multi-arch (amd64 and arm64, but not arm32).
 matrix_mautrix_telegram_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}"
 matrix_mautrix_telegram_lottieconverter_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}"
 matrix_mautrix_telegram_lottieconverter_container_image_self_build_mask_arch: "{{ matrix_architecture != 'amd64' }}"
 matrix_mautrix_telegram_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '9006') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
 matrix_mautrix_telegram_container_network: "{{ matrix_addons_container_network }}"
@@ -1986,17 +1979,15 @@ matrix_mautrix_telegram_homeserver_token: "{{ (matrix_homeserver_generic_secret_
 matrix_mautrix_telegram_homeserver_async_media: "{{ matrix_homeserver_implementation in ['synapse'] }}"
-matrix_mautrix_telegram_bridge_login_shared_secret_map_auto: |-
+matrix_mautrix_telegram_provisioning_shared_secret: "{{ (matrix_homeserver_generic_secret_key + ':mau.telegram.prov') | hash('sha512') | to_uuid }}"
 matrix_mautrix_telegram_double_puppet_secrets_auto: |-
  {{
-    ({
+    {
      matrix_mautrix_telegram_homeserver_domain: ("as_token:" + matrix_appservice_double_puppet_registration_as_token)
-    })
+    }
    if matrix_appservice_double_puppet_enabled
-    else (
+    else {}
      {matrix_mautrix_telegram_homeserver_domain: matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret}
      if matrix_synapse_ext_password_provider_shared_secret_auth_enabled
      else {}
    )
  }}
 matrix_mautrix_telegram_metrics_enabled: "{{ prometheus_enabled or matrix_metrics_exposure_enabled }}"
@@ -2180,7 +2171,6 @@ matrix_mautrix_wsproxy_systemd_required_services_list_default: |
    ([postgres_identifier ~ '.service'] if (postgres_enabled and matrix_mautrix_wsproxy_syncproxy_database_hostname == postgres_connection_hostname) else [])
  }}
 matrix_mautrix_wsproxy_homeserver_domain: "{{ matrix_domain }}"
 matrix_mautrix_wsproxy_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
 matrix_mautrix_wsproxy_hostname: "wsproxy.{{ matrix_mautrix_wsproxy_homeserver_domain }}"
@@ -2493,7 +2483,6 @@ matrix_hookshot_container_labels_metrics_middleware_basic_auth_enabled: "{{ matr
 matrix_hookshot_container_labels_metrics_middleware_basic_auth_users: "{{ matrix_metrics_exposure_http_basic_auth_users }}"
 matrix_hookshot_public_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}"
 matrix_hookshot_public_hostname: "{{ matrix_server_fqn_matrix }}"
 ######################################################################
 #
@@ -2501,6 +2490,39 @@ matrix_hookshot_public_hostname: "{{ matrix_server_fqn_matrix }}"
 #
 ######################################################################
 ######################################################################
 #
 # matrix-bridge-meshtastic-relay
 #
 ######################################################################
 # We don't enable bridges by default.
 matrix_meshtastic_relay_enabled: false
 matrix_meshtastic_relay_container_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else matrix_meshtastic_relay_container_image_registry_prefix_upstream_default }}"
 matrix_meshtastic_relay_matrix_host: "{{ matrix_domain }}"
 matrix_meshtastic_relay_matrix_homeserver_url: "{{ matrix_addons_homeserver_client_api_url }}"
 matrix_meshtastic_relay_container_network: "{{ matrix_addons_container_network }}"
 matrix_meshtastic_relay_systemd_required_services_list_auto: |
  {{
    matrix_addons_homeserver_systemd_services_list
  }}
 matrix_meshtastic_relay_container_additional_networks_auto: |
  {{
    ([] if matrix_addons_homeserver_container_network == '' or matrix_addons_homeserver_container_network == matrix_meshtastic_relay_container_network else [matrix_addons_homeserver_container_network])
  }}
 ######################################################################
 #
 # /matrix-bridge-meshtastic-relay
 #
 ######################################################################
 ######################################################################
 #
 # matrix-bridge-mx-puppet-steam
@@ -3508,8 +3530,6 @@ matrix_rageshake_hostname: "{{ matrix_server_fqn_rageshake }}"
 matrix_rageshake_container_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else matrix_rageshake_container_image_registry_prefix_upstream_default }}"
 matrix_rageshake_container_network: matrix-rageshake
 matrix_rageshake_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [] }}"
 matrix_rageshake_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '9110') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
@@ -3681,7 +3701,7 @@ ddclient_uid: "{{ matrix_user_uid }}"
 ddclient_gid: "{{ matrix_user_gid }}"
 ddclient_container_image_registry_prefix: "{{ 'localhost/' if ddclient_container_image_self_build else ddclient_container_image_registry_prefix_upstream }}"
-ddclient_container_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else ddclient_docker_image_registry_prefix_upstream_default }}"
+ddclient_container_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else ddclient_container_image_registry_prefix_upstream_default }}"
 ddclient_web: "https://cloudflare.com/cdn-cgi/trace"
@@ -4093,12 +4113,6 @@ postgres_managed_databases_auto: |
      'password': matrix_bot_buscarron_database_password,
    }] if (matrix_bot_buscarron_enabled and matrix_bot_buscarron_database_engine == 'postgres' and matrix_bot_buscarron_database_hostname == postgres_connection_hostname) else [])
    +
    ([{
      'name': matrix_registration_database_name,
      'username': matrix_registration_database_username,
      'password': matrix_registration_database_password,
    }] if (matrix_registration_enabled and matrix_registration_database_engine == 'postgres' and matrix_registration_database_hostname == postgres_connection_hostname) else [])
    +
    ([{
      'name': matrix_appservice_discord_database_name,
      'username': matrix_appservice_discord_database_username,
@@ -4432,12 +4446,6 @@ matrix_client_element_container_labels_traefik_compression_middleware_name: "{{
 matrix_client_element_default_hs_url: "{{ matrix_homeserver_url }}"
 matrix_client_element_default_is_url: "{{ matrix_identity_server_url }}"
 # Use Scalar by default
 matrix_client_element_integrations_ui_url: "https://scalar.vector.im/"
 matrix_client_element_integrations_rest_url: "https://scalar.vector.im/api"
 matrix_client_element_integrations_widgets_urls: "{{ ['https://scalar.vector.im/api'] }}"
 matrix_client_element_integrations_jitsi_widget_url: "https://scalar.vector.im/api/widgets/jitsi.html"
 matrix_client_element_self_check_validate_certificates: "{{ matrix_playbook_ssl_enabled }}"
 matrix_client_element_registration_enabled: "{{ matrix_synapse_enable_registration }}"
@@ -4667,12 +4675,6 @@ matrix_client_schildichat_container_labels_traefik_tls_certResolver: "{{ traefik
 matrix_client_schildichat_default_hs_url: "{{ matrix_homeserver_url }}"
 matrix_client_schildichat_default_is_url: "{{ matrix_identity_server_url }}"
 # Use Scalar by default
 matrix_client_schildichat_integrations_ui_url: "https://scalar.vector.im/"
 matrix_client_schildichat_integrations_rest_url: "https://scalar.vector.im/api"
 matrix_client_schildichat_integrations_widgets_urls: "{{ ['https://scalar.vector.im/api'] }}"
 matrix_client_schildichat_integrations_jitsi_widget_url: "https://scalar.vector.im/api/widgets/jitsi.html"
 matrix_client_schildichat_self_check_validate_certificates: "{{ matrix_playbook_ssl_enabled }}"
 matrix_client_schildichat_registration_enabled: "{{ matrix_synapse_enable_registration }}"
@@ -4796,7 +4798,6 @@ matrix_synapse_container_labels_internal_client_synapse_admin_api_traefik_entryp
 matrix_synapse_container_labels_public_federation_api_traefik_hostname: "{{ matrix_server_fqn_matrix_federation }}"
 matrix_synapse_container_labels_public_federation_api_traefik_entrypoints: "{{ matrix_federation_traefik_entrypoint_name }}"
 matrix_synapse_container_labels_public_federation_api_traefik_tls: "{{ matrix_federation_traefik_entrypoint_tls }}"
 matrix_synapse_container_labels_public_federation_api_traefik_tls_certResolver: "{{ matrix_synapse_container_labels_traefik_tls_certResolver }}"  # noqa var-naming
 matrix_synapse_container_labels_public_metrics_middleware_basic_auth_enabled: "{{ matrix_metrics_exposure_http_basic_auth_enabled }}"
 matrix_synapse_container_labels_public_metrics_middleware_basic_auth_users: "{{ matrix_metrics_exposure_http_basic_auth_users }}"
@@ -4840,7 +4841,6 @@ matrix_synapse_metrics_proxying_path_prefix: "{{ matrix_metrics_exposure_path_pr
 matrix_synapse_email_enabled: "{{ exim_relay_enabled }}"
 matrix_synapse_email_smtp_host: "{{ exim_relay_identifier }}"
 matrix_synapse_email_smtp_port: 8025
 matrix_synapse_email_smtp_require_transport_security: false
 matrix_synapse_email_notif_from: "Matrix <{{ exim_relay_sender_address }}>"
 matrix_synapse_turn_uris: "{{ coturn_turn_uris if coturn_enabled else [] }}"
@@ -5132,7 +5132,7 @@ matrix_ketesa_config_asManagedUsers_auto: |
    +
    ([
      '^@'+(matrix_mautrix_telegram_appservice_bot_username | default('') | regex_escape)+':'+(matrix_domain | regex_escape)+'$',
-      '^@'+(matrix_mautrix_telegram_username_template | regex_escape | replace('{userid}', '.+'))+':'+(matrix_domain | regex_escape)+'$',
+      '^@telegram_(channel-)?[0-9]+:'+(matrix_domain | regex_escape)+'$',
    ] if matrix_mautrix_telegram_enabled else [])
    +
    ([
@@ -5194,7 +5194,6 @@ matrix_synapse_usage_exporter_container_network: "{{ matrix_monitoring_container
 matrix_synapse_usage_exporter_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [] }}"
 matrix_synapse_usage_exporter_container_labels_traefik_enabled: "{{ matrix_synapse_usage_exporter_proxying_enabled }}"
 matrix_synapse_usage_exporter_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
 matrix_synapse_usage_exporter_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
 matrix_synapse_usage_exporter_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"
@@ -5530,6 +5529,7 @@ grafana_default_home_dashboard_path: |-
      'dendrite': ('/etc/grafana/dashboards/node-exporter-full.json' if prometheus_node_exporter_enabled else ''),
      'conduit': ('/etc/grafana/dashboards/node-exporter-full.json' if prometheus_node_exporter_enabled else ''),
      'continuwuity': ('/etc/grafana/dashboards/node-exporter-full.json' if prometheus_node_exporter_enabled else ''),
      'tuwunel': ('/etc/grafana/dashboards/node-exporter-full.json' if prometheus_node_exporter_enabled else ''),
    }[matrix_homeserver_implementation]
  }}
@@ -5539,75 +5539,6 @@ grafana_default_home_dashboard_path: |-
 #
 ######################################################################
 ######################################################################
 #
 # matrix-registration
 #
 ######################################################################
 matrix_registration_enabled: false
 matrix_registration_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}"
 matrix_registration_hostname: "{{ matrix_server_fqn_matrix }}"
 matrix_registration_path_prefix: /matrix-registration
 matrix_registration_systemd_required_services_list_auto: |
  {{
    ([postgres_identifier ~ '.service'] if (postgres_enabled and matrix_registration_database_hostname == postgres_connection_hostname) else [])
  }}
 matrix_registration_container_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else matrix_registration_container_image_registry_prefix_upstream_default }}"
 matrix_registration_container_image_self_build: "{{ matrix_architecture != 'amd64' }}"
 matrix_registration_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '8767') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
 matrix_registration_container_network: "{{ matrix_addons_container_network }}"
 matrix_registration_container_additional_networks_auto: |-
  {{
    (
      ([] if matrix_addons_homeserver_container_network == '' else [matrix_addons_homeserver_container_network])
      +
      ([postgres_container_network] if (postgres_enabled and matrix_registration_database_hostname == postgres_connection_hostname and matrix_registration_container_network != postgres_container_network) else [])
      +
      ([matrix_playbook_reverse_proxyable_services_additional_network] if (matrix_playbook_reverse_proxyable_services_additional_network and matrix_registration_container_labels_traefik_enabled) else [])
    ) | unique
  }}
 matrix_registration_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
 matrix_registration_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
 matrix_registration_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
 matrix_registration_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"
 matrix_registration_riot_instance: "{{ (('https://' if matrix_playbook_ssl_enabled else 'http://') + matrix_server_fqn_element) if matrix_client_element_enabled else 'https://element.io/app/' }}"
 matrix_registration_shared_secret: |-
  {{
    {
      'synapse': matrix_synapse_registration_shared_secret | default (''),
      'dendrite': matrix_dendrite_client_api_registration_shared_secret | default (''),
      'conduit': '',
      'continuwuity': '',
    }[matrix_homeserver_implementation]
  }}
 matrix_registration_server_location: "{{ matrix_addons_homeserver_client_api_url }}"
 matrix_registration_api_validate_certs: "{{ matrix_playbook_ssl_enabled }}"
 # Postgres is the default, except if not using internal Postgres server
 matrix_registration_database_engine: "{{ 'postgres' if postgres_enabled else 'sqlite' }}"
 matrix_registration_database_hostname: "{{ postgres_connection_hostname if postgres_enabled else '' }}"
 matrix_registration_database_password: "{{ (matrix_homeserver_generic_secret_key + ':mx.registr.db') | hash('sha512') | to_uuid }}"
 ######################################################################
 #
 # /matrix-registration
 #
 ######################################################################
 ######################################################################
 #
 # matrix-dendrite
@@ -5760,6 +5691,12 @@ matrix_continuwuity_hostname: "{{ matrix_server_fqn_matrix }}"
 matrix_continuwuity_config_allow_federation: "{{ matrix_homeserver_federation_enabled }}"
 matrix_continuwuity_config_well_known_client: "{{ matrix_homeserver_url if matrix_playbook_ssl_enabled else '' }}"
 matrix_continuwuity_config_smtp_enabled: "{{ exim_relay_enabled }}"
 matrix_continuwuity_config_smtp_connection_uri: "{{ ('smtp://' ~ exim_relay_identifier ~ ':8025') if exim_relay_enabled else '' }}"
 matrix_continuwuity_config_smtp_sender: "{{ exim_relay_sender_address if exim_relay_enabled else '' }}"
 matrix_continuwuity_container_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else matrix_continuwuity_container_image_registry_prefix_upstream_default }}"
 matrix_continuwuity_container_network: "{{ matrix_homeserver_container_network }}"
@@ -5768,6 +5705,8 @@ matrix_continuwuity_container_additional_networks_auto: |
  {{
    (
      ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_continuwuity_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network else [])
      +
      ([exim_relay_container_network] if (exim_relay_enabled and matrix_continuwuity_config_smtp_enabled and matrix_continuwuity_config_smtp_connection_uri == ('smtp://' ~ exim_relay_identifier ~ ':8025') and matrix_continuwuity_container_network != exim_relay_container_network) else [])
    ) | unique
  }}
@@ -5795,6 +5734,11 @@ matrix_continuwuity_config_turn_password: "{{ coturn_lt_cred_mech_password if (c
 matrix_continuwuity_self_check_validate_certificates: "{{ matrix_playbook_ssl_enabled }}"
 matrix_continuwuity_systemd_wanted_services_list_auto: |
  {{
    ([exim_relay_identifier ~ '.service'] if (exim_relay_enabled and matrix_continuwuity_config_smtp_enabled and matrix_continuwuity_config_smtp_connection_uri == ('smtp://' ~ exim_relay_identifier ~ ':8025')) else [])
  }}
 ######################################################################
 #
 # /matrix-continuwuity
@@ -5802,6 +5746,67 @@ matrix_continuwuity_self_check_validate_certificates: "{{ matrix_playbook_ssl_en
 ######################################################################
 ######################################################################
 #
 # matrix-tuwunel
 #
 ######################################################################
 matrix_tuwunel_enabled: "{{ matrix_homeserver_implementation == 'tuwunel' }}"
 matrix_tuwunel_hostname: "{{ matrix_server_fqn_matrix }}"
 matrix_tuwunel_config_allow_federation: "{{ matrix_homeserver_federation_enabled }}"
 matrix_tuwunel_config_well_known_client: "{{ matrix_homeserver_url if matrix_playbook_ssl_enabled else '' }}"
 matrix_tuwunel_container_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else matrix_tuwunel_container_image_registry_prefix_upstream_default }}"
 matrix_tuwunel_container_network: "{{ matrix_homeserver_container_network }}"
 matrix_tuwunel_container_additional_networks_auto: |
  {{
    (
      ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_tuwunel_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network else [])
    ) | unique
  }}
 matrix_tuwunel_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and not matrix_synapse_workers_enabled }}"
 matrix_tuwunel_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
 matrix_tuwunel_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
 matrix_tuwunel_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"
 matrix_tuwunel_container_labels_public_client_root_redirection_enabled: "{{ matrix_tuwunel_container_labels_public_client_root_redirection_url != '' }}"
 matrix_tuwunel_container_labels_public_client_root_redirection_url: "{{ (('https://' if matrix_playbook_ssl_enabled else 'http://') + matrix_server_fqn_element) if matrix_client_element_enabled else '' }}"
 matrix_tuwunel_container_labels_public_federation_api_traefik_hostname: "{{ matrix_server_fqn_matrix_federation }}"
 matrix_tuwunel_container_labels_public_federation_api_traefik_entrypoints: "{{ matrix_federation_traefik_entrypoint_name }}"
 matrix_tuwunel_container_labels_public_federation_api_traefik_tls: "{{ matrix_federation_traefik_entrypoint_tls }}"
 matrix_tuwunel_container_labels_internal_client_api_enabled: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled }}"
 matrix_tuwunel_container_labels_internal_client_api_traefik_entrypoints: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name }}"
 matrix_tuwunel_config_well_known_livekit_url: "{{ matrix_livekit_jwt_service_public_url if matrix_livekit_jwt_service_enabled else '' }}"
 matrix_tuwunel_config_turn_uris: "{{ coturn_turn_uris if coturn_enabled else [] }}"
 matrix_tuwunel_config_turn_secret: "{{ coturn_turn_static_auth_secret if (coturn_enabled and coturn_authentication_method == 'auth-secret') else '' }}"
 matrix_tuwunel_config_turn_username: "{{ coturn_lt_cred_mech_username if (coturn_enabled and coturn_authentication_method == 'lt-cred-mech') else '' }}"
 matrix_tuwunel_config_turn_password: "{{ coturn_lt_cred_mech_password if (coturn_enabled and coturn_authentication_method == 'lt-cred-mech') else '' }}"
 matrix_tuwunel_self_check_validate_certificates: "{{ matrix_playbook_ssl_enabled }}"
 matrix_tuwunel_systemd_wanted_services_list_auto: |
  {{
    ([coturn_identifier ~ '.service'] if coturn_enabled else [])
  }}
 ######################################################################
 #
 # /matrix-tuwunel
 #
 ######################################################################
 ######################################################################
 #
 # matrix-user-creator
@@ -6310,7 +6315,6 @@ matrix_livekit_jwt_service_enabled: "{{ matrix_rtc_enabled and livekit_server_en
 matrix_livekit_jwt_service_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}"
 matrix_livekit_jwt_service_hostname: "{{ matrix_server_fqn_matrix }}"
 matrix_livekit_jwt_service_path_prefix: "/livekit-jwt-service"
 matrix_livekit_jwt_service_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}"
@@ -163,7 +163,7 @@ msgid "Granting Users the ability to use D4A"
 msgstr ""
 #: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:97
-msgid "Draupnir for all includes several security measures like that it only allows users that are on its allow list to ask for a bot. To add a user to this list we have 2 primary options. Using the chat to tell Draupnir to do this for us or if you want to automatically do it by sending `m.policy.rule.user` events that target the subject you want to allow provisioning for with the `org.matrix.mjolnir.allow` recomendation. Using the chat is recomended."
+msgid "Draupnir for all includes several security measures like that it only allows users that are on its allow list to ask for a bot. To add a user to this list we have 2 primary options. Using the chat to tell Draupnir to do this for us or if you want to automatically do it by sending `m.policy.rule.user` events that target the subject you want to allow provisioning for with the `org.matrix.mjolnir.allow` recomendation. Using the chat is recommended."
 msgstr ""
 #: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:99
@@ -162,7 +162,7 @@ msgid "Granting Users the ability to use D4A"
 msgstr ""
 #: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:97
-msgid "Draupnir for all includes several security measures like that it only allows users that are on its allow list to ask for a bot. To add a user to this list we have 2 primary options. Using the chat to tell Draupnir to do this for us or if you want to automatically do it by sending `m.policy.rule.user` events that target the subject you want to allow provisioning for with the `org.matrix.mjolnir.allow` recomendation. Using the chat is recomended."
+msgid "Draupnir for all includes several security measures like that it only allows users that are on its allow list to ask for a bot. To add a user to this list we have 2 primary options. Using the chat to tell Draupnir to do this for us or if you want to automatically do it by sending `m.policy.rule.user` events that target the subject you want to allow provisioning for with the `org.matrix.mjolnir.allow` recomendation. Using the chat is recommended."
 msgstr ""
 #: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:99
@@ -1,22 +1,22 @@
 alabaster==1.0.0
 babel==2.18.0
-certifi==2026.2.25
+certifi==2026.5.20
 charset-normalizer==3.4.7
-click==8.3.2
+click==8.4.0
 docutils==0.22.4
-idna==3.11
+idna==3.15
 imagesize==2.0.0
 Jinja2==3.1.6
 linkify-it-py==2.1.0
-markdown-it-py==4.0.0
+markdown-it-py==4.2.0
 MarkupSafe==3.0.3
-mdit-py-plugins==0.5.0
+mdit-py-plugins==0.6.1
 mdurl==0.1.2
-myst-parser==5.0.0
+myst-parser==5.1.0
-packaging==26.0
+packaging==26.2
 Pygments==2.20.0
 PyYAML==6.0.3
-requests==2.33.1
+requests==2.34.2
 setuptools==82.0.1
 snowballstemmer==3.0.1
 Sphinx==9.1.0
@@ -30,4 +30,4 @@ sphinxcontrib-qthelp==2.0.0
 sphinxcontrib-serializinghtml==2.0.0
 tabulate==0.10.0
 uc-micro-py==2.0.0
-urllib3==2.6.3
+urllib3==2.7.0
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-04-03 11:59+0100\n"
+"POT-Creation-Date: 2026-05-19 07:40+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -41,7 +41,7 @@ msgid "🎯 Purpose"
 msgstr ""
 #: ../../../README.md:7
-msgid "This [Ansible](https://www.ansible.com/) playbook is meant to help you run your own [Matrix](http://matrix.org/) homeserver, along with the [various services](#supported-services) related to that."
+msgid "This [Ansible](https://www.ansible.com/) playbook is meant to help you run your own [Matrix](http://matrix.org/) homeserver, along with the [various services](#-supported-services) related to that."
 msgstr ""
 #: ../../../README.md:9
@@ -188,6 +188,18 @@ msgstr ""
 msgid "[Link](docs/configuring-playbook-continuwuity.md)"
 msgstr ""
 #: ../../../README.md:0
 msgid "[Tuwunel](https://matrix-construct.github.io/tuwunel/)"
 msgstr ""
 #: ../../../README.md:0
 msgid "Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Tuwunel is the official successor to conduwuit."
 msgstr ""
 #: ../../../README.md:0
 msgid "[Link](docs/configuring-playbook-tuwunel.md)"
 msgstr ""
 #: ../../../README.md:0
 msgid "[Dendrite](https://github.com/element-hq/dendrite)"
 msgstr ""
@@ -200,11 +212,11 @@ msgstr ""
 msgid "[Link](docs/configuring-playbook-dendrite.md)"
 msgstr ""
-#: ../../../README.md:58
+#: ../../../README.md:59
 msgid "Clients"
 msgstr ""
-#: ../../../README.md:60
+#: ../../../README.md:61
 msgid "Web clients for Matrix that you can host on your own domains."
 msgstr ""
@@ -276,11 +288,11 @@ msgstr ""
 msgid "[Link](docs/configuring-playbook-client-fluffychat-web.md)"
 msgstr ""
-#: ../../../README.md:71
+#: ../../../README.md:72
 msgid "Server Components"
 msgstr ""
-#: ../../../README.md:73
+#: ../../../README.md:74
 msgid "Services that run on the server to make the various parts of your installation work."
 msgstr ""
@@ -368,11 +380,11 @@ msgstr ""
 msgid "[Link](docs/configuring-playbook-matrix-rtc.md)"
 msgstr ""
-#: ../../../README.md:85
+#: ../../../README.md:86
 msgid "Authentication"
 msgstr ""
-#: ../../../README.md:87
+#: ../../../README.md:88
 msgid "Extend and modify how users are authenticated on your homeserver."
 msgstr ""
@@ -424,18 +436,6 @@ msgstr ""
 msgid "[Link](docs/configuring-playbook-matrix-ldap-registration-proxy.md)"
 msgstr ""
 #: ../../../README.md:0
 msgid "[matrix-registration](https://github.com/ZerataX/matrix-registration)"
 msgstr ""
 #: ../../../README.md:0
 msgid "Simple python application to have a token based Matrix registration"
 msgstr ""
 #: ../../../README.md:0
 msgid "[Link](docs/configuring-playbook-matrix-registration.md)"
 msgstr ""
 #: ../../../README.md:0
 msgid "[Matrix User Verification Service](https://github.com/matrix-org/matrix-user-verification-service)"
 msgstr ""
@@ -617,7 +617,7 @@ msgid "[Link](docs/configuring-playbook-bridge-mautrix-googlechat.md)"
 msgstr ""
 #: ../../../README.md:0
-msgid "[mautrix-meta](https://github.com/mautrix/instagram)"
+msgid "[mautrix-meta](https://github.com/mautrix/meta)"
 msgstr ""
 #: ../../../README.md:0
@@ -748,6 +748,18 @@ msgstr ""
 msgid "[Link](docs/configuring-playbook-bridge-heisenbridge.md)"
 msgstr ""
 #: ../../../README.md:0
 msgid "[meshtastic-matrix-relay](https://github.com/jeremiah-k/meshtastic-matrix-relay)"
 msgstr ""
 #: ../../../README.md:0
 msgid "Bridge to [Meshtastic](https://meshtastic.org/) mesh networks"
 msgstr ""
 #: ../../../README.md:0
 msgid "[Link](docs/configuring-playbook-bridge-meshtastic-relay.md)"
 msgstr ""
 #: ../../../README.md:0
 msgid "[mx-puppet-groupme](https://gitlab.com/xangelix-pub/matrix/mx-puppet-groupme)"
 msgstr ""
@@ -784,11 +796,11 @@ msgstr ""
 msgid "[Link](docs/configuring-playbook-bridge-postmoogle.md)"
 msgstr ""
-#: ../../../README.md:139
+#: ../../../README.md:140
 msgid "Bots"
 msgstr ""
-#: ../../../README.md:141
+#: ../../../README.md:142
 msgid "Bots provide various additional functionality to your installation."
 msgstr ""
@@ -888,11 +900,11 @@ msgstr ""
 msgid "[Link](docs/configuring-playbook-bot-buscarron.md)"
 msgstr ""
-#: ../../../README.md:154
+#: ../../../README.md:155
 msgid "Administration"
 msgstr ""
-#: ../../../README.md:156
+#: ../../../README.md:157
 msgid "Services that help you in administrating and monitoring your Matrix installation."
 msgstr ""
@@ -980,11 +992,11 @@ msgstr ""
 msgid "[Link](docs/configuring-playbook-synapse-usage-exporter.md)"
 msgstr ""
-#: ../../../README.md:168
+#: ../../../README.md:169
 msgid "Misc"
 msgstr ""
-#: ../../../README.md:170
+#: ../../../README.md:171
 msgid "Various services that don't fit any other categories."
 msgstr ""
@@ -1108,54 +1120,54 @@ msgstr ""
 msgid "[Link](docs/configuring-playbook-element-call.md)"
 msgstr ""
-#: ../../../README.md:185
+#: ../../../README.md:186
 msgid "🆕 Changes"
 msgstr ""
-#: ../../../README.md:187
+#: ../../../README.md:188
 msgid "This playbook evolves over time, sometimes with backward-incompatible changes."
 msgstr ""
-#: ../../../README.md:189
+#: ../../../README.md:190
 msgid "When updating the playbook, refer to [the changelog](CHANGELOG.md) to catch up with what's new."
 msgstr ""
-#: ../../../README.md:191
+#: ../../../README.md:192
 msgid "🆘 Support"
 msgstr ""
-#: ../../../README.md:193
+#: ../../../README.md:194
 msgid "Matrix room: [#matrix-docker-ansible-deploy:devture.com](https://matrix.to/#/#matrix-docker-ansible-deploy:devture.com)"
 msgstr ""
-#: ../../../README.md:195
+#: ../../../README.md:196
 msgid "IRC channel: `#matrix-docker-ansible-deploy` on the [Libera Chat](https://libera.chat/) IRC network (irc.libera.chat:6697)"
 msgstr ""
-#: ../../../README.md:197
+#: ../../../README.md:198
 msgid "GitHub issues: [spantaleev/matrix-docker-ansible-deploy/issues](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues)"
 msgstr ""
-#: ../../../README.md:199
+#: ../../../README.md:200
 msgid "🌐 Translation"
 msgstr ""
-#: ../../../README.md:201
+#: ../../../README.md:202
 msgid "See the [i18n/README.md](i18n/README.md) file for more information about translation."
 msgstr ""
-#: ../../../README.md:203
+#: ../../../README.md:204
 msgid "Translations are still work in progress."
 msgstr ""
-#: ../../../README.md:205
+#: ../../../README.md:206
 msgid "🤝 Related"
 msgstr ""
-#: ../../../README.md:207
+#: ../../../README.md:208
 msgid "You may also be interested in [mash-playbook](https://github.com/mother-of-all-self-hosting/mash-playbook) - another Ansible playbook for self-hosting non-Matrix services (see its [List of supported services](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/supported-services.md))."
 msgstr ""
-#: ../../../README.md:209
+#: ../../../README.md:210
 msgid "mash-playbook also makes use of [Traefik](./docs/configuring-playbook-traefik.md) as its reverse-proxy, so with minor [interoperability adjustments](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/interoperability.md), you can make matrix-docker-ansible-deploy and mash-playbook co-exist and host Matrix and non-Matrix services on the same server."
 msgstr ""
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-13 10:32+0000\n"
+"POT-Creation-Date: 2026-05-19 07:40+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -48,8 +48,8 @@ msgstr ""
 msgid "If your distro ships with an Ansible version older than this, you may run into issues. Consider [Upgrading Ansible](#upgrading-ansible) or [using Ansible via Docker](#using-ansible-via-docker)."
 msgstr ""
-#: ../../../docs/ansible.md:27
+#: ../../../docs/ansible.md:28
-msgid "[!WARNING] One reason for the version requirement being as such is that the playbook by default installs Docker for you using [this Docker role](https://github.com/geerlingguy/ansible-role-docker) which [has a hard requirement on Ansible v2.15.1](https://github.com/geerlingguy/ansible-role-docker/commit/7f44a1d9ad8132819ea9852918bca5dab8757cd0). If you install Docker yourself another way, you can tell the playbook to skip running this role (by adding `matrix_playbook_docker_installation_enabled: false` to your `vars.yml` configuration). It may then be possible to get the playbook running on an older version of Ansible. Still, this is a complication and your mileage may vary. We recommend [upgrading Ansible](#upgrading-ansible) instead of going into uncharted territory."
+msgid "One reason for the version requirement being as such is that the playbook by default installs Docker for you using [this Docker role](https://github.com/geerlingguy/ansible-role-docker) which [has a hard requirement on Ansible v2.15.1](https://github.com/geerlingguy/ansible-role-docker/commit/7f44a1d9ad8132819ea9852918bca5dab8757cd0). If you install Docker yourself another way, you can tell the playbook to skip running this role (by adding `matrix_playbook_docker_installation_enabled: false` to your `vars.yml` configuration). It may then be possible to get the playbook running on an older version of Ansible. Still, this is a complication and your mileage may vary. We recommend [upgrading Ansible](#upgrading-ansible) instead of going into uncharted territory."
 msgstr ""
 #: ../../../docs/ansible.md:30
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-13 10:32+0000\n"
+"POT-Creation-Date: 2026-05-19 07:40+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -96,8 +96,8 @@ msgstr ""
 msgid "traffic destined for the IPv6 address of the server will be forwarded to the containers that handle (and publish) that specific port"
 msgstr ""
-#: ../../../docs/configuring-ipv6.md:59
+#: ../../../docs/configuring-ipv6.md:60
-msgid "[!WARNING] Without enabling this and assuming you have IPv6 `AAAA` DNS records pointing to the server (see [Configuring DNS records for IPv6](#configuring-dns-records-for-ipv6)), IPv6 traffic will still be handled, but NAT64 will be used instead of NAT66. As such, containers will only have an IPv4 address and all IPv6 traffic that reaches them will seem to originate from a local IP. Containers also won't be able to make outgoing (even cross-container) IPv6 requests."
+msgid "Without enabling this and assuming you have IPv6 `AAAA` DNS records pointing to the server (see [Configuring DNS records for IPv6](#configuring-dns-records-for-ipv6)), IPv6 traffic will still be handled, but NAT64 will be used instead of NAT66. As such, containers will only have an IPv4 address and all IPv6 traffic that reaches them will seem to originate from a local IP. Containers also won't be able to make outgoing (even cross-container) IPv6 requests."
 msgstr ""
 #: ../../../docs/configuring-ipv6.md:63
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-13 10:32+0000\n"
+"POT-Creation-Date: 2026-05-19 07:40+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -64,8 +64,8 @@ msgstr ""
 msgid "The bot requires an access token to be able to connect to your homeserver. Refer to the documentation on [how to obtain an access token](obtaining-access-tokens.md)."
 msgstr ""
-#: ../../../docs/configuring-playbook-alertmanager-receiver.md:37
+#: ../../../docs/configuring-playbook-alertmanager-receiver.md:38
-msgid "[!WARNING] Access tokens are sensitive information. Do not include them in any bug reports, messages, or logs. Do not share the access token with anyone."
+msgid "Access tokens are sensitive information. Do not include them in any bug reports, messages, or logs. Do not share the access token with anyone."
 msgstr ""
 #: ../../../docs/configuring-playbook-alertmanager-receiver.md:40
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-13 10:32+0000\n"
+"POT-Creation-Date: 2026-05-19 07:40+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -16,167 +16,215 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:8
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:9
 msgid "Setting up Draupnir for All/D4A (optional)"
 msgstr ""
-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:10
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:11
 msgid "The playbook can install and configure the [Draupnir](https://github.com/the-draupnir-project/Draupnir) moderation tool for you in appservice mode."
 msgstr ""
-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:12
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:13
 msgid "Appservice mode can be used together with the regular [Draupnir bot](configuring-playbook-bot-draupnir.md) or independently. Details about the differences between the 2 modes are described below."
 msgstr ""
-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:14
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:15
 msgid "Draupnir Appservice mode compared to Draupnir bot mode"
 msgstr ""
-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:16
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:17
-msgid "The administrative functions for managing the appservice are alpha quality and very limited. However, the experience of using an appservice-provisioned Draupnir is on par with the experience of using Draupnir from bot mode except in the case of avatar customisation as described later on in this document."
+msgid "The administrative functions for managing the appservice are alpha quality and very limited. However, the experience of using an appservice-provisioned Draupnir is on par with the experience of using Draupnir from bot mode."
 msgstr ""
-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:18
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:19
-msgid "Draupnir for all is the way to go if you need more than 1 Draupnir instance, but you don't need access to Synapse Admin features as they are not accessible through Draupnir for All (Even though the commands do show up in help)."
+msgid "Draupnir for all is the way to go if you need more than 1 Draupnir instance, but you don't need access to Synapse Admin features as they are not accessible through Draupnir for All."
 msgstr ""
-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:20
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:21
 msgid "Draupnir for all in the playbook is rate-limit-exempt automatically as its appservice configuration file does not specify any rate limits."
 msgstr ""
-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:22
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:23
-msgid "Normal Draupnir does come with the benefit of access to Synapse Admin features. You are also able to more easily customise your normal Draupnir than D4A as D4A even on the branch with the Avatar command (To be Upstreamed to Mainline Draupnir) that command is clunky as it requires the use of things like Element Web devtools. In normal Draupnir this is a quick operation where you login to Draupnir with a normal client and set Avatar and Display name normally."
+msgid "Normal Draupnir does come with the benefit of access to Synapse Admin features. You are also able to more easily customise your normal Draupnir than D4A as the avatar command is clunky as it requires the use of things like Element Web devtools. In normal Draupnir this can be done while logged in to the Draupnir account with a normal client and set Avatar and Display name normally."
 msgstr ""
-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:24
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:25
-msgid "Draupnir for all does not support external tooling like [MRU](https://mru.rory.gay) as it can't access Draupnir's user account."
+msgid "Draupnir for all only has limited support for external tooling like [MRU](https://mru.rory.gay) as it can't access Draupnir's user account."
 msgstr ""
-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:26
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:27
 msgid "Prerequisites"
 msgstr ""
-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:28
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:29
-msgid "Create a main management room"
+msgid "Prerequisites for Zero Touch Deployment (recommended)"
 msgstr ""
-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:30
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:31
-msgid "The playbook does not create a management room for your Main Draupnir. You **need to create the room manually** before setting up the bot."
+msgid "As of Draupnir 3.1.0, Zero Touch Deployment of Draupnir Appservice Mode (Draupnir for all) requires you to supply the following:"
 msgstr ""
-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:32
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:33
-msgid "Note that the room must be unencrypted."
+msgid "MXID of the first person who gets invited to the admin room that the bot creates for you."
 msgstr ""
-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:34
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:35
-msgid "The management room has to be given an alias, and your bot has to be invited to the room."
+msgid "That is all. The appservice manages everything on its own after you provide it with an MXID to invite."
 msgstr ""
-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:36
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:37
-msgid "This management room is used to control who has access to your D4A deployment. The room stores this data inside of the control room state so your bot must have sufficient powerlevel to send custom state events. This is default 50 or moderator as Element clients call this powerlevel."
+msgid "If proceeding with Zero Touch Deployment, skip ahead to [Adjusting the playbook configuration](#adjusting-the-playbook-configuration)."
 msgstr ""
-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:38
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:39
-msgid "[!WARNING] Anyone in this room can control the bot so it is important that you only invite trusted users to this room."
+msgid "Create an admin room (optional)"
 msgstr ""
 #: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:41
-msgid "Adjusting the playbook configuration"
+msgid "The playbook does not create an admin room for your Draupnir, but the appservice itself can do this for you. Alternatively, you **can create the room manually** before setting up the bot."
 msgstr ""
 #: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:43
-msgid "Add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file. Make sure to replace `MANAGEMENT_ROOM_ALIAS_HERE`."
+msgid "Note that the room must be unencrypted."
 msgstr ""
-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:51
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:45
 msgid "The admin room has to be given an alias, and your bot has to be invited to the room."
 msgstr ""
 #: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:47
 msgid "This admin room is used to control who has access to your D4A deployment. The room stores this data in the control room state, so your bot must have sufficient power level to send custom state events. This is `50` by default (moderator, as Element clients call this power level)."
 msgstr ""
 #: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:50
 msgid "Anyone in this room can control the bot so it is important that you only invite trusted users to this room."
 msgstr ""
 #: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:52
 msgid "Adjusting the playbook configuration"
 msgstr ""
 #: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:54
 msgid "When using Zero Touch Deployment, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file. Make sure to replace `INITIAL_MANAGER_MXID_HERE` with the MXID of the user who should be invited to the admin room first."
 msgstr ""
 #: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:64
 msgid "If opting out of Zero Touch Deployment, use the following configuration block instead. Make sure to replace `MANAGEMENT_ROOM_ALIAS_HERE` with the alias of the admin room you have created earlier."
 msgstr ""
 #: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:72
 msgid "Running both bot mode and appservice mode"
 msgstr ""
 #: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:74
 msgid "When running both [bot mode](./configuring-playbook-bot-draupnir.md) and appservice mode, the playbook will force-restart the bot if running a non-release tag like `latest` or `main` or a development build. This is due to the conditional restart logic not being able to reliably tell when an update happened."
 msgstr ""
 #: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:78
 msgid "Conditional restarts work correctly for all tags when running only one of these two operating modes."
 msgstr ""
 #: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:80
 msgid "Extending the configuration"
 msgstr ""
-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:53
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:82
 msgid "There are some additional things you may wish to configure about the component."
 msgstr ""
-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:55
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:84
 msgid "Take a look at:"
 msgstr ""
-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:57
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:86
 msgid "`roles/custom/matrix-appservice-draupnir-for-all/defaults/main.yml` for some variables that you can customize via your `vars.yml` file. You can override settings (even those that don't have dedicated playbook variables) using the `matrix_appservice_draupnir_for_all_configuration_extension_yaml` variable"
 msgstr ""
-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:59
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:88
 msgid "For example, to change Draupnir's `protectAllJoinedRooms` option to `true`, add the following configuration to your `vars.yml` file:"
 msgstr ""
-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:73
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:102
 msgid "You can refer to the upstream [documentation](https://github.com/the-draupnir-project/Draupnir) for more configuration documentation."
 msgstr ""
-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:75
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:104
-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:90
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:119
 msgid "**Notes**:"
 msgstr ""
-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:77
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:106
 msgid "The playbook ships a full copy of the example config that does transfer to provisioned Draupnirs in the production-bots.yaml.j2 file in the template directory of the role."
 msgstr ""
-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:79
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:108
 msgid "Config extension does not affect the appservices config as this config is not extensible in current Draupnir anyway. It instead touches the config passed to the Draupnirs that your Appservice creates. So the example above (`protectAllJoinedRooms: true`) makes all provisioned Draupnirs protect all joined rooms."
 msgstr ""
-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:81
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:110
 msgid "Installing"
 msgstr ""
-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:83
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:112
 msgid "After configuring the playbook, run it with [playbook tags](playbook-tags.md) as below:"
 msgstr ""
-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:92
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:121
 msgid "The shortcut commands with the [`just` program](just.md) are also available: `just install-all` or `just setup-all`"
 msgstr ""
-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:94
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:123
 msgid "`just install-all` is useful for maintaining your setup quickly ([2x-5x faster](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) than `just setup-all`) when its components remain unchanged. If you adjust your `vars.yml` to remove other components, you'd need to run `just setup-all`, or these components will still remain installed."
 msgstr ""
-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:96
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:125
 msgid "Usage"
 msgstr ""
-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:98
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:127
-msgid "If you made it through all the steps above and your main control room was joined by a user called `@draupnir-main:example.com` you have successfully installed Draupnir for All and can now start using it."
+msgid "If you made it through all the steps above and your main control room was joined by a user called `@draupnir-main:example.com`, you have successfully installed Draupnir for All and can now start using it."
 msgstr ""
-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:100
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:129
-msgid "The installation of Draupnir for all in this playbook is very much Alpha quality. Usage-wise, Draupnir for all is almost identical to Draupnir bot mode."
+msgid "If using Zero Touch Deployment, the flow is reversed and the success signal is the initial manager account being invited to the admin room."
 msgstr ""
-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:102
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:131
 msgid "Draupnir for all installation via this playbook is very much Alpha quality. Usage-wise, Draupnir for all is almost identical to Draupnir bot mode, except that protections requiring homeserver admin access are not available, and the config file is shared between all bots so legacy protections like wordlist share a single global config."
 msgstr ""
 #: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:133
 msgid "Granting Users the ability to use D4A"
 msgstr ""
-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:104
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:135
 msgid "Draupnir for all includes several security measures like that it only allows users that are on its allow list to ask for a bot. To add a user to this list we have 2 primary options. Using the chat to tell Draupnir to do this for us or if you want to automatically do it by sending `m.policy.rule.user` events that target the subject you want to allow provisioning for with the `org.matrix.mjolnir.allow` recommendation. Using the chat is recommended."
 msgstr ""
-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:106
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:137
-msgid "The bot requires a powerlevel of 50 in the management room to control who is allowed to use the bot. The bot does currently not say anything if this is true or false. (This is considered a bug and is documented in issue [#297](https://github.com/the-draupnir-project/Draupnir/issues/297))"
+msgid "The bot requires a power level of 50 in the management room to control who is allowed to use the bot. The bot does currently not say anything if this is true or false. (This is considered a bug and is documented in issue [#297](https://github.com/the-draupnir-project/Draupnir/issues/297).) This issue is largely mitigated by the Zero Touch Deployment workflows introduced in Draupnir 3.1.0."
 msgstr ""
-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:108
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:139
-msgid "To allow users or whole homeservers you type /plain !admin allow `target` and target can be either a MXID or a wildcard like `@*:example.com` to allow all users on example.com to register. We use /plain to force the client to not attempt to mess with this command as it can break Wildcard commands especially."
+msgid "To allow users or whole homeservers you type /plain !admin allow `target` and target can be either a MXID or a wildcard like `@*:example.com` to allow all users on example.com to provision a bot. We use /plain to force the client to not attempt to mess with this command as it can break Wildcard commands especially."
 msgstr ""
-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:110
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:141
 msgid "How to provision a D4A once you are allowed to"
 msgstr ""
-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:112
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:143
-msgid "To provision a D4A, you need to start a chat with `@draupnir-main:example.com`. The bot will reject this invite and you will shortly get invited to the Draupnir control room for your newly provisioned Draupnir. From here its just a normal Draupnir experience."
+msgid "Once someone is allowed to provision a bot, simply provision them one with `!admin provision MXID`."
 msgstr ""
-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:114
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:145
-msgid "Congratulations if you made it all the way here because you now have a fully working Draupnir for all deployment."
+msgid "Self-service provisioning is disabled as a security measure because it is currently bugged. Force-provisioning (with `!admin provision`) bypasses this disabled status."
 msgstr ""
 #: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:147
 msgid "Note that you should always make sure there is an allow entry matching whoever is provisioned, because once self-service is fixed, the bot of anyone who is not allowed to provision a bot will refuse to start."
 msgstr ""
 #: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:149
 msgid "Congratulations if you made it all the way here, because you now have a fully working Draupnir for all deployment."
 msgstr ""
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-04-03 11:56+0100\n"
+"POT-Creation-Date: 2026-05-19 07:40+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -16,419 +16,487 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-#: ../../../docs/configuring-playbook-bot-draupnir.md:10
+#: ../../../docs/configuring-playbook-bot-draupnir.md:11
 msgid "Setting up Draupnir (optional)"
 msgstr ""
-#: ../../../docs/configuring-playbook-bot-draupnir.md:12
+#: ../../../docs/configuring-playbook-bot-draupnir.md:13
 msgid "The playbook can install and configure the [Draupnir](https://github.com/the-draupnir-project/Draupnir) moderation bot for you."
 msgstr ""
-#: ../../../docs/configuring-playbook-bot-draupnir.md:14
+#: ../../../docs/configuring-playbook-bot-draupnir.md:15
 msgid "See the project's [documentation](https://the-draupnir-project.github.io/draupnir-documentation/) to learn what it does and why it might be useful to you."
 msgstr ""
-#: ../../../docs/configuring-playbook-bot-draupnir.md:16
+#: ../../../docs/configuring-playbook-bot-draupnir.md:17
 msgid "This documentation page is about installing Draupnir in bot mode. As an alternative, you can run a multi-instance Draupnir deployment by installing [Draupnir in appservice mode](./configuring-playbook-appservice-draupnir-for-all.md) (called Draupnir-for-all) instead."
 msgstr ""
-#: ../../../docs/configuring-playbook-bot-draupnir.md:18
+#: ../../../docs/configuring-playbook-bot-draupnir.md:19
 msgid "If your migrating from [Mjolnir](configuring-playbook-bot-mjolnir.md), skip to [this section](#migrating-from-mjolnir-only-required-if-migrating)."
 msgstr ""
-#: ../../../docs/configuring-playbook-bot-draupnir.md:20
+#: ../../../docs/configuring-playbook-bot-draupnir.md:21
 msgid "Prerequisites"
 msgstr ""
-#: ../../../docs/configuring-playbook-bot-draupnir.md:22
+#: ../../../docs/configuring-playbook-bot-draupnir.md:23
-msgid "Create a management room"
+msgid "Prerequisites for Zero Touch Deployment (recommended)"
 msgstr ""
-#: ../../../docs/configuring-playbook-bot-draupnir.md:24
+#: ../../../docs/configuring-playbook-bot-draupnir.md:25
-msgid "Using your own account, create a new invite only room that you will use to manage the bot. This is the room where you will see the status of the bot and where you will send commands to the bot, such as the command to ban a user from another room."
+msgid "As of Draupnir 3.1.0, Zero Touch Deployment of Draupnir bot mode requires you to supply the following:"
 msgstr ""
-#: ../../../docs/configuring-playbook-bot-draupnir.md:26
+#: ../../../docs/configuring-playbook-bot-draupnir.md:27
-msgid "[!WARNING] Anyone in this room can control the bot so it is important that you only invite trusted users to this room."
+msgid "MXID of the first person who gets invited to the management room that the bot creates for you."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:28
 msgid "A permanent access token for authentication. Instructions for obtaining one can be found at [obtain an access token via curl](obtaining-access-tokens.md#obtain-an-access-token-via-curl)."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:29
-msgid "It is possible to make the management room encrypted (E2EE). If doing so, then you need to enable the native E2EE support (see [below](#native-e2ee-support))."
+msgid "A user account for Draupnir."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:31
-msgid "Once you have created the room you need to copy the room ID so you can specify it on your `inventory/host_vars/matrix.example.com/vars.yml` file. In Element Web you can check the ID by going to the room's settings and clicking \"Advanced\". The room ID will look something like `!qporfwt:example.com`."
+msgid "Zero Touch Deployment is the officially preferred installation method for new deployments of Draupnir as of 3.1.0."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:33
-msgid "End-to-End Encryption support"
+msgid "Create a management room (optional)"
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:35
 msgid "Using your own account, create a new invite only room that you will use to manage the bot. This is the room where you will see the status of the bot and where you will send commands to the bot, such as the command to ban a user from another room."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:38
 msgid "Anyone in this room can control the bot so it is important that you only invite trusted users to this room."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:40
 msgid "It is possible to make the management room encrypted (E2EE). If doing so, then you need to enable the native E2EE support (see [below](#native-e2ee-support))."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:42
 msgid "E2EE support for the management room is mutually exclusive with Zero Touch Deployment of Draupnir."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:44
 msgid "Once you have created the room you need to copy the room ID so you can specify it on your `inventory/host_vars/matrix.example.com/vars.yml` file. In Element Web you can check the ID by going to the room's settings and clicking \"Advanced\". The room ID will look something like `!qporfwt:example.com`."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:46
 msgid "End-to-End Encryption support"
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:48
 msgid "Decide whether you want to support having an encrypted management room or not. Draupnir can still protect encrypted rooms without encryption support enabled."
 msgstr ""
-#: ../../../docs/configuring-playbook-bot-draupnir.md:37
+#: ../../../docs/configuring-playbook-bot-draupnir.md:50
 msgid "Refer to Draupnir's [documentation](https://the-draupnir-project.github.io/draupnir-documentation/moderator/managing-protected-rooms#protecting-encrypted-rooms) for more details about why you might want to care about encryption support for protected rooms."
 msgstr ""
-#: ../../../docs/configuring-playbook-bot-draupnir.md:39
+#: ../../../docs/configuring-playbook-bot-draupnir.md:52
 msgid "Disable Pantalaimon for Draupnir (since v2.0.0; optional)"
 msgstr ""
-#: ../../../docs/configuring-playbook-bot-draupnir.md:41
+#: ../../../docs/configuring-playbook-bot-draupnir.md:54
 msgid "It is known that running Draupnir along with Pantalaimon breaks all workflows that involve answering prompts with reactions."
 msgstr ""
-#: ../../../docs/configuring-playbook-bot-draupnir.md:43
+#: ../../../docs/configuring-playbook-bot-draupnir.md:56
 msgid "If you are updating Draupnir from v1.x.x and have enabled Pantalaimon for it, you can disable Pantalaimon in favor of the native E2EE support. To disable Pantalaimon, remove the configuration `matrix_bot_draupnir_pantalaimon_use: true` from your `vars.yml` file."
 msgstr ""
-#: ../../../docs/configuring-playbook-bot-draupnir.md:45
+#: ../../../docs/configuring-playbook-bot-draupnir.md:58
 msgid "**Note**: because the management room is still encrypted, disabling it without enabling the native E2EE support will break the management room."
 msgstr ""
-#: ../../../docs/configuring-playbook-bot-draupnir.md:47
+#: ../../../docs/configuring-playbook-bot-draupnir.md:60
 msgid "Native E2EE support"
 msgstr ""
-#: ../../../docs/configuring-playbook-bot-draupnir.md:49
+#: ../../../docs/configuring-playbook-bot-draupnir.md:62
 msgid "To enable the native E2EE support, you need to obtain an access token for Draupnir and set it on your `vars.yml` file."
 msgstr ""
-#: ../../../docs/configuring-playbook-bot-draupnir.md:51
+#: ../../../docs/configuring-playbook-bot-draupnir.md:64
 msgid "Note that native E2EE requires a clean access token that has not touched E2EE so curl is recommended as a method to obtain it. **The access token obtained via Element Web does not work with it**. Refer to the documentation on [how to obtain an access token via curl](obtaining-access-tokens.md#obtain-an-access-token-via-curl)."
 msgstr ""
-#: ../../../docs/configuring-playbook-bot-draupnir.md:53
+#: ../../../docs/configuring-playbook-bot-draupnir.md:66
 msgid "To enable the native E2EE support, add the following configuration to your `vars.yml` file. Make sure to replace `CLEAN_ACCESS_TOKEN_HERE` with the access token you obtained just now."
 msgstr ""
-#: ../../../docs/configuring-playbook-bot-draupnir.md:64
+#: ../../../docs/configuring-playbook-bot-draupnir.md:77
 msgid "Adjusting the playbook configuration"
 msgstr ""
-#: ../../../docs/configuring-playbook-bot-draupnir.md:66
+#: ../../../docs/configuring-playbook-bot-draupnir.md:79
-msgid "To enable the bot, add the following configuration to your `vars.yml` file. Make sure to replace `MANAGEMENT_ROOM_ID_HERE` with the one of the room which you have created earlier."
+msgid "Configuration for Zero Touch Deployment (recommended)"
 msgstr ""
-#: ../../../docs/configuring-playbook-bot-draupnir.md:85
+#: ../../../docs/configuring-playbook-bot-draupnir.md:81
-msgid "Create and invite the bot to the management room"
+msgid "To enable the bot using Zero Touch Deployment, add the following configuration to your `vars.yml` file. Make sure to replace `INITIAL_MANAGER_MXID_HERE` with the MXID of the user who should be invited to the management room first, and `CLEAN_ACCESS_TOKEN_HERE` with the access token you obtained."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:87
 msgid "Before proceeding to the next step, run the playbook with the following command to create the bot user."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:93
 msgid "**Note**: the `ensure-matrix-users-created` playbook tag makes the playbook automatically create the bot's user account."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:95
-msgid "Then, invite the bot (`@bot.draupnir:example.com`) to its management room which you have created earlier."
+msgid "Configuration without Zero Touch Deployment"
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:97
-msgid "Make sure the account is free from rate limiting (optional, recommended)"
+msgid "If you'd prefer to have the bot manage its own login at the cost of having to create the management room manually, you can use native login with the configuration block below. Make sure to replace `MANAGEMENT_ROOM_ID_HERE` with the ID of the management room you have created earlier."
 msgstr ""
-#: ../../../docs/configuring-playbook-bot-draupnir.md:99
+#: ../../../docs/configuring-playbook-bot-draupnir.md:116
-msgid "If your homeserver's implementation is Synapse, you will need to prevent it from rate limiting the bot's account. **This is a highly recommended step. If you do not configure it, Draupnir performance will be degraded.**"
+msgid "Running both bot mode and appservice mode"
 msgstr ""
-#: ../../../docs/configuring-playbook-bot-draupnir.md:101
+#: ../../../docs/configuring-playbook-bot-draupnir.md:118
-msgid "This can be done using Synapse's [Admin APIs](https://element-hq.github.io/synapse/latest/admin_api/user_admin_api.html#override-ratelimiting-for-users). They can be accessed both externally and internally."
+msgid "When running both bot mode and [appservice mode (Draupnir for all)](./configuring-playbook-appservice-draupnir-for-all.md), the playbook will force-restart the bot if running a non-release tag like `latest` or `main` or a development build. This is due to the conditional restart logic not being able to reliably tell when an update happened."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:103
 msgid "**Note**: access to the APIs is restricted with a valid access token, so exposing them publicly should not be a real security concern. Still, doing so is not recommended for additional security. See [official Synapse reverse-proxying recommendations](https://element-hq.github.io/synapse/latest/reverse_proxy.html#synapse-administration-endpoints)."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:105
 msgid "The APIs can also be accessed via [Ketesa](https://github.com/etkecc/ketesa), a web UI tool you can use to administrate users, rooms, media, etc. on your Matrix server. The playbook can install and configure Ketesa for you. For details about it, see [this page](configuring-playbook-ketesa.md)."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:107
 msgid "Add the configuration"
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:109
 msgid "To expose the APIs publicly, add the following configuration to your `vars.yml` file:"
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:115
 msgid "Obtain an access token for admin account"
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:117
 msgid "Manual access to Synapse's Admin APIs requires an access token for a homeserver admin account. Refer to the documentation on [how to obtain an access token](obtaining-access-tokens.md)."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:119
 msgid "[!WARNING] Access tokens are sensitive information. Do not include them in any bug reports, messages, or logs. Do not share the access token with anyone."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:122
-msgid "Run the `curl` command"
+msgid "Conditional restarts work correctly for all tags when running only one of these two operating modes."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:124
-msgid "To disable rate limiting, run the following command on systems that ship curl. Before running it, make sure to replace:"
+msgid "Create and invite the bot to the management room (only when using native login without Zero Touch Deployment)"
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:126
-msgid "`ADMIN_ACCESS_TOKEN_HERE` with the access token of the admin account"
+msgid "Before proceeding to the next step, run the playbook with the following command to create the bot user."
 msgstr ""
-#: ../../../docs/configuring-playbook-bot-draupnir.md:127
+#: ../../../docs/configuring-playbook-bot-draupnir.md:132
-msgid "`example.com` with your base domain"
+msgid "**Note**: the `ensure-matrix-users-created` playbook tag makes the playbook automatically create the bot's user account."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:128
 msgid "`@bot.draupnir:example.com` with the MXID of your Draupnir bot user"
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:134
-#: ../../../docs/configuring-playbook-bot-draupnir.md:207
+msgid "Then, invite the bot (`@bot.draupnir:example.com`) to its management room which you have created earlier."
 msgid "**Notes**:"
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:135
 msgid "This does not work on outdated Windows 10 as curl is not available there."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:136
-msgid "Even if the APIs are not exposed to the internet, you should still be able to run the command on the homeserver locally."
+msgid "Creating a user account for the bot (when using Zero Touch Deployment)"
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:138
-msgid "Abuse Reports"
+msgid "Since Zero Touch Deployment is not validated with native login, you will need to create the user account manually."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:140
-msgid "Draupnir can receive reports in the management room."
+msgid "Refer to [registering users](registering-users.md) for documentation on how to configure the user account."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:142
-msgid "The bot can intercept the report API endpoint of the client-server API, which requires integration with the reverse proxy in front of the homeserver. If you are using Traefik, this playbook can set this up for you:"
+msgid "Make sure the account is free from rate limiting (optional, recommended)"
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:144
 msgid "If your homeserver's implementation is Synapse, you will need to prevent it from rate limiting the bot's account. **This is a highly recommended step. If you do not configure it, Draupnir performance will be degraded.**"
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:146
 msgid "This can be done using Synapse's [Admin APIs](https://element-hq.github.io/synapse/latest/admin_api/user_admin_api.html#override-ratelimiting-for-users). They can be accessed both externally and internally."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:148
-msgid "Enabling synapse-http-antispam support"
+msgid "**Note**: access to the APIs is restricted with a valid access token, so exposing them publicly should not be a real security concern. Still, doing so is not recommended for additional security. See [official Synapse reverse-proxying recommendations](https://element-hq.github.io/synapse/latest/reverse_proxy.html#synapse-administration-endpoints)."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:150
-msgid "Certain protections in Draupnir require the [synapse-http-antispam](https://github.com/maunium/synapse-http-antispam) module and a Synapse homeserver plus homeserver admin status to function. This module can be enabled in the playbook via setting `matrix_bot_draupnir_config_web_synapseHTTPAntispam_enabled` to `true` and making sure that Draupnir admin API access is enabled."
+msgid "The APIs can also be accessed via [Ketesa](https://github.com/etkecc/ketesa), a web UI tool you can use to administrate users, rooms, media, etc. on your Matrix server. The playbook can install and configure Ketesa for you. For details about it, see [this page](configuring-playbook-ketesa.md)."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:152
 msgid "Add the configuration"
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:154
 msgid "This is automatically done if Ketesa is enabled. Otherwise, to expose the APIs publicly, add the following configuration to your `vars.yml` file:"
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:160
-msgid "These protections need to be manually activated and consulting the [enabling protections](#enabling-built-in-protections) guide can be helpful or consulting upstream documentation."
+msgid "Obtain an access token for admin account"
 msgstr ""
-#: ../../../docs/configuring-playbook-bot-draupnir.md:168
+#: ../../../docs/configuring-playbook-bot-draupnir.md:162
-msgid "Extending the configuration"
+msgid "Manual access to Synapse's Admin APIs requires an access token for a homeserver admin account. Refer to the documentation on [how to obtain an access token](obtaining-access-tokens.md)."
 msgstr ""
-#: ../../../docs/configuring-playbook-bot-draupnir.md:170
+#: ../../../docs/configuring-playbook-bot-draupnir.md:165
-msgid "There are some additional things you may wish to configure about the bot."
+msgid "Access tokens are sensitive information. Do not include them in any bug reports, messages, or logs. Do not share the access token with anyone."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:167
 msgid "Run the `curl` command"
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:169
 msgid "To disable rate limiting, run the following command on systems that ship curl. Before running it, make sure to replace:"
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:171
 msgid "`ADMIN_ACCESS_TOKEN_HERE` with the access token of the admin account"
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:172
-msgid "Take a look at:"
+msgid "`example.com` with your base domain"
 msgstr ""
-#: ../../../docs/configuring-playbook-bot-draupnir.md:174
+#: ../../../docs/configuring-playbook-bot-draupnir.md:173
-msgid "`roles/custom/matrix-bot-draupnir/defaults/main.yml` for some variables that you can customize via your `vars.yml` file. You can override settings (even those that don't have dedicated playbook variables) using the `matrix_bot_draupnir_configuration_extension_yaml` variable"
+msgid "`@bot.draupnir:example.com` with the MXID of your Draupnir bot user"
 msgstr ""
-#: ../../../docs/configuring-playbook-bot-draupnir.md:176
+#: ../../../docs/configuring-playbook-bot-draupnir.md:179
-msgid "For example, to change Draupnir's `acceptInvitesFromSpace` option to `!qporfwt:example.com`, add the following configuration to your `vars.yml` file:"
+#: ../../../docs/configuring-playbook-bot-draupnir.md:254
 msgid "**Notes**:"
 msgstr ""
-#: ../../../docs/configuring-playbook-bot-draupnir.md:190
+#: ../../../docs/configuring-playbook-bot-draupnir.md:181
-msgid "Migrating from Mjolnir (Only required if migrating)"
+msgid "This does not work on outdated Windows 10 as curl is not available there."
 msgstr ""
-#: ../../../docs/configuring-playbook-bot-draupnir.md:192
+#: ../../../docs/configuring-playbook-bot-draupnir.md:182
-msgid "Replace your `matrix_bot_mjolnir` config with `matrix_bot_draupnir` config. Also disable Mjolnir if you're doing migration."
+msgid "Even if the APIs are not exposed to the internet, you should still be able to run the command on the homeserver locally."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:184
 msgid "Abuse Reports"
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:186
 msgid "Draupnir can receive reports in the management room."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:188
 msgid "The bot can intercept the report API endpoint of the client-server API, which requires integration with the reverse proxy in front of the homeserver. If you are using Traefik, this playbook can set this up for you:"
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:194
-msgid "Note that Draupnir supports E2EE natively, so you can enable it instead of Pantalaimon. It is recommended to consult the instruction [here](#native-e2ee-support)."
+msgid "Enabling synapse-http-antispam support"
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:196
-msgid "That is all you need to do due to that Draupnir can complete migration on its own."
+msgid "Certain protections in Draupnir require the [synapse-http-antispam](https://github.com/maunium/synapse-http-antispam) module and a Synapse homeserver plus homeserver admin status to function. This module can be enabled in the playbook via setting `matrix_bot_draupnir_config_web_synapseHTTPAntispam_enabled` to `true` and making sure that Draupnir admin API access is enabled."
 msgstr ""
-#: ../../../docs/configuring-playbook-bot-draupnir.md:198
+#: ../../../docs/configuring-playbook-bot-draupnir.md:206
-msgid "Installing"
+msgid "These protections need to be manually activated. Consulting the [enabling protections](#enabling-built-in-protections) guide and/or upstream documentation can be helpful."
 msgstr ""
-#: ../../../docs/configuring-playbook-bot-draupnir.md:200
+#: ../../../docs/configuring-playbook-bot-draupnir.md:208
-msgid "After configuring the playbook, run it with [playbook tags](playbook-tags.md) as below:"
+msgid "The other method polls a Synapse Admin API endpoint, hence it is available only if using Synapse and if the Draupnir user is an admin. To enable it, set `pollReports: true` in your `vars.yml` file as below:"
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:209
 msgid "The `ensure-matrix-users-created` playbook tag makes the playbook automatically create the bot's user account."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:211
 msgid "The shortcut commands with the [`just` program](just.md) are also available: `just install-all` or `just setup-all`"
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:213
 msgid "`just install-all` is useful for maintaining your setup quickly ([2x-5x faster](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) than `just setup-all`) when its components remain unchanged. If you adjust your `vars.yml` to remove other components, you'd need to run `just setup-all`, or these components will still remain installed."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:215
-msgid "If you change the bot password (`matrix_bot_draupnir_password` in your `vars.yml` file) subsequently, the bot user's credentials on the homeserver won't be updated automatically. If you'd like to change the bot user's password, use a tool like [Ketesa](configuring-playbook-ketesa.md) to change it, and then update `matrix_bot_draupnir_password` to let the bot know its new password."
+msgid "Extending the configuration"
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:217
-msgid "Usage"
+msgid "There are some additional things you may wish to configure about the bot."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:219
-msgid "You can refer to the upstream [documentation](https://the-draupnir-project.github.io/draupnir-documentation/) for additional ways to use and configure Draupnir and for a more detailed usage guide."
+msgid "Take a look at:"
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:221
-msgid "Below is a **non-exhaustive quick-start guide** for the impatient."
+msgid "`roles/custom/matrix-bot-draupnir/defaults/main.yml` for some variables that you can customize via your `vars.yml` file. You can override settings (even those that don't have dedicated playbook variables) using the `matrix_bot_draupnir_configuration_extension_yaml` variable"
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:223
-msgid "Making Draupnir join and protect a room"
+msgid "For example, to change Draupnir's `acceptInvitesFromSpace` option to `!qporfwt:example.com`, add the following configuration to your `vars.yml` file:"
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:225
 msgid "Draupnir can be told to self-join public rooms, but it's better to follow this flow which works well for all kinds of rooms:"
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:227
 msgid "Invite the bot to the room manually ([inviting Draupnir to rooms](https://the-draupnir-project.github.io/draupnir-documentation/moderator/managing-protected-rooms#inviting-draupnir-to-rooms)). Before joining, the bot *may* ask for confirmation in the Management Room"
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:229
 msgid "[Give the bot permissions to do its job](#giving-draupnir-permissions-to-do-its-job)"
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:231
 msgid "Tell it to protect the room (using the [rooms command](https://the-draupnir-project.github.io/draupnir-documentation/moderator/managing-protected-rooms#using-the-draupnir-rooms-command)) by sending the following command to the Management Room: `!draupnir rooms add !qporfwt:example.com`"
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:233
 msgid "To have Draupnir provide useful room protection, you need do to a bit more work (at least the first time around). You may wish to [Subscribe to a public policy list](#subscribing-to-a-public-policy-list), [Create your own own policy and rules](#creating-your-own-policy-lists-and-rules) and [Enabling built-in protections](#enabling-built-in-protections)."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:235
 msgid "Giving Draupnir permissions to do its job"
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:237
-msgid "For Draupnir to do its job, you need to [give it permissions](https://the-draupnir-project.github.io/draupnir-documentation/moderator/managing-protected-rooms#giving-draupnir-permissions) in rooms it's protecting. This involves **giving it an Administrator power level**."
+msgid "Migrating from Mjolnir (Only required if migrating)"
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:239
-msgid "**We recommend setting this power level as soon as the bot joins your room** (and before you create new rules), so that it can apply rules as soon as they are available. If the bot is under-privileged, it may fail to apply protections and may not retry for a while (or until your restart it)."
+msgid "Replace your `matrix_bot_mjolnir` config with `matrix_bot_draupnir` config. Also disable Mjolnir if you're doing migration."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:241
-msgid "Subscribing to a public policy list"
+msgid "Note that Draupnir supports E2EE natively, so you can enable it instead of Pantalaimon. It is recommended to consult the instruction [here](#native-e2ee-support)."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:243
-msgid "We recommend **subscribing to a public [policy list](https://the-draupnir-project.github.io/draupnir-documentation/concepts/policy-lists)** using the [watch command](https://the-draupnir-project.github.io/draupnir-documentation/moderator/managing-policy-lists#using-draupnirs-watch-command-to-subscribe-to-policy-rooms)."
+msgid "That is all you need to do due to that Draupnir can complete migration on its own."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:245
-msgid "Policy lists are maintained in Matrix rooms. Popular ones maintained in the public are:"
+msgid "Installing"
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:247
-msgid "`#community-moderation-effort-bl:neko.dev`"
+msgid "After configuring the playbook, run it with [playbook tags](playbook-tags.md) as below:"
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:248
 msgid "`#huginn-muninn-active-threats:feline.support`"
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:250
 msgid "You can tell Draupnir to subscribe to each of these by sending the following command to the Management Room: `!draupnir watch POLICY_LIST_ADDRESS_HERE` (e.g. `!draupnir watch #community-moderation-effort-bl:neko.dev`)"
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:252
 msgid "Creating your own policy lists and rules"
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:254
 msgid "We also recommend **creating your own policy lists** with the [list create](https://the-draupnir-project.github.io/draupnir-documentation/moderator/managing-policy-lists#using-draupnirs-list-create-command-to-create-a-policy-room) command."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:256
-msgid "You can do so by sending the following command to the Management Room: `!draupnir list create my-bans my-bans-bl`. This will create a policy list having a name (shortcode) of `my-bans` and stored in a public `#my-bans-bl:example.com` room on your server. As soon as you run this command, the bot will invite you to the policy list room."
+msgid "The `ensure-matrix-users-created` playbook tag makes the playbook automatically create the bot's user account."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:258
-msgid "A policy list does nothing by itself, so the next step is **adding some rules to your policy list**. Policies target a so-called `entity` (one of: `user`, `room` or `server`). These entities are mentioned on the [policy lists](https://the-draupnir-project.github.io/draupnir-documentation/concepts/policy-lists) documentation page and in the Matrix Spec [here](https://spec.matrix.org/v1.11/client-server-api/#mban-recommendation)."
+msgid "The shortcut commands with the [`just` program](just.md) are also available: `just install-all` or `just setup-all`"
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:260
-msgid "The simplest and most useful entity to target is `user`. Below are a few examples using the [ban command](https://the-draupnir-project.github.io/draupnir-documentation/moderator/managing-users#the-ban-command) and targeting users."
+msgid "`just install-all` is useful for maintaining your setup quickly ([2x-5x faster](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) than `just setup-all`) when its components remain unchanged. If you adjust your `vars.yml` to remove other components, you'd need to run `just setup-all`, or these components will still remain installed."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:262
-msgid "To create rules, you run commands in the Management Room (**not** in the policy list room)."
+msgid "If you change the bot password (`matrix_bot_draupnir_password` in your `vars.yml` file) subsequently, the bot user's credentials on the homeserver won't be updated automatically. If you'd like to change the bot user's password, use a tool like [Ketesa](configuring-playbook-ketesa.md) to change it, and then update `matrix_bot_draupnir_password` to let the bot know its new password."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:264
-msgid "(ban a single user on a given homeserver): `!draupnir ban @charles:example.com my-bans Rude to others`"
+msgid "Usage"
 msgstr ""
-#: ../../../docs/configuring-playbook-bot-draupnir.md:265
+#: ../../../docs/configuring-playbook-bot-draupnir.md:266
-msgid "(ban all users on a given homeserver by using a [wildcard](https://the-draupnir-project.github.io/draupnir-documentation/moderator/managing-users#wildcards)): `!draupnir ban @*:example.org my-bans Spam server, all users are fake`"
+msgid "You can refer to the upstream [documentation](https://the-draupnir-project.github.io/draupnir-documentation/) for additional ways to use and configure Draupnir and for a more detailed usage guide."
 msgstr ""
-#: ../../../docs/configuring-playbook-bot-draupnir.md:267
+#: ../../../docs/configuring-playbook-bot-draupnir.md:268
-msgid "As a result of running these commands, you may observe:"
+msgid "Below is a **non-exhaustive quick-start guide** for the impatient."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:269
 msgid "Draupnir creating `m.policy.rule.user` state events in the `#my-bans-bl:example.com` room on your server"
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:270
-msgid "applying these rules against all rooms that Draupnir is an Administrator in"
+msgid "Making Draupnir join and protect a room"
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:272
-msgid "You can undo bans with the [unban command](https://the-draupnir-project.github.io/draupnir-documentation/moderator/managing-users#the-unban-command)."
+msgid "Draupnir can be told to self-join public rooms, but it's better to follow this flow which works well for all kinds of rooms:"
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:274
-msgid "Enabling built-in protections"
+msgid "Invite the bot to the room manually ([inviting Draupnir to rooms](https://the-draupnir-project.github.io/draupnir-documentation/moderator/managing-protected-rooms#inviting-draupnir-to-rooms)). Before joining, the bot *may* ask for confirmation in the Management Room"
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:276
-msgid "You can also **turn on various built-in [protections](https://the-draupnir-project.github.io/draupnir-documentation/protections)** like `JoinWaveShortCircuitProtection` (\"If X amount of users join in Y time, set the room to invite-only\")."
+msgid "[Give the bot permissions to do its job](#giving-draupnir-permissions-to-do-its-job)"
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:278
-msgid "To **see which protections are available and which are enabled**, send a `!draupnir protections` command to the Management Room."
+msgid "Tell it to protect the room (using the [rooms command](https://the-draupnir-project.github.io/draupnir-documentation/moderator/managing-protected-rooms#using-the-draupnir-rooms-command)) by sending the following command to the Management Room: `!draupnir rooms add !qporfwt:example.com`"
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:280
-msgid "To [**see the configuration options for a given protection**](https://the-draupnir-project.github.io/draupnir-documentation/protections/configuring-protections#displaying-the-protection-settings), send a `!draupnir protections show PROTECTION_NAME` (e.g. `!draupnir protections show JoinWaveShortCircuitProtection`)."
+msgid "To have Draupnir provide useful room protection, you need do to a bit more work (at least the first time around). You may wish to [Subscribe to a public policy list](#subscribing-to-a-public-policy-list), [Create your own own policy and rules](#creating-your-own-policy-lists-and-rules) and [Enabling built-in protections](#enabling-built-in-protections)."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:282
-msgid "To [**set a specific option for a given protection**](https://the-draupnir-project.github.io/draupnir-documentation/protections/configuring-protections#changing-protection-settings), send a command like this: `!draupnir protections config set PROTECTION_NAME OPTION VALUE` (e.g. `!draupnir protections config set JoinWaveShortCircuitProtection timescaleMinutes 30`)."
+msgid "Giving Draupnir permissions to do its job"
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:284
-msgid "To [**enable a given protection**](https://the-draupnir-project.github.io/draupnir-documentation/protections/block-invitations-on-server-protection#enabling-the-protection), send a command like this: `!draupnir protections enable PROTECTION_NAME` (e.g. `!draupnir protections enable JoinWaveShortCircuitProtection`)."
+msgid "For Draupnir to do its job, you need to [give it permissions](https://the-draupnir-project.github.io/draupnir-documentation/moderator/managing-protected-rooms#giving-draupnir-permissions) in rooms it's protecting. This involves **giving it an Administrator power level**."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:286
 msgid "**We recommend setting this power level as soon as the bot joins your room** (and before you create new rules), so that it can apply rules as soon as they are available. If the bot is under-privileged, it may fail to apply protections and may not retry for a while (or until your restart it)."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:288
 msgid "Subscribing to a public policy list"
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:290
 msgid "We recommend **subscribing to a public [policy list](https://the-draupnir-project.github.io/draupnir-documentation/concepts/policy-lists)** using the [watch command](https://the-draupnir-project.github.io/draupnir-documentation/moderator/managing-policy-lists#using-draupnirs-watch-command-to-subscribe-to-policy-rooms)."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:292
 msgid "Policy lists are maintained in Matrix rooms. Popular ones maintained in the public are:"
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:294
 msgid "`#community-moderation-effort-bl:neko.dev`"
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:295
 msgid "`#huginn-muninn-active-threats:feline.support`"
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:297
 msgid "You can tell Draupnir to subscribe to each of these by sending the following command to the Management Room: `!draupnir watch POLICY_LIST_ADDRESS_HERE` (e.g. `!draupnir watch #community-moderation-effort-bl:neko.dev`)"
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:299
 msgid "Creating your own policy lists and rules"
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:301
 msgid "We also recommend **creating your own policy lists** with the [list create](https://the-draupnir-project.github.io/draupnir-documentation/moderator/managing-policy-lists#using-draupnirs-list-create-command-to-create-a-policy-room) command."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:303
 msgid "You can do so by sending the following command to the Management Room: `!draupnir list create my-bans my-bans-bl`. This will create a policy list having a name (shortcode) of `my-bans` and stored in a public `#my-bans-bl:example.com` room on your server. As soon as you run this command, the bot will invite you to the policy list room."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:305
 msgid "A policy list does nothing by itself, so the next step is **adding some rules to your policy list**. Policies target a so-called `entity` (one of: `user`, `room` or `server`). These entities are mentioned on the [policy lists](https://the-draupnir-project.github.io/draupnir-documentation/concepts/policy-lists) documentation page and in the Matrix Spec [here](https://spec.matrix.org/v1.11/client-server-api/#mban-recommendation)."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:307
 msgid "The simplest and most useful entity to target is `user`. Below are a few examples using the [ban command](https://the-draupnir-project.github.io/draupnir-documentation/moderator/managing-users#the-ban-command) and targeting users."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:309
 msgid "To create rules, you run commands in the Management Room (**not** in the policy list room)."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:311
 msgid "(ban a single user on a given homeserver): `!draupnir ban @charles:example.com my-bans Rude to others`"
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:312
 msgid "(ban all users on a given homeserver by using a [wildcard](https://the-draupnir-project.github.io/draupnir-documentation/moderator/managing-users#wildcards)): `!draupnir ban @*:example.org my-bans Spam server, all users are fake`"
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:314
 msgid "As a result of running these commands, you may observe:"
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:316
 msgid "Draupnir creating `m.policy.rule.user` state events in the `#my-bans-bl:example.com` room on your server"
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:317
 msgid "applying these rules against all rooms that Draupnir is an Administrator in"
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:319
 msgid "You can undo bans with the [unban command](https://the-draupnir-project.github.io/draupnir-documentation/moderator/managing-users#the-unban-command)."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:321
 msgid "Enabling built-in protections"
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:323
 msgid "You can also **turn on various built-in [protections](https://the-draupnir-project.github.io/draupnir-documentation/protections)** like `JoinWaveShortCircuitProtection` (\"If X amount of users join in Y time, set the room to invite-only\")."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:325
 msgid "To **see which protections are available and which are enabled**, send a `!draupnir protections` command to the Management Room."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:327
 msgid "To [**see the configuration options for a given protection**](https://the-draupnir-project.github.io/draupnir-documentation/protections/configuring-protections#displaying-the-protection-settings), send a `!draupnir protections show PROTECTION_NAME` (e.g. `!draupnir protections show JoinWaveShortCircuitProtection`)."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:329
 msgid "To [**set a specific option for a given protection**](https://the-draupnir-project.github.io/draupnir-documentation/protections/configuring-protections#changing-protection-settings), send a command like this: `!draupnir protections config set PROTECTION_NAME OPTION VALUE` (e.g. `!draupnir protections config set JoinWaveShortCircuitProtection timescaleMinutes 30`)."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:331
 msgid "To [**enable a given protection**](https://the-draupnir-project.github.io/draupnir-documentation/protections/block-invitations-on-server-protection#enabling-the-protection), send a command like this: `!draupnir protections enable PROTECTION_NAME` (e.g. `!draupnir protections enable JoinWaveShortCircuitProtection`)."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-draupnir.md:333
 msgid "To **disable a given protection**, send a command like this: `!draupnir protections disable PROTECTION_NAME` (e.g. `!draupnir protections disable JoinWaveShortCircuitProtection`)."
 msgstr ""
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-13 10:32+0000\n"
+"POT-Creation-Date: 2026-05-19 07:40+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -64,8 +64,8 @@ msgstr ""
 msgid "The bot requires an access token to be able to connect to your homeserver. Refer to the documentation on [how to obtain an access token](obtaining-access-tokens.md)."
 msgstr ""
-#: ../../../docs/configuring-playbook-bot-go-neb.md:39
+#: ../../../docs/configuring-playbook-bot-go-neb.md:40
-msgid "[!WARNING] Access tokens are sensitive information. Do not include them in any bug reports, messages, or logs. Do not share the access token with anyone."
+msgid "Access tokens are sensitive information. Do not include them in any bug reports, messages, or logs. Do not share the access token with anyone."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-go-neb.md:42
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-04-03 11:56+0100\n"
+"POT-Creation-Date: 2026-05-19 07:40+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -177,8 +177,8 @@ msgstr ""
 msgid "Alternatively, you can refer to the documentation on [how to obtain an access token](obtaining-access-tokens.md). Be aware that you'd better use the **Obtain an access token via curl** method (not **Obtain an access token via Element Web**) as the latter will causes issues to your bot in encrypted rooms. Read [more](https://docs.mau.fi/maubot/usage/basic.html#creating-clients)."
 msgstr ""
-#: ../../../docs/configuring-playbook-bot-maubot.md:123
+#: ../../../docs/configuring-playbook-bot-maubot.md:124
-msgid "[!WARNING] Access tokens are sensitive information. Do not include them in any bug reports, messages, or logs. Do not share the access token with anyone."
+msgid "Access tokens are sensitive information. Do not include them in any bug reports, messages, or logs. Do not share the access token with anyone."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-maubot.md:126
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-04-03 11:56+0100\n"
+"POT-Creation-Date: 2026-05-19 07:40+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -60,9 +60,9 @@ msgstr ""
 msgid "The bot requires an access token to be able to connect to your homeserver. Refer to the documentation on [how to obtain an access token](obtaining-access-tokens.md)."
 msgstr ""
-#: ../../../docs/configuring-playbook-bot-mjolnir.md:38
+#: ../../../docs/configuring-playbook-bot-mjolnir.md:39
-#: ../../../docs/configuring-playbook-bot-mjolnir.md:63
+#: ../../../docs/configuring-playbook-bot-mjolnir.md:64
-msgid "[!WARNING] Access tokens are sensitive information. Do not include them in any bug reports, messages, or logs. Do not share the access token with anyone."
+msgid "Access tokens are sensitive information. Do not include them in any bug reports, messages, or logs. Do not share the access token with anyone."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-mjolnir.md:41
@@ -142,8 +142,8 @@ msgstr ""
 msgid "Using your own account, create a new invite only room that you will use to manage the bot. This is the room where you will see the status of the bot and where you will send commands to the bot, such as the command to ban a user from another room."
 msgstr ""
-#: ../../../docs/configuring-playbook-bot-mjolnir.md:86
+#: ../../../docs/configuring-playbook-bot-mjolnir.md:87
-msgid "[!WARNING] Anyone in this room can control the bot so it is important that you only invite trusted users to this room."
+msgid "Anyone in this room can control the bot so it is important that you only invite trusted users to this room."
 msgstr ""
 #: ../../../docs/configuring-playbook-bot-mjolnir.md:89
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-13 10:32+0000\n"
+"POT-Creation-Date: 2026-05-19 07:40+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -28,8 +28,8 @@ msgstr ""
 msgid "See the project's [documentation](https://src.miscworks.net/fair/matrix-appservice-kakaotalk/src/branch/master/README.md) to learn what it does and why it might be useful to you."
 msgstr ""
-#: ../../../docs/configuring-playbook-bridge-appservice-kakaotalk.md:16
+#: ../../../docs/configuring-playbook-bridge-appservice-kakaotalk.md:17
-msgid "[!WARNING] There have been recent reports (~2022-09-16) that **using this bridge may get your account banned**."
+msgid "There have been recent reports (~2022-09-16) that **using this bridge may get your account banned**."
 msgstr ""
 #: ../../../docs/configuring-playbook-bridge-appservice-kakaotalk.md:19
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-13 10:32+0000\n"
+"POT-Creation-Date: 2026-05-07 11:16+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -29,7 +29,7 @@ msgid "The playbook can install and configure [mautrix-telegram](https://github.
 msgstr ""
 #: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:20
-msgid "See the project's [documentation](https://docs.mau.fi/bridges/python/telegram/index.html) to learn what it does and why it might be useful to you."
+msgid "See the project's [documentation](https://docs.mau.fi/bridges/go/telegram/index.html) to learn what it does and why it might be useful to you."
 msgstr ""
 #: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:22
@@ -45,11 +45,11 @@ msgid "To use the bridge, you'd need to obtain an API key from [https://my.teleg
 msgstr ""
 #: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:28
-msgid "Enable Appservice Double Puppet or Shared Secret Auth (optional)"
+msgid "Enable Appservice Double Puppet (optional)"
 msgstr ""
 #: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:30
-msgid "If you want to set up [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do) for this bridge automatically, you need to have enabled [Appservice Double Puppet](configuring-playbook-appservice-double-puppet.md) or [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) service for this playbook."
+msgid "If you want to set up [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do) for this bridge automatically, you need to have enabled [Appservice Double Puppet](configuring-playbook-appservice-double-puppet.md) service for this playbook."
 msgstr ""
 #: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:32
@@ -57,113 +57,85 @@ msgid "See [this section](configuring-playbook-bridge-mautrix-bridges.md#set-up-
 msgstr ""
 #: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:34
 msgid "**Notes**:"
 msgstr ""
 #: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:36
 msgid "Double puppeting with the Shared Secret Auth works at the time of writing, but is deprecated and will stop working in the future."
 msgstr ""
 #: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:38
 msgid "If you decided to enable Double Puppeting manually, send `login-matrix` to the bot in order to receive an instruction about how to send an access token to it."
 msgstr ""
 #: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:40
 msgid "Adjusting the playbook configuration"
 msgstr ""
-#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:42
+#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:36
 msgid "To enable the bridge, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file. Make sure to replace `YOUR_TELEGRAM_APP_ID` and `YOUR_TELEGRAM_API_HASH`."
 msgstr ""
-#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:50
+#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:44
 msgid "Relaying"
 msgstr ""
-#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:52
+#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:46
-msgid "Enable relay-bot (optional)"
+msgid "This bridge supports the common [mautrix bridge relay mode](configuring-playbook-bridge-mautrix-bridges.md#enable-relay-mode-optional). Once enabled, any authenticated user can be turned into a relaybot for a chat by sending `!tg set-relay` in that chat."
 msgstr ""
-#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:54
+#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:48
 msgid "If you want to use the relay-bot feature ([relay bot documentation](https://docs.mau.fi/bridges/python/telegram/relay-bot.html)), which allows anonymous user to chat with telegram users, add the following configuration to your `vars.yml` file:"
 msgstr ""
 #: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:64
 msgid "Configure a user as an administrator of the bridge (optional)"
 msgstr ""
-#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:66
+#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:50
 msgid "You might also want to give permissions to a user to administrate the bot. See [this section](configuring-playbook-bridge-mautrix-bridges.md#configure-bridge-permissions-optional) on the common guide for details about it."
 msgstr ""
-#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:68
+#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:52
 msgid "More details about permissions in this example: https://github.com/mautrix/telegram/blob/master/mautrix_telegram/example-config.yaml#L410"
 msgstr ""
 #: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:70
 msgid "Use the bridge for direct chats only (optional)"
 msgstr ""
 #: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:72
 msgid "If you want to exclude all groups from syncing and use the Telegram-Bridge only for direct chats, add the following configuration to your `vars.yml` file:"
 msgstr ""
 #: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:78
 msgid "Extending the configuration"
 msgstr ""
-#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:80
+#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:54
 msgid "There are some additional things you may wish to configure about the bridge."
 msgstr ""
-#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:83
+#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:56
 msgid "See [this section](configuring-playbook-bridge-mautrix-bridges.md#extending-the-configuration) on the [common guide for configuring mautrix bridges](configuring-playbook-bridge-mautrix-bridges.md) for details about variables that you can customize and the bridge's default configuration, including [bridge permissions](configuring-playbook-bridge-mautrix-bridges.md#configure-bridge-permissions-optional), [encryption support](configuring-playbook-bridge-mautrix-bridges.md#enable-encryption-optional), [bot's username](configuring-playbook-bridge-mautrix-bridges.md#set-the-bots-username-optional), etc."
 msgstr ""
-#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:85
+#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:58
 msgid "Installing"
 msgstr ""
-#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:87
+#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:60
 msgid "After configuring the playbook, run it with [playbook tags](playbook-tags.md) as below:"
 msgstr ""
-#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:94
+#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:67
 msgid "The shortcut commands with the [`just` program](just.md) are also available: `just install-all` or `just setup-all`"
 msgstr ""
-#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:96
+#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:69
 msgid "`just install-all` is useful for maintaining your setup quickly ([2x-5x faster](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) than `just setup-all`) when its components remain unchanged. If you adjust your `vars.yml` to remove other components, you'd need to run `just setup-all`, or these components will still remain installed. Note these shortcuts run the `ensure-matrix-users-created` tag too."
 msgstr ""
-#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:98
+#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:71
 msgid "Usage"
 msgstr ""
-#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:100
+#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:73
 msgid "To use the bridge, you need to start a chat with `@telegrambot:example.com` (where `example.com` is your base domain, not the `matrix.` domain)."
 msgstr ""
-#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:102
+#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:75
-msgid "You can then follow instructions on the bridge's [official documentation on Authentication](https://docs.mau.fi/bridges/python/telegram/authentication.html)."
+msgid "You can then follow instructions on the bridge's [official documentation on Authentication](https://docs.mau.fi/bridges/go/telegram/authentication.html)."
 msgstr ""
-#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:104
+#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:77
-msgid "After logging in, the bridge will create portal rooms for all of your Telegram groups and invite you to them. Note that the bridge won't automatically create rooms for private chats."
+msgid "After logging in, the bridge will create portal rooms for all of your Telegram groups and invite you to them."
 msgstr ""
-#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:106
+#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:79
 msgid "Troubleshooting"
 msgstr ""
-#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:108
+#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:81
 msgid "As with all other services, you can find the logs in [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) by logging in to the server with SSH and running `journalctl -fu matrix-mautrix-telegram`."
 msgstr ""
-#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:110
+#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:83
 msgid "Increase logging verbosity"
 msgstr ""
-#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:112
+#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:85
-msgid "The default logging level for this component is `WARNING`. If you want to increase the verbosity, add the following configuration to your `vars.yml` file and re-run the playbook:"
+msgid "The default logging level for this component is `warn`. If you want to increase the verbosity, add the following configuration to your `vars.yml` file and re-run the playbook:"
 msgstr ""
@@ -0,0 +1,133 @@
 # SOME DESCRIPTIVE TITLE.
 # Copyright (C) 2018-2026, Slavi Pantaleev, Aine Etke, MDAD community members
 # This file is distributed under the same license as the matrix-docker-ansible-deploy package.
 # FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
 #
 #, fuzzy
 msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2026-05-07 11:16+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 #: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:8
 msgid "Setting up a Matrix <-> Meshtastic bridge (optional)"
 msgstr ""
 #: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:10
 msgid "The playbook can install and configure [meshtastic-matrix-relay](https://github.com/jeremiah-k/meshtastic-matrix-relay) (sometimes referred to as `mmrelay`) for you — a bridge between [Matrix](https://matrix.org/) and [Meshtastic](https://meshtastic.org/) mesh networks."
 msgstr ""
 #: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:12
 msgid "See the [project's documentation](https://github.com/jeremiah-k/meshtastic-matrix-relay) to learn what it does and why it might be useful to you."
 msgstr ""
 #: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:14
 msgid "Prerequisites"
 msgstr ""
 #: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:16
 msgid "You need a Matrix account for the bot. You can either [register the bot account manually](registering-users.md) or let the playbook create it when running `ansible-playbook … --tags=ensure-matrix-users-created`. Either way, you'll need the account's **password** to configure the bridge — unlike most other bridges in this playbook, `mmrelay` authenticates with a password and creates its own session (optionally with End-to-End Encryption material)."
 msgstr ""
 #: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:18
 msgid "You also need access to a Meshtastic device, connected to the server via one of:"
 msgstr ""
 #: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:20
 msgid "**TCP**: the device is reachable on the network (e.g. a Meshtastic node running the TCP API),"
 msgstr ""
 #: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:21
 msgid "**Serial**: the device is plugged in via USB and available on the host (e.g. `/dev/ttyUSB0`),"
 msgstr ""
 #: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:22
 msgid "**BLE**: the device is reachable via Bluetooth Low Energy from the host."
 msgstr ""
 #: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:24
 msgid "Adjusting the playbook configuration"
 msgstr ""
 #: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:26
 msgid "To enable the bridge, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:"
 msgstr ""
 #: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:56
 msgid "By default, the bot's Matrix ID is `@meshtasticbot:{{ matrix_domain }}`. To change it, adjust `matrix_meshtastic_relay_matrix_bot_user_id`."
 msgstr ""
 #: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:58
 msgid "Bluetooth (BLE) connections"
 msgstr ""
 #: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:60
 msgid "When `matrix_meshtastic_relay_connection_type` is `ble`, the container runs with `--network=host` and bind-mounts the host's DBus socket — both are required for Bluetooth pairing/communication. Only use this connection type if you trust the playbook-managed host and are comfortable with these privileges."
 msgstr ""
 #: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:62
 msgid "Serial connections"
 msgstr ""
 #: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:64
 msgid "When `matrix_meshtastic_relay_connection_type` is `serial`, the host device referenced by `matrix_meshtastic_relay_serial_port` is passed through to the container. Make sure that `matrix_user_uid` / `matrix_user_gid` have read/write access to that device (e.g. by adding the matrix user to the `dialout` group, or adjusting udev rules)."
 msgstr ""
 #: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:66
 msgid "Extending the configuration"
 msgstr ""
 #: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:68
 msgid "There are some additional things you may wish to configure about the bridge."
 msgstr ""
 #: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:70
 msgid "Take a look at:"
 msgstr ""
 #: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:72
 msgid "`roles/custom/matrix-bridge-meshtastic-relay/defaults/main.yml` for some variables that you can customize via your `vars.yml` file. You can override individual `matrix_meshtastic_relay_*` variables, or make finer-grained adjustments via `matrix_meshtastic_relay_configuration_extension_yaml`."
 msgstr ""
 #: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:74
 msgid "Installing"
 msgstr ""
 #: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:76
 msgid "After configuring the playbook, run the playbook with [playbook tags](playbook-tags.md) as below:"
 msgstr ""
 #: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:83
 msgid "The shortcut commands with the [`just` program](just.md) are also available: `just install-all` or `just setup-all`."
 msgstr ""
 #: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:85
 msgid "`just install-all` is useful for maintaining your setup quickly ([2x-5x faster](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) than `just setup-all`) when its components remain unchanged. If you adjust your `vars.yml` to remove other components, you'd need to run `just setup-all`, or these components will still remain installed. Note these shortcuts run the `ensure-matrix-users-created` tag too."
 msgstr ""
 #: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:87
 msgid "Usage"
 msgstr ""
 #: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:89
 msgid "Invite the bot to the Matrix rooms listed in `matrix_meshtastic_relay_matrix_rooms_list` and it will relay between Matrix and the corresponding Meshtastic channel. Messages sent on Meshtastic will appear in Matrix and vice versa."
 msgstr ""
 #: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:91
 msgid "See the [project's wiki](https://github.com/jeremiah-k/meshtastic-matrix-relay/wiki) for details about commands, plugins and advanced usage."
 msgstr ""
 #: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:93
 msgid "Troubleshooting"
 msgstr ""
 #: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:95
 msgid "As with all other services, you can find the logs in [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) by logging in to the server with SSH and running `journalctl -fu matrix-meshtastic-relay`."
 msgstr ""
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-13 10:32+0000\n"
+"POT-Creation-Date: 2026-05-19 07:40+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -28,8 +28,8 @@ msgstr ""
 msgid "See the project's [documentation](https://github.com/duo/matrix-wechat/blob/master/README.md) to learn what it does and why it might be useful to you."
 msgstr ""
-#: ../../../docs/configuring-playbook-bridge-wechat.md:14
+#: ../../../docs/configuring-playbook-bridge-wechat.md:15
-msgid "[!WARNING] This bridge does not work against newer versions of Synapse anymore. See [this issue](https://github.com/duo/matrix-wechat/issues/33). Don't even bother installing it. Unless bridge maintenance is resumed and fixes this issue, we have no choice but to remove it from the playbook."
+msgid "This bridge does not work against newer versions of Synapse anymore. See [this issue](https://github.com/duo/matrix-wechat/issues/33). Don't even bother installing it. Unless bridge maintenance is resumed and fixes this issue, we have no choice but to remove it from the playbook."
 msgstr ""
 #: ../../../docs/configuring-playbook-bridge-wechat.md:17
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-13 10:32+0000\n"
+"POT-Creation-Date: 2026-05-19 07:40+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -32,10 +32,6 @@ msgstr ""
 msgid "By default, the playbook installs [Synapse](https://github.com/element-hq/synapse) as it's the only full-featured Matrix server at the moment. If that's okay, you can skip this document."
 msgstr ""
 #: ../../../docs/configuring-playbook-conduit.md:16
 msgid "[!WARNING]"
 msgstr ""
 #: ../../../docs/configuring-playbook-conduit.md:17
 msgid "**You can't switch an existing Matrix server's implementation** (e.g. Synapse -> Conduit). Proceed below only if you're OK with losing data or you're dealing with a server on a new domain name, which hasn't participated in the Matrix federation yet."
 msgstr ""
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-13 10:32+0000\n"
+"POT-Creation-Date: 2026-05-19 07:40+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -37,21 +37,29 @@ msgid "To uninstall the service, run the command below on the server:"
 msgstr ""
 #: ../../../docs/configuring-playbook-conduwuit.md:32
-msgid "Migrating to Continuwuity"
+msgid "Migrating to Tuwunel"
 msgstr ""
 #: ../../../docs/configuring-playbook-conduwuit.md:34
-msgid "Since [Continuwuity](configuring-playbook-continuwuity.md) is a drop-in replacement for conduwuit, migration is possible. Please refer to [this section](./configuring-playbook-continuwuity.md#migrating-from-conduwuit) for details."
+msgid "[Tuwunel](configuring-playbook-tuwunel.md) is a fork of conduwuit, [endorsed as conduwuit's successor](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/5200#issuecomment-4396211185) by the former conduwuit maintainer. It reads conduwuit's database directly, so migration is possible. Please refer to [this section](./configuring-playbook-tuwunel.md#migrating-from-conduwuit) for details."
 msgstr ""
 #: ../../../docs/configuring-playbook-conduwuit.md:36
-msgid "Removing data manually"
+msgid "Migrating to Continuwuity"
 msgstr ""
 #: ../../../docs/configuring-playbook-conduwuit.md:38
-msgid "If you are not going to migrate to [Continuwuity](configuring-playbook-continuwuity.md), you can remove data by running the command on the server:"
+msgid "Since [Continuwuity](configuring-playbook-continuwuity.md) is a drop-in replacement for conduwuit, migration is possible. Please refer to [this section](./configuring-playbook-continuwuity.md#migrating-from-conduwuit) for details."
 msgstr ""
-#: ../../../docs/configuring-playbook-conduwuit.md:44
+#: ../../../docs/configuring-playbook-conduwuit.md:40
-msgid "[!WARNING] Once you removing the path, there is no going back. Your data on the homeserver (including chat history, rooms, etc.) will be deleted and not be possible to restore them. Please be certain."
+msgid "Removing data manually"
 msgstr ""
 #: ../../../docs/configuring-playbook-conduwuit.md:42
 msgid "If you are not going to migrate to [Tuwunel](configuring-playbook-tuwunel.md) or [Continuwuity](configuring-playbook-continuwuity.md), you can remove data by running the command on the server:"
 msgstr ""
 #: ../../../docs/configuring-playbook-conduwuit.md:49
 msgid "Once you removing the path, there is no going back. Your data on the homeserver (including chat history, rooms, etc.) will be deleted and not be possible to restore them. Please be certain."
 msgstr ""
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-04-15 09:10+0000\n"
+"POT-Creation-Date: 2026-05-19 07:40+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -36,10 +36,6 @@ msgstr ""
 msgid "💡 **Note**: continuwuity is a fork of [conduwuit](./configuring-playbook-conduwuit.md), which the playbook has supported."
 msgstr ""
 #: ../../../docs/configuring-playbook-continuwuity.md:18
 msgid "[!WARNING]"
 msgstr ""
 #: ../../../docs/configuring-playbook-continuwuity.md:19
 msgid "**You can't switch an existing Matrix server's implementation** (e.g. Synapse -> Continuwuity). Proceed below only if you're OK with losing data or you're dealing with a server on a new domain name, which hasn't participated in the Matrix federation yet."
 msgstr ""
@@ -81,81 +77,97 @@ msgid "There are various Ansible variables that control settings in the `continu
 msgstr ""
 #: ../../../docs/configuring-playbook-continuwuity.md:49
 msgid "💡 By default, the playbook wires Continuwuity into a few playbook-wide settings:"
 msgstr ""
 #: ../../../docs/configuring-playbook-continuwuity.md:51
 msgid "if `exim_relay_enabled: true` (the default), Continuwuity SMTP is automatically enabled and pointed at the [local Exim relay](configuring-playbook-email.md) service"
 msgstr ""
 #: ../../../docs/configuring-playbook-continuwuity.md:52
 msgid "`matrix_continuwuity_config_well_known_client` is automatically set to the public homeserver URL in the usual SSL-enabled setup, which helps email verification and password-reset links work in delegated-domain setups"
 msgstr ""
 #: ../../../docs/configuring-playbook-continuwuity.md:54
 msgid "You can override any of these defaults in your `vars.yml` file if you want Continuwuity to use a different SMTP server or a different well-known client URL."
 msgstr ""
 #: ../../../docs/configuring-playbook-continuwuity.md:56
 msgid "If a specific setting you'd like to change does not have a dedicated Ansible variable, you can either submit a PR to us to add it, or you can [override the setting using an environment variable](https://continuwuity.org/configuration#environment-variables) using `matrix_continuwuity_environment_variables_extension`. For example:"
 msgstr ""
-#: ../../../docs/configuring-playbook-continuwuity.md:57
+#: ../../../docs/configuring-playbook-continuwuity.md:64
 msgid "Creating the first user account"
 msgstr ""
-#: ../../../docs/configuring-playbook-continuwuity.md:59
+#: ../../../docs/configuring-playbook-continuwuity.md:66
 msgid "Unlike other homeserver implementations (like Synapse and Dendrite), continuwuity does not support creating users via the command line or via the playbook."
 msgstr ""
-#: ../../../docs/configuring-playbook-continuwuity.md:61
+#: ../../../docs/configuring-playbook-continuwuity.md:68
 msgid "On first startup, Continuwuity creates a special one-time-use registration token and logs it to the server's console. To access this, you will need to SSH into the server and run the following command:"
 msgstr ""
-#: ../../../docs/configuring-playbook-continuwuity.md:68
+#: ../../../docs/configuring-playbook-continuwuity.md:75
 msgid "Find the token, highlight it, and copy it (ctrl+shift+C). This token should allow you to create the first user account via any client (like [Element Web](./configuring-playbook-client-element-web.md)) which supports creating users."
 msgstr ""
-#: ../../../docs/configuring-playbook-continuwuity.md:70
+#: ../../../docs/configuring-playbook-continuwuity.md:77
 msgid "The **first user account that you create will be marked as an admin** and **will be automatically invited to an admin room**."
 msgstr ""
-#: ../../../docs/configuring-playbook-continuwuity.md:73
+#: ../../../docs/configuring-playbook-continuwuity.md:80
 msgid "Configuring bridges / appservices"
 msgstr ""
-#: ../../../docs/configuring-playbook-continuwuity.md:75
+#: ../../../docs/configuring-playbook-continuwuity.md:82
 msgid "For other homeserver implementations (like Synapse and Dendrite), the playbook automatically registers appservices (for bridges, bots, etc.) with the homeserver."
 msgstr ""
-#: ../../../docs/configuring-playbook-continuwuity.md:77
+#: ../../../docs/configuring-playbook-continuwuity.md:84
 msgid "For continuwuity, you will have to manually register appservices using the [`!admin appservices register` command](https://continuwuity.org/appservices.html#set-up-the-appservice---general-instructions) sent to the server bot account."
 msgstr ""
-#: ../../../docs/configuring-playbook-continuwuity.md:79
+#: ../../../docs/configuring-playbook-continuwuity.md:86
 msgid "The server's bot account has a Matrix ID of `@conduit:example.com` (not `@continuwuity:example.com`!) due to continuwuity's historical legacy. Your first user account would already have been invited to an admin room with this bot."
 msgstr ""
-#: ../../../docs/configuring-playbook-continuwuity.md:82
+#: ../../../docs/configuring-playbook-continuwuity.md:89
 msgid "Find the appservice file you'd like to register. This can be any `registration.yaml` file found in the `/matrix` directory, for example `/matrix/mautrix-signal/bridge/registration.yaml`."
 msgstr ""
-#: ../../../docs/configuring-playbook-continuwuity.md:84
+#: ../../../docs/configuring-playbook-continuwuity.md:91
 msgid "Then, send its content to the existing admin room:"
 msgstr ""
-#: ../../../docs/configuring-playbook-continuwuity.md:108
+#: ../../../docs/configuring-playbook-continuwuity.md:115
 msgid "Migrating from conduwuit"
 msgstr ""
-#: ../../../docs/configuring-playbook-continuwuity.md:110
+#: ../../../docs/configuring-playbook-continuwuity.md:117
 msgid "Since Continuwuity is a drop-in replacement for [conduwuit](configuring-playbook-conduwuit.md), migration is possible."
 msgstr ""
-#: ../../../docs/configuring-playbook-continuwuity.md:112
+#: ../../../docs/configuring-playbook-continuwuity.md:119
 msgid "Make sure that Continuwuity is properly set up on your `vars.yml` as described above"
 msgstr ""
-#: ../../../docs/configuring-playbook-continuwuity.md:114
+#: ../../../docs/configuring-playbook-continuwuity.md:121
 msgid "Make sure that Conduwuit references are removed from your `vars.yml` file"
 msgstr ""
-#: ../../../docs/configuring-playbook-continuwuity.md:116
+#: ../../../docs/configuring-playbook-continuwuity.md:123
 msgid "Run the installation in a way that installs new services and uninstalls old ones (e.g. `just setup-all`)"
 msgstr ""
-#: ../../../docs/configuring-playbook-continuwuity.md:118
+#: ../../../docs/configuring-playbook-continuwuity.md:125
 msgid "Run the playbook with the `continuwuity-migrate-from-conduwuit` tag (e.g. `just run-tags continuwuity-migrate-from-conduwuit`). This migrates data from `/matrix/conduwuit` to `/matrix/continuwuity`"
 msgstr ""
-#: ../../../docs/configuring-playbook-continuwuity.md:120
+#: ../../../docs/configuring-playbook-continuwuity.md:127
 msgid "Troubleshooting"
 msgstr ""
-#: ../../../docs/configuring-playbook-continuwuity.md:122
+#: ../../../docs/configuring-playbook-continuwuity.md:129
 msgid "As with all other services, you can find the logs in [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) by logging in to the server with SSH and running `journalctl -fu matrix-continuwuity`."
 msgstr ""
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-13 10:32+0000\n"
+"POT-Creation-Date: 2026-05-19 07:40+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -32,10 +32,6 @@ msgstr ""
 msgid "By default, the playbook installs [Synapse](https://github.com/element-hq/synapse) as it's the only full-featured Matrix server at the moment. If that's okay, you can skip this document."
 msgstr ""
 #: ../../../docs/configuring-playbook-dendrite.md:17
 msgid "[!WARNING]"
 msgstr ""
 #: ../../../docs/configuring-playbook-dendrite.md:18
 msgid "**You can't switch an existing Matrix server's implementation** (e.g. Synapse -> Dendrite). Proceed below only if you're OK with losing data or you're dealing with a server on a new domain name, which hasn't participated in the Matrix federation yet."
 msgstr ""
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-04-03 11:56+0100\n"
+"POT-Creation-Date: 2026-05-19 07:40+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -92,8 +92,8 @@ msgstr ""
 msgid "Example additional configuration for your `vars.yml` file:"
 msgstr ""
-#: ../../../docs/configuring-playbook-element-admin.md:53
+#: ../../../docs/configuring-playbook-element-admin.md:54
-msgid "[!WARNING] A `matrix_element_admin_path_prefix` variable is also available and mean to let you configure a path prefix for the Element Admin service, but **Element Admin does not support running under a sub-path yet**."
+msgid "A `matrix_element_admin_path_prefix` variable is also available and mean to let you configure a path prefix for the Element Admin service, but **Element Admin does not support running under a sub-path yet**."
 msgstr ""
 #: ../../../docs/configuring-playbook-element-admin.md:56
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-13 10:32+0000\n"
+"POT-Creation-Date: 2026-05-19 07:40+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -52,8 +52,8 @@ msgstr ""
 msgid "(Optional) Guest accounts being enabled for your Matrix server, if you'd like guests to be able to use Element Call. See [Allowing guests to use Element Call](#allowing-guests-to-use-element-call-optional)"
 msgstr ""
-#: ../../../docs/configuring-playbook-element-call.md:23
+#: ../../../docs/configuring-playbook-element-call.md:24
-msgid "[!WARNING]  Because Element Call [requires](https://github.com/element-hq/element-call/blob/93ae2aed9841e0b066d515c56bd4c122d2b591b2/docs/self-hosting.md#a-matrix-homeserver) a few experimental features in the Matrix protocol, it's **very likely that it only works with the Synapse homeserver**."
+msgid "Because Element Call [requires](https://github.com/element-hq/element-call/blob/93ae2aed9841e0b066d515c56bd4c122d2b591b2/docs/self-hosting.md#a-matrix-homeserver) a few experimental features in the Matrix protocol, it's **very likely that it only works with the Synapse homeserver**."
 msgstr ""
 #: ../../../docs/configuring-playbook-element-call.md:26
@@ -192,8 +192,8 @@ msgstr ""
 msgid "Example additional configuration for your `vars.yml` file:"
 msgstr ""
-#: ../../../docs/configuring-playbook-element-call.md:82
+#: ../../../docs/configuring-playbook-element-call.md:83
-msgid "[!WARNING] A `matrix_element_call_path_prefix` variable is also available and mean to let you configure a path prefix for the Element Call service, but [Element Call does not support running under a sub-path yet](https://github.com/element-hq/element-call/issues/3084)."
+msgid "A `matrix_element_call_path_prefix` variable is also available and mean to let you configure a path prefix for the Element Call service, but [Element Call does not support running under a sub-path yet](https://github.com/element-hq/element-call/issues/3084)."
 msgstr ""
 #: ../../../docs/configuring-playbook-element-call.md:85
@@ -208,8 +208,8 @@ msgstr ""
 msgid "If you'd like guests to be able to use Element Call as well, you need to enable guest accounts support for your homeserver."
 msgstr ""
-#: ../../../docs/configuring-playbook-element-call.md:91
+#: ../../../docs/configuring-playbook-element-call.md:92
-msgid "[!WARNING] Enabling guest accounts means that your homeserver's user database may get polluted with guest account signups (potentially made by bots). Guest accounts should be limited in what (damage) they can do to your server and the rest of the Matrix ecosystem, but it's better to not enable them unless necessary."
+msgid "Enabling guest accounts means that your homeserver's user database may get polluted with guest account signups (potentially made by bots). Guest accounts should be limited in what (damage) they can do to your server and the rest of the Matrix ecosystem, but it's better to not enable them unless necessary."
 msgstr ""
 #: ../../../docs/configuring-playbook-element-call.md:95
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-04-15 09:10+0000\n"
+"POT-Creation-Date: 2026-05-07 11:16+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -53,7 +53,7 @@ msgid "**Final delivery capability**: Can deliver emails directly if you don't h
 msgstr ""
 #: ../../../docs/configuring-playbook-email.md:26
-msgid "**Centralized configuration**: Configure your upstream SMTP server once in exim-relay, then point all services ([Synapse](configuring-playbook-synapse.md), [Matrix Authentication Service](configuring-playbook-matrix-authentication-service.md), etc.) there—no need to configure SMTP in each component"
+msgid "**Centralized configuration**: Configure your upstream SMTP server once in exim-relay, then point all services ([Synapse](configuring-playbook-synapse.md), [Matrix Authentication Service](configuring-playbook-matrix-authentication-service.md), [Continuwuity](configuring-playbook-continuwuity.md), etc.) there, with no need to configure SMTP in each component"
 msgstr ""
 #: ../../../docs/configuring-playbook-email.md:28
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-13 10:32+0000\n"
+"POT-Creation-Date: 2026-05-07 11:16+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -41,15 +41,15 @@ msgid "If you wish to disable federation, you can do that with an empty list (`[
 msgstr ""
 #: ../../../docs/configuring-playbook-federation.md:27
-msgid "Exposing the room directory over federation"
+msgid "Controlling exposure of the room directory over federation"
 msgstr ""
 #: ../../../docs/configuring-playbook-federation.md:29
-msgid "By default, your server's public rooms directory is not exposed to other servers via federation."
+msgid "By default, your server's public rooms directory is exposed to other servers via federation, so that public rooms hosted on your server can be discovered by users on other servers. This goes against the Synapse upstream default (which is `false`); see the [2023-10-23 changelog entry](../CHANGELOG.md#enabling-allow_public_rooms_over_federation-by-default-for-synapse) for the reasoning behind this choice."
 msgstr ""
 #: ../../../docs/configuring-playbook-federation.md:31
-msgid "To expose it, add the following configuration to your `vars.yml` file:"
+msgid "To prevent your public rooms directory from being exposed over federation (restoring the Synapse upstream default), add the following configuration to your `vars.yml` file:"
 msgstr ""
 #: ../../../docs/configuring-playbook-federation.md:37
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-04-15 09:10+0000\n"
+"POT-Creation-Date: 2026-05-19 07:40+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -124,8 +124,8 @@ msgstr ""
 msgid "To enable the Gravatar service nevertheless, add the following configuration to your `vars.yml` file:"
 msgstr ""
-#: ../../../docs/configuring-playbook-jitsi.md:90
+#: ../../../docs/configuring-playbook-jitsi.md:91
-msgid "[!WARNING] This will result in third party request leaking data to the Gravatar Service (`gravatar.com`, unless configured otherwise). Besides metadata, the Matrix user_id and possibly the room ID (via `referrer` header) will be also sent to the third party."
+msgid "This will result in third party request leaking data to the Gravatar Service (`gravatar.com`, unless configured otherwise). Besides metadata, the Matrix user_id and possibly the room ID (via `referrer` header) will be also sent to the third party."
 msgstr ""
 #: ../../../docs/configuring-playbook-jitsi.md:93
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-04-15 09:10+0000\n"
+"POT-Creation-Date: 2026-05-19 07:40+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -28,10 +28,6 @@ msgstr ""
 msgid "Ketesa is a fully-featured admin interface for Matrix homeservers — manage users, rooms, media, sessions, and more from one clean, responsive web UI. It is the evolution of [Awesome-Technologies/synapse-admin](https://github.com/Awesome-Technologies/synapse-admin): what began as a fork has grown into its own independent project with a redesigned interface, comprehensive Synapse and MAS API coverage, and multi-language support. See the [Ketesa v1.0.0 announcement](https://etke.cc/blog/introducing-ketesa/) for a full overview of what's new."
 msgstr ""
 #: ../../../docs/configuring-playbook-ketesa.md:20
 msgid "[!NOTE]"
 msgstr ""
 #: ../../../docs/configuring-playbook-ketesa.md:22
 msgid "Ketesa does not work with other homeserver implementations than Synapse due to API's incompatibility."
 msgstr ""
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-13 10:32+0000\n"
+"POT-Creation-Date: 2026-05-20 02:45+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -25,7 +25,7 @@ msgid "The playbook can install and configure the [matrix-synapse-ldap3](https:/
 msgstr ""
 #: ../../../docs/configuring-playbook-ldap-auth.md:14
-msgid "See the project's [documentation](https://github.com/matrix-org/matrix-synapse-ldap3/blob/main/README.rst) to learn what it does and why it might be useful to you."
+msgid "See the project's [documentation](https://github.com/matrix-org/matrix-synapse-ldap3/blob/main/README.md) to learn what it does and why it might be useful to you."
 msgstr ""
 #: ../../../docs/configuring-playbook-ldap-auth.md:16
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-04-15 09:10+0000\n"
+"POT-Creation-Date: 2026-05-18 07:22+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -117,21 +117,33 @@ msgid "and configuring their own Traefik TCP entrypoint dedicated to LiveKit TUR
 msgstr ""
 #: ../../../docs/configuring-playbook-livekit-server.md:64
-msgid "Limitations"
+msgid "TURN access controls"
 msgstr ""
 #: ../../../docs/configuring-playbook-livekit-server.md:66
-msgid "LiveKit Server's TURN listener behavior depends on where TLS is terminated:"
+msgid "LiveKit's embedded TURN server enforces a credential TTL and restricts which peer CIDRs it will relay to. The playbook leaves these at the role's secure defaults, which are appropriate for typical deployments where TURN peers live on the public Internet."
 msgstr ""
 #: ../../../docs/configuring-playbook-livekit-server.md:68
 msgid "If your setup needs TURN to relay to private/restricted ranges, or you want to override the credential TTL, see the [TURN access controls and credential TTL](https://github.com/mother-of-all-self-hosting/ansible-role-livekit-server/blob/main/docs/configuring-livekit-server.md#turn-access-controls-and-credential-ttl) section of the role's documentation."
 msgstr ""
 #: ../../../docs/configuring-playbook-livekit-server.md:70
 msgid "Limitations"
 msgstr ""
 #: ../../../docs/configuring-playbook-livekit-server.md:72
 msgid "LiveKit Server's TURN listener behavior depends on where TLS is terminated:"
 msgstr ""
 #: ../../../docs/configuring-playbook-livekit-server.md:74
 msgid "Direct LiveKit TURN listeners (`livekit_server_config_turn_external_tls: false`) still use IPv4-only sockets for `3479/udp` and `5350/tcp`, so IPv6 connectivity to these endpoints is not possible."
 msgstr ""
-#: ../../../docs/configuring-playbook-livekit-server.md:69
+#: ../../../docs/configuring-playbook-livekit-server.md:75
 msgid "With [TURN TLS handling](#turn-tls-handling) (`livekit_server_config_turn_external_tls: true`), the playbook's dedicated `matrix-livekit-turn` TCP entrypoint can still listen on both IPv4 and IPv6. Traefik then forwards TURN/TCP to LiveKit."
 msgstr ""
-#: ../../../docs/configuring-playbook-livekit-server.md:71
+#: ../../../docs/configuring-playbook-livekit-server.md:77
 msgid "It appears that LiveKit Server intentionally only listens on `udp4` and `tcp4` in direct mode, as seen [here](https://github.com/livekit/livekit/blob/154b4d26b769c68a03c096124094b97bf61a996f/pkg/service/turn.go#L128) and [here](https://github.com/livekit/livekit/blob/154b4d26b769c68a03c096124094b97bf61a996f/pkg/service/turn.go#L92)."
 msgstr ""
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-13 10:32+0000\n"
+"POT-Creation-Date: 2026-05-19 07:40+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -20,8 +20,8 @@ msgstr ""
 msgid "Setting up Matrix Corporal (optional, advanced)"
 msgstr ""
-#: ../../../docs/configuring-playbook-matrix-corporal.md:11
+#: ../../../docs/configuring-playbook-matrix-corporal.md:12
-msgid "[!WARNING] This is an advanced feature! It requires prior experience with Matrix and a specific need for using [Matrix Corporal](https://github.com/devture/matrix-corporal). If you're unsure whether you have such a need, you most likely don't."
+msgid "This is an advanced feature! It requires prior experience with Matrix and a specific need for using [Matrix Corporal](https://github.com/devture/matrix-corporal). If you're unsure whether you have such a need, you most likely don't."
 msgstr ""
 #: ../../../docs/configuring-playbook-matrix-corporal.md:14
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-13 10:32+0000\n"
+"POT-Creation-Date: 2026-05-19 07:40+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -16,166 +16,22 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 #: ../../../docs/configuring-playbook-matrix-registration.md:9
 msgid "Setting up matrix-registration (optional)"
 msgstr ""
 #: ../../../docs/configuring-playbook-matrix-registration.md:11
 msgid "[!WARNING]"
 msgstr ""
 #: ../../../docs/configuring-playbook-matrix-registration.md:12
 msgid "This is a poorly maintained and buggy project. It's better to avoid using it."
 msgstr ""
 #: ../../../docs/configuring-playbook-matrix-registration.md:13
 msgid "This is not related to [matrix-registration-bot](configuring-playbook-bot-matrix-registration-bot.md)"
 msgstr ""
 #: ../../../docs/configuring-playbook-matrix-registration.md:15
 msgid "The playbook can install and configure [matrix-registration](https://github.com/ZerataX/matrix-registration) for you. It is a simple python application to have a token based Matrix registration."
 msgstr ""
 #: ../../../docs/configuring-playbook-matrix-registration.md:17
 msgid "Use matrix-registration to **create unique registration links**, which people can use to register on your Matrix server. It allows certain people (these having a special link) to register a user account, **keeping your server's registration closed (private)**."
 msgstr ""
 #: ../../../docs/configuring-playbook-matrix-registration.md:19
-msgid "**matrix-registration** provides 2 things:"
+msgid "Setting up matrix-registration (optional, removed)"
 msgstr ""
-#: ../../../docs/configuring-playbook-matrix-registration.md:21
+#: ../../../docs/configuring-playbook-matrix-registration.md:22
-msgid "**an API for creating registration tokens** (unique registration links). This API can be used via `curl` or via the playbook (see [Usage](#usage) below)"
+msgid "This is not related to [matrix-registration-bot](configuring-playbook-bot-matrix-registration-bot.md)."
 msgstr ""
-#: ../../../docs/configuring-playbook-matrix-registration.md:23
+#: ../../../docs/configuring-playbook-matrix-registration.md:24
-msgid "**a user registration page**, where people can use these registration tokens. By default, exposed at `https://matrix.example.com/matrix-registration`"
+msgid "🪦 The playbook used to be able to install and configure [matrix-registration](https://github.com/ZerataX/matrix-registration), but no longer includes this component, as it has been unmaintained since November, 2025."
 msgstr ""
-#: ../../../docs/configuring-playbook-matrix-registration.md:25
+#: ../../../docs/configuring-playbook-matrix-registration.md:26
-msgid "Adjusting DNS records (optional)"
+msgid "Uninstalling the component manually"
 msgstr ""
-#: ../../../docs/configuring-playbook-matrix-registration.md:27
+#: ../../../docs/configuring-playbook-matrix-registration.md:28
-msgid "By default, this playbook installs the matrix-registration on the `matrix.` subdomain, at the `/matrix-registration` path (https://matrix.example.com/matrix-registration). This makes it easy to install it, because it **doesn't require additional DNS records to be set up**. If that's okay, you can skip this section."
+msgid "If you still have matrix-registration installed on your Matrix server, the playbook can no longer help you uninstall it and you will need to do it manually. To uninstall manually, run these commands on the server:"
 msgstr ""
 #: ../../../docs/configuring-playbook-matrix-registration.md:29
 msgid "If you wish to adjust it, see the section [below](#adjusting-the-matrix-registration-url-optional) for details about DNS configuration."
 msgstr ""
 #: ../../../docs/configuring-playbook-matrix-registration.md:31
 msgid "Adjusting the playbook configuration"
 msgstr ""
 #: ../../../docs/configuring-playbook-matrix-registration.md:33
 msgid "To enable matrix-registration, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:"
 msgstr ""
 #: ../../../docs/configuring-playbook-matrix-registration.md:42
 msgid "Adjusting the matrix-registration URL (optional)"
 msgstr ""
 #: ../../../docs/configuring-playbook-matrix-registration.md:44
 msgid "By tweaking the `matrix_registration_hostname` and `matrix_registration_path_prefix` variables, you can easily make the service available at a **different hostname and/or path** than the default one."
 msgstr ""
 #: ../../../docs/configuring-playbook-matrix-registration.md:46
 msgid "Example additional configuration for your `vars.yml` file:"
 msgstr ""
 #: ../../../docs/configuring-playbook-matrix-registration.md:54
 msgid "If you've changed the default hostname, you may need to create a CNAME record for the matrix-registration domain (`registration.example.com`), which targets `matrix.example.com`."
 msgstr ""
 #: ../../../docs/configuring-playbook-matrix-registration.md:56
 msgid "When setting, replace `example.com` with your own."
 msgstr ""
 #: ../../../docs/configuring-playbook-matrix-registration.md:58
 msgid "Extending the configuration"
 msgstr ""
 #: ../../../docs/configuring-playbook-matrix-registration.md:60
 msgid "There are some additional things you may wish to configure about the component."
 msgstr ""
 #: ../../../docs/configuring-playbook-matrix-registration.md:62
 msgid "Take a look at:"
 msgstr ""
 #: ../../../docs/configuring-playbook-matrix-registration.md:64
 msgid "`roles/custom/matrix-registration/defaults/main.yml` for some variables that you can customize via your `vars.yml` file"
 msgstr ""
 #: ../../../docs/configuring-playbook-matrix-registration.md:65
 msgid "`roles/custom/matrix-registration/templates/config.yaml.j2` for the component's default configuration. You can override settings (even those that don't have dedicated playbook variables) using the `matrix_registration_configuration_extension_yaml` variable"
 msgstr ""
 #: ../../../docs/configuring-playbook-matrix-registration.md:67
 msgid "Installing"
 msgstr ""
 #: ../../../docs/configuring-playbook-matrix-registration.md:69
 msgid "After configuring the playbook and potentially [adjusting your DNS records](#adjusting-dns-records), run the playbook with [playbook tags](playbook-tags.md) as below:"
 msgstr ""
 #: ../../../docs/configuring-playbook-matrix-registration.md:76
 msgid "The shortcut commands with the [`just` program](just.md) are also available: `just install-all` or `just setup-all`"
 msgstr ""
 #: ../../../docs/configuring-playbook-matrix-registration.md:78
 msgid "`just install-all` is useful for maintaining your setup quickly ([2x-5x faster](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) than `just setup-all`) when its components remain unchanged. If you adjust your `vars.yml` to remove other components, you'd need to run `just setup-all`, or these components will still remain installed. Note these shortcuts run the `ensure-matrix-users-created` tag too."
 msgstr ""
 #: ../../../docs/configuring-playbook-matrix-registration.md:80
 msgid "Usage"
 msgstr ""
 #: ../../../docs/configuring-playbook-matrix-registration.md:82
 msgid "**matrix-registration** gets exposed at `https://matrix.example.com/matrix-registration`"
 msgstr ""
 #: ../../../docs/configuring-playbook-matrix-registration.md:84
 msgid "It provides various [APIs](https://github.com/ZerataX/matrix-registration/wiki/api) — for creating registration tokens, listing tokens, disabling tokens, etc. To make use of all of its capabilities, consider using `curl`."
 msgstr ""
 #: ../../../docs/configuring-playbook-matrix-registration.md:86
 msgid "We make the most common APIs easy to use via the playbook (see below)."
 msgstr ""
 #: ../../../docs/configuring-playbook-matrix-registration.md:88
 msgid "Creating registration tokens"
 msgstr ""
 #: ../../../docs/configuring-playbook-matrix-registration.md:90
 msgid "To **create a new user registration token (link)**, use this command:"
 msgstr ""
 #: ../../../docs/configuring-playbook-matrix-registration.md:98
 msgid "The above command creates and returns a **one-time use** token, which **expires** on the 31st of December 2021. Adjust the `one_time` and `ex_date` variables as you see fit."
 msgstr ""
 #: ../../../docs/configuring-playbook-matrix-registration.md:100
 msgid "Share the unique registration link (generated by the command above) with users to let them register on your Matrix server."
 msgstr ""
 #: ../../../docs/configuring-playbook-matrix-registration.md:102
 msgid "Listing registration tokens"
 msgstr ""
 #: ../../../docs/configuring-playbook-matrix-registration.md:104
 msgid "To **list the existing user registration tokens**, use this command:"
 msgstr ""
 #: ../../../docs/configuring-playbook-matrix-registration.md:111
 msgid "The shortcut command with `just` program is also available: `just run-tags list-matrix-registration-tokens`"
 msgstr ""
 #: ../../../docs/configuring-playbook-matrix-registration.md:113
 msgid "Troubleshooting"
 msgstr ""
 #: ../../../docs/configuring-playbook-matrix-registration.md:115
 msgid "As with all other services, you can find the logs in [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) by logging in to the server with SSH and running `journalctl -fu matrix-registration`."
 msgstr ""
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-04-15 09:10+0000\n"
+"POT-Creation-Date: 2026-05-19 07:40+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -56,8 +56,8 @@ msgstr ""
 msgid "A client compatible with Element Call. As of 2025-03-15, that's just [Element Web](configuring-playbook-client-element-web.md) and the Element X mobile clients (iOS and Android)."
 msgstr ""
-#: ../../../docs/configuring-playbook-matrix-rtc.md:24
+#: ../../../docs/configuring-playbook-matrix-rtc.md:25
-msgid "[!WARNING]  Because Element Call [requires](https://github.com/element-hq/element-call/blob/93ae2aed9841e0b066d515c56bd4c122d2b591b2/docs/self-hosting.md#a-matrix-homeserver) a few experimental features in the Matrix protocol, it's **very likely that it only works with the Synapse homeserver**."
+msgid "Because Element Call [requires](https://github.com/element-hq/element-call/blob/93ae2aed9841e0b066d515c56bd4c122d2b591b2/docs/self-hosting.md#a-matrix-homeserver) a few experimental features in the Matrix protocol, it's **very likely that it only works with the Synapse homeserver**."
 msgstr ""
 #: ../../../docs/configuring-playbook-matrix-rtc.md:27
@@ -77,29 +77,41 @@ msgid "In addition to the HTTP/HTTPS ports (which you've already exposed as per
 msgstr ""
 #: ../../../docs/configuring-playbook-matrix-rtc.md:41
-msgid "Installing"
+msgid "Fronting the integrated reverse-proxy with another reverse-proxy"
 msgstr ""
 #: ../../../docs/configuring-playbook-matrix-rtc.md:43
 msgid "If you're [fronting the integrated reverse-proxy webserver with another reverse-proxy](configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) (e.g. nginx), it needs to forward WebSocket traffic for [LiveKit Server](configuring-playbook-livekit-server.md) at the `/livekit-server/` path. Without that, Matrix RTC calls will not work."
 msgstr ""
 #: ../../../docs/configuring-playbook-matrix-rtc.md:45
 msgid "See [`examples/reverse-proxies/nginx/matrix.conf`](../examples/reverse-proxies/nginx/matrix.conf) for an nginx example."
 msgstr ""
 #: ../../../docs/configuring-playbook-matrix-rtc.md:47
 msgid "Installing"
 msgstr ""
 #: ../../../docs/configuring-playbook-matrix-rtc.md:49
 msgid "After configuring the playbook and potentially [adjusting your DNS records](#adjusting-dns-records) and [adjusting firewall rules](#adjusting-firewall-rules), run the playbook with [playbook tags](playbook-tags.md) as below:"
 msgstr ""
-#: ../../../docs/configuring-playbook-matrix-rtc.md:50
+#: ../../../docs/configuring-playbook-matrix-rtc.md:56
 msgid "The shortcut commands with the [`just` program](just.md) are also available: `just install-all` or `just setup-all`"
 msgstr ""
-#: ../../../docs/configuring-playbook-matrix-rtc.md:52
+#: ../../../docs/configuring-playbook-matrix-rtc.md:58
 msgid "`just install-all` is useful for maintaining your setup quickly ([2x-5x faster](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) than `just setup-all`) when its components remain unchanged. If you adjust your `vars.yml` to remove other components, you'd need to run `just setup-all`, or these components will still remain installed. Note these shortcuts run the `ensure-matrix-users-created` tag too."
 msgstr ""
-#: ../../../docs/configuring-playbook-matrix-rtc.md:54
+#: ../../../docs/configuring-playbook-matrix-rtc.md:60
 msgid "Usage"
 msgstr ""
-#: ../../../docs/configuring-playbook-matrix-rtc.md:56
+#: ../../../docs/configuring-playbook-matrix-rtc.md:62
 msgid "Once installed, Matrix clients which support Element Call (like [Element Web](configuring-playbook-client-element-web.md) and Element X on mobile (iOS and Android)) will automatically use the Matrix RTC stack."
 msgstr ""
-#: ../../../docs/configuring-playbook-matrix-rtc.md:58
+#: ../../../docs/configuring-playbook-matrix-rtc.md:64
 msgid "These clients typically embed the Element Call frontend UI within them, so installing [Element Call](configuring-playbook-element-call.md) is only necessary if you'd like to use it standalone - directly via a browser."
 msgstr ""
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-04-15 09:10+0000\n"
+"POT-Creation-Date: 2026-05-19 07:40+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -24,8 +24,8 @@ msgstr ""
 msgid "The playbook can install [Prometheus](https://prometheus.io/) with [Grafana](https://grafana.com/) and configure performance metrics of your homeserver with graphs for you."
 msgstr ""
-#: ../../../docs/configuring-playbook-prometheus-grafana.md:18
+#: ../../../docs/configuring-playbook-prometheus-grafana.md:19
-msgid "[!WARNING] Metrics and graphs contain a lot of information, and anyone who has access to them can make an educated guess about your server usage patterns. This especially applies to small personal/family scale homeservers, where the number of samples is fairly limited. Analyzing the metrics over time, one might be able to figure out your life cycle, such as when you wake up, go to bed, etc. Before enabling (anonymous) access, you should carefully evaluate the risk, and if you do enable it, it is highly recommended to change your Grafana password from the default one."
+msgid "Metrics and graphs contain a lot of information, and anyone who has access to them can make an educated guess about your server usage patterns. This especially applies to small personal/family scale homeservers, where the number of samples is fairly limited. Analyzing the metrics over time, one might be able to figure out your life cycle, such as when you wake up, go to bed, etc. Before enabling (anonymous) access, you should carefully evaluate the risk, and if you do enable it, it is highly recommended to change your Grafana password from the default one."
 msgstr ""
 #: ../../../docs/configuring-playbook-prometheus-grafana.md:21
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-04-15 09:10+0000\n"
+"POT-Creation-Date: 2026-05-19 07:40+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -64,8 +64,8 @@ msgstr ""
 msgid "The role also supports the legacy `traefik_dashboard_basicauth_user` / `traefik_dashboard_basicauth_password` convenience variables, but that path depends on the `passlib` Python library on the Ansible controller, may be affected by passlib/bcrypt compatibility issues, and generates non-deterministic hashes which can lead to unnecessary changes."
 msgstr ""
-#: ../../../docs/configuring-playbook-traefik.md:53
+#: ../../../docs/configuring-playbook-traefik.md:54
-msgid "[!WARNING] Enabling the dashboard on a hostname you use for something else (like `matrix_server_fqn_matrix` in the configuration above) may cause conflicts. Enabling the Traefik Dashboard makes Traefik capture all `/dashboard` and `/api` requests and forward them to itself. If any of the services hosted on the same hostname requires any of these 2 URL prefixes, you will experience problems. So far, we're not aware of any playbook services which occupy these endpoints and are likely to cause conflicts."
+msgid "Enabling the dashboard on a hostname you use for something else (like `matrix_server_fqn_matrix` in the configuration above) may cause conflicts. Enabling the Traefik Dashboard makes Traefik capture all `/dashboard` and `/api` requests and forward them to itself. If any of the services hosted on the same hostname requires any of these 2 URL prefixes, you will experience problems. So far, we're not aware of any playbook services which occupy these endpoints and are likely to cause conflicts."
 msgstr ""
 #: ../../../docs/configuring-playbook-traefik.md:56
@@ -145,8 +145,8 @@ msgstr ""
 msgid "With these changes, all TCP traffic will be reverse-proxied to the target system."
 msgstr ""
-#: ../../../docs/configuring-playbook-traefik.md:170
+#: ../../../docs/configuring-playbook-traefik.md:171
-msgid "[!WARNING] This configuration might lead to problems or need additional steps when a [certbot](https://certbot.eff.org/) behind Traefik also tries to manage [Let's Encrypt](https://letsencrypt.org/) certificates, as Traefik captures all traffic to ```PathPrefix(`/.well-known/acme-challenge/`)```."
+msgid "This configuration might lead to problems or need additional steps when a [certbot](https://certbot.eff.org/) behind Traefik also tries to manage [Let's Encrypt](https://letsencrypt.org/) certificates, as Traefik captures all traffic to ```PathPrefix(`/.well-known/acme-challenge/`)```."
 msgstr ""
 #: ../../../docs/configuring-playbook-traefik.md:173
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-04-15 09:10+0000\n"
+"POT-Creation-Date: 2026-05-19 07:40+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -92,8 +92,8 @@ msgstr ""
 msgid "If you'd like to rely on external IP address auto-detection (not recommended unless you need it), avoid configuring this variable. The playbook will automatically contact an [echoip](https://github.com/mpolden/echoip)-compatible service (`https://ifconfig.co/json` by default) to determine your server's IP address. This API endpoint is configurable via the `coturn_turn_external_ip_address_auto_detection_echoip_service_url` variable."
 msgstr ""
-#: ../../../docs/configuring-playbook-turn.md:57
+#: ../../../docs/configuring-playbook-turn.md:58
-msgid "[!NOTE] You can self-host the echoip service by using the [Mother-of-All-Self-Hosting (MASH)](https://github.com/mother-of-all-self-hosting/mash-playbook) Ansible playbook. See [this page](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/services/echoip.md) for the instruction to install it with the playbook. If you are wondering how to use it for your Matrix server, refer to [this page](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/setting-up-services-on-mdad-server.md) for the overview."
+msgid "You can self-host the echoip service by using the [Mother-of-All-Self-Hosting (MASH)](https://github.com/mother-of-all-self-hosting/mash-playbook) Ansible playbook. See [this page](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/services/echoip.md) for the instruction to install it with the playbook. If you are wondering how to use it for your Matrix server, refer to [this page](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/setting-up-services-on-mdad-server.md) for the overview."
 msgstr ""
 #: ../../../docs/configuring-playbook-turn.md:60
@@ -0,0 +1,269 @@
 # SOME DESCRIPTIVE TITLE.
 # Copyright (C) 2018-2026, Slavi Pantaleev, Aine Etke, MDAD community members
 # This file is distributed under the same license as the matrix-docker-ansible-deploy package.
 # FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
 #
 #, fuzzy
 msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2026-05-21 19:21+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 #: ../../../docs/configuring-playbook-tuwunel.md:8
 msgid "Configuring Tuwunel (optional)"
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:10
 msgid "The playbook can install and configure the [Tuwunel](https://matrix-construct.github.io/tuwunel/) Matrix homeserver for you."
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:12
 msgid "Tuwunel is a featureful homeserver written entirely in Rust, intended as a scalable, low-cost, enterprise-ready alternative to Synapse that fully implements the [Matrix specification](https://spec.matrix.org/latest/) for all but the most niche uses. It is the official successor to [conduwuit](configuring-playbook-conduwuit.md), is now sponsored by the government of Switzerland 🇨🇭 (where it is currently deployed for citizens), and is used by a number of organisations with a vested interest in its continued development. See the project's [documentation](https://matrix-construct.github.io/tuwunel/) for further background."
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:14
 msgid "By default, the playbook installs [Synapse](https://github.com/element-hq/synapse) as it's the only full-featured Matrix server at the moment. If that's okay, you can skip this document."
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:17
 msgid "**You can't switch an existing Matrix server's implementation** (e.g. Synapse → Tuwunel). Proceed below only if you're OK with starting over, or you're dealing with a server on a new domain name which hasn't participated in the Matrix federation yet. The one exception is migrating from conduwuit; see [Migrating from conduwuit](#migrating-from-conduwuit)."
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:18
 msgid "**Homeserver implementations other than Synapse may not be fully functional** with every part of this playbook. Make yourself familiar with the trade-offs before proceeding."
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:20
 msgid "Adjusting the playbook configuration"
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:22
 msgid "To use Tuwunel, set the following on `inventory/host_vars/matrix.example.com/vars.yml`:"
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:36
 msgid "The first user account that registers becomes a server admin and is automatically invited to the admin room. See [Creating the first user account](#creating-the-first-user-account) below for the bootstrap procedure."
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:38
 msgid "Wiring done for you"
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:40
 msgid "When `matrix_homeserver_implementation: tuwunel` is set, the playbook automatically integrates Tuwunel with the rest of your stack:"
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:42
 msgid "**Federation.** Toggled by `matrix_homeserver_federation_enabled`. The federation virtual host (port 8448 in the default setup) is wired up via Traefik labels."
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:43
 msgid "**Well-known.** `matrix_tuwunel_config_well_known_client` is set to your public homeserver URL whenever SSL is enabled. Matrix clients use this for delegated-domain server discovery; identity-provider entries below can also omit their `callback_url`, since Tuwunel derives `<well-known>/_matrix/client/unstable/login/sso/callback/<client_id>` automatically."
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:44
 msgid "**Element Call / MatrixRTC.** When the [LiveKit JWT service](configuring-playbook-matrix-rtc.md) is enabled, Tuwunel publishes its public URL through `.well-known/matrix/client` per [MSC4143](https://github.com/matrix-org/matrix-spec-proposals/pull/4143)."
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:45
 msgid "**Legacy calls (TURN).** When [Coturn](configuring-playbook-turn.md) is enabled, its URIs and shared secret (or username/password, depending on `coturn_authentication_method`) are wired automatically."
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:47
 msgid "Extending the configuration"
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:49
 msgid "Tuwunel exposes a large configuration surface. The role surfaces commonly used options as Ansible variables under `matrix_tuwunel_config_*`. See [`roles/custom/matrix-tuwunel/defaults/main.yml`](../roles/custom/matrix-tuwunel/defaults/main.yml) for the complete list, and [`roles/custom/matrix-tuwunel/templates/tuwunel.toml.j2`](../roles/custom/matrix-tuwunel/templates/tuwunel.toml.j2) for the rendered configuration."
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:51
 msgid "For options that aren't surfaced as a dedicated variable, [environment variables](https://matrix-construct.github.io/tuwunel/configuration.html#environment-variables) are the recommended override mechanism. They take priority over the rendered TOML, are scoped to the running container, and require no template patching:"
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:59
 msgid "Keys nested under a TOML section use `__` (double underscore) to descend, e.g. `TUWUNEL_WELL_KNOWN__SERVER`. User-named sections become path segments too: `TUWUNEL_STORAGE_PROVIDER__ARCHIVE__S3__URL` overrides the `url` field of the `archive` storage provider in the example below."
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:61
 msgid "If you need wholesale control of the configuration file, copy [`roles/custom/matrix-tuwunel/templates/tuwunel.toml.j2`](../roles/custom/matrix-tuwunel/templates/tuwunel.toml.j2) into your inventory and point `matrix_tuwunel_template_tuwunel_config` at your copy."
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:63
 msgid "The container image published as `:latest` is built with `io_uring`, `jemalloc`, LDAP, blurhashing, URL preview, sentry telemetry, and zstd compression all enabled, so most opt-in features are simply a configuration toggle away."
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:65
 msgid "Identity providers (OAuth2 / OIDC)"
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:67
 msgid "Configure one or more `[[global.identity_provider]]` entries via a list. Each entry maps directly to Tuwunel's [identity-provider fields](https://matrix-construct.github.io/tuwunel/authentication/providers.html); only the fields you set are emitted. GitHub, GitLab, and Google have built-in `issuer_url` defaults so a `client_id` plus `client_secret` is enough; for any other `brand` (Apple, Facebook, Keycloak, MAS, Twitter, etc.) you must supply `issuer_url` explicitly:"
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:82
 msgid "Self-hosted providers must supply both `client_id` and `issuer_url`. Set `trusted: true` only on providers you operate yourself; trusting a public provider (GitHub, Google, etc.) is an account-takeover risk."
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:84
 msgid "LDAP"
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:86
 msgid "Tuwunel can authenticate `m.login.password` requests against an LDAP directory and, in search-then-bind mode, keep admin status in sync with directory membership. The shipped image already includes the `ldap` build feature."
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:98
 msgid "`bind_password_file` is read **inside the container**. The role bind-mounts `/matrix/tuwunel/config` to `/etc/tuwunel` (read-only) and `/matrix/tuwunel/data` to `/var/lib/tuwunel`. To make the file available at the path above, drop it on the host at `/matrix/tuwunel/config/ldap.pw` (owned by `matrix:matrix`) before running the playbook; the role does not template secret files for you."
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:100
 msgid "For direct-bind, anonymous-search, and admin-sync details, see [LDAP authentication](https://matrix-construct.github.io/tuwunel/authentication/ldap.html)."
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:102
 msgid "JWT login"
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:104
 msgid "Tuwunel can accept signed JSON Web Tokens both as a login flow and as a User-Interactive Authentication step:"
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:115
 msgid "The defaults match Synapse's `experimental_features.jwt_config` semantics, so a key + algorithm port should authenticate the same set of tokens. See [Enterprise JWT](https://matrix-construct.github.io/tuwunel/authentication/jwt.html) for the full reference, including the asymmetric (ECDSA / EdDSA) formats and the operator-controlled UIAA override flow."
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:117
 msgid "Media storage providers"
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:119
 msgid "Each entry becomes a `[global.storage_provider.<id>.<kind>]` block. `kind` is `local` or `s3`; the remaining keys map directly to the fields documented in [Storage providers](https://matrix-construct.github.io/tuwunel/media/storage.html):"
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:136
 msgid "The S3 backend ships with native multipart upload, so no goofys/rclone sidecar is required. MinIO, Cloudflare R2, and DigitalOcean Spaces all work; set `endpoint` and `use_vhost_request: false` as appropriate."
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:139
 msgid "Local provider paths must live under `/var/lib/tuwunel` (the container's data mount, persisted on the host at `/matrix/tuwunel/data`), or you must mount the target directory into the container yourself via `matrix_tuwunel_container_extra_arguments`. The container otherwise runs read-only."
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:141
 msgid "RocksDB and cache tuning"
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:143
 msgid "Tuwunel embeds RocksDB. The defaults (`rocksdb_compression_algo: zstd`) suit most deployments. For high-throughput servers you may want to enable direct I/O, raise parallelism, and configure a backup path:"
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:151
 msgid "`matrix_tuwunel_config_cache_capacity_modifier` is left empty by default, so Tuwunel picks a value (`1.0` since v1.7.0, with rebalanced per-cache sizes that already raise memory use). Set it to `2.0` only on small hosts with four or fewer cores; on larger machines the default is recommended."
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:153
 msgid "If you run on ZFS, the [Tuwunel maintenance guide](https://matrix-construct.github.io/tuwunel/maintenance.html#zfs) lists the dataset properties (`recordsize`, `primarycache`, `compression`, `atime`, `logbias`) and config flags (`rocksdb_direct_io`, `rocksdb_allow_fallocate`) you need to adjust to avoid severe write amplification."
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:155
 msgid "To enable Sentry crash reporting, set `matrix_tuwunel_config_sentry_enabled: true`."
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:157
 msgid "Federation gating"
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:159
 msgid "Tuwunel accepts regular-expression patterns at every level of remote-server filtering:"
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:170
 msgid "Tuwunel additionally implements [MSC4284 policy servers](https://github.com/matrix-org/matrix-spec-proposals/pull/4284) for room-level federation gating. The policy itself lives in room state, but enforcement is opt-in at the server level:"
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:177
 msgid "When enabled, rooms with a valid `m.room.policy` state event have outgoing events signed by the configured policy server before federation. Transient network or timeout failures fail open (with a warn log), so a policy-server outage will not silently take the room offline."
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:179
 msgid "Default room version"
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:181
 msgid "The role sets `default_room_version: '12'`, so newly created rooms default to Matrix [room version 12](https://github.com/matrix-org/matrix-spec-proposals/pull/4289) (\"Hydra\"). Override `matrix_tuwunel_config_default_room_version` if you need an earlier version for client compatibility."
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:183
 msgid "Creating the first user account"
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:185
 msgid "Unlike Synapse and Dendrite, Tuwunel does not register users from the command line or via the playbook. On first startup it logs a one-time-use registration token to its journal:"
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:192
 msgid "Use the token to create your first account from any client that supports token-gated registration (e.g. [Element Web](configuring-playbook-client-element-web.md)). The account is auto-promoted to admin and invited to the admin room together with the `@conduit:<server_name>` server bot. The bot keeps the legacy `conduit` localpart due to the project's lineage from Conduit."
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:194
 msgid "Configuring bridges and appservices"
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:196
 msgid "The playbook does not auto-register appservices for Tuwunel. After your bridge has produced its `registration.yaml` (e.g. `/matrix/mautrix-signal/bridge/registration.yaml`), register it manually by sending the contents to the admin room, prefixed with `!admin appservices register` and wrapped in a fenced code block:"
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:217
 msgid "Registrations stored this way are persisted in the database and survive restarts. Re-running the command with the same `id` replaces the existing entry. See [Application services](https://matrix-construct.github.io/tuwunel/appservices.html) for the full reference and admin commands."
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:219
 msgid "Migrating from conduwuit"
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:221
 msgid "Tuwunel is a \"binary swap\" for conduwuit; it reads conduwuit's RocksDB layout directly, so migration is a data move, not an export/import."
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:223
 msgid "Set `matrix_homeserver_implementation: tuwunel` on `vars.yml` and remove any `matrix_conduwuit_*` overrides."
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:224
 msgid "Run a full installation so that the new service is created and the old one removed (e.g. `just setup-all`)."
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:225
 msgid "Run `just run-tags tuwunel-migrate-from-conduwuit`."
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:227
 msgid "The migration stops `matrix-conduwuit.service`, copies `/matrix/conduwuit` into `/matrix/tuwunel`, renames the config file, and starts `matrix-tuwunel.service`. The freshly generated tuwunel data directory is preserved alongside as `/matrix/tuwunel_old` until you remove it manually."
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:230
 msgid "Migrating from any other Conduit derivative (Conduit itself, Continuwuity, or any other fork) is **not supported** and will corrupt your database. All Conduit forks share the same linear database version with no awareness of each other; switching between them produces unrecoverable damage. See the [upstream migration table](https://matrix-construct.github.io/tuwunel/#migrating-to-tuwunel)."
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:232
 msgid "Troubleshooting"
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:234
 msgid "As with all other services, the logs are available via [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html):"
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:240
 msgid "Logging verbosity is controlled by `matrix_tuwunel_config_log` in [`tracing-subscriber` env-filter syntax](https://docs.rs/tracing-subscriber/latest/tracing_subscriber/filter/struct.EnvFilter.html). The default (`info,state_res=warn`) is reasonable for production; for debugging, try `debug` or scope it tighter, e.g. `info,tuwunel_service::sending=debug`."
 msgstr ""
 #: ../../../docs/configuring-playbook-tuwunel.md:242
 msgid "For RocksDB-level issues, online backups, and offline backup procedures, see the [Tuwunel maintenance guide](https://matrix-construct.github.io/tuwunel/maintenance.html). For protocol-compliance state across MSCs, the spec, and Complement, the project's [compliance dashboard](https://matrix-construct.github.io/tuwunel/development/compliance.html) is the authoritative tracker."
 msgstr ""
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-13 10:32+0000\n"
+"POT-Creation-Date: 2026-05-19 07:40+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -100,8 +100,8 @@ msgstr ""
 msgid "UVS requires an access token as an admin user to verify RoomMembership and PowerLevel against `matrix_user_verification_service_uvs_homeserver_url`. Refer to the documentation on [how to obtain an access token](obtaining-access-tokens.md)."
 msgstr ""
-#: ../../../docs/configuring-playbook-user-verification-service.md:53
+#: ../../../docs/configuring-playbook-user-verification-service.md:54
-msgid "[!WARNING] Access tokens are sensitive information. Do not include them in any bug reports, messages, or logs. Do not share the access token with anyone."
+msgid "Access tokens are sensitive information. Do not include them in any bug reports, messages, or logs. Do not share the access token with anyone."
 msgstr ""
 #: ../../../docs/configuring-playbook-user-verification-service.md:56
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-04-03 11:56+0100\n"
+"POT-Creation-Date: 2026-05-19 07:40+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -97,111 +97,111 @@ msgid "[Configuring continuwuity](configuring-playbook-continuwuity.md), if you'
 msgstr ""
 #: ../../../docs/configuring-playbook.md:56
-msgid "[Configuring Dendrite](configuring-playbook-dendrite.md), if you've switched to the [Dendrite](https://matrix-org.github.io/dendrite) homeserver implementation"
+msgid "[Configuring Tuwunel](configuring-playbook-tuwunel.md), if you've switched to the [Tuwunel](https://matrix-construct.github.io/tuwunel/) homeserver implementation"
 msgstr ""
 #: ../../../docs/configuring-playbook.md:58
 msgid "[Configuring Dendrite](configuring-playbook-dendrite.md), if you've switched to the [Dendrite](https://matrix-org.github.io/dendrite) homeserver implementation"
 msgstr ""
 #: ../../../docs/configuring-playbook.md:60
 msgid "Server components:"
 msgstr ""
-#: ../../../docs/configuring-playbook.md:59
+#: ../../../docs/configuring-playbook.md:61
 msgid "[Using an external PostgreSQL server](configuring-playbook-external-postgres.md)"
 msgstr ""
-#: ../../../docs/configuring-playbook.md:61
+#: ../../../docs/configuring-playbook.md:63
 msgid "[Configuring a TURN server](configuring-playbook-turn.md) (advanced)"
 msgstr ""
-#: ../../../docs/configuring-playbook.md:63
+#: ../../../docs/configuring-playbook.md:65
 msgid "[Configuring the Traefik reverse-proxy](configuring-playbook-traefik.md) (advanced)"
 msgstr ""
-#: ../../../docs/configuring-playbook.md:65
+#: ../../../docs/configuring-playbook.md:67
 msgid "[Using your own webserver, instead of this playbook's Traefik reverse-proxy](configuring-playbook-own-webserver.md) (advanced)"
 msgstr ""
-#: ../../../docs/configuring-playbook.md:67
+#: ../../../docs/configuring-playbook.md:69
 msgid "[Adjusting SSL certificate retrieval](configuring-playbook-ssl-certificates.md) (advanced)"
 msgstr ""
-#: ../../../docs/configuring-playbook.md:69
+#: ../../../docs/configuring-playbook.md:71
 msgid "[Adjusting email-sending settings](configuring-playbook-email.md)"
 msgstr ""
-#: ../../../docs/configuring-playbook.md:71
+#: ../../../docs/configuring-playbook.md:73
 msgid "[Setting up Dynamic DNS](configuring-playbook-dynamic-dns.md)"
 msgstr ""
-#: ../../../docs/configuring-playbook.md:73
+#: ../../../docs/configuring-playbook.md:75
 msgid "Server connectivity:"
 msgstr ""
-#: ../../../docs/configuring-playbook.md:74
+#: ../../../docs/configuring-playbook.md:76
 msgid "[Enabling Telemetry for your Matrix server](configuring-playbook-telemetry.md)"
 msgstr ""
-#: ../../../docs/configuring-playbook.md:76
+#: ../../../docs/configuring-playbook.md:78
 msgid "[Controlling Matrix federation](configuring-playbook-federation.md)"
 msgstr ""
-#: ../../../docs/configuring-playbook.md:78
+#: ../../../docs/configuring-playbook.md:80
 msgid "[Configuring IPv6](./configuring-ipv6.md)"
 msgstr ""
-#: ../../../docs/configuring-playbook.md:80
+#: ../../../docs/configuring-playbook.md:82
 msgid "Clients"
 msgstr ""
-#: ../../../docs/configuring-playbook.md:82
+#: ../../../docs/configuring-playbook.md:84
 msgid "Web clients for Matrix that you can host on your own domains."
 msgstr ""
-#: ../../../docs/configuring-playbook.md:84
+#: ../../../docs/configuring-playbook.md:86
 msgid "[Configuring Element Web](configuring-playbook-client-element-web.md), if you're going with the default/recommended client"
 msgstr ""
-#: ../../../docs/configuring-playbook.md:86
+#: ../../../docs/configuring-playbook.md:88
 msgid "[Setting up Hydrogen](configuring-playbook-client-hydrogen.md), if you've enabled [Hydrogen](https://github.com/element-hq/hydrogen-web), a lightweight Matrix client with legacy and mobile browser support"
 msgstr ""
-#: ../../../docs/configuring-playbook.md:88
+#: ../../../docs/configuring-playbook.md:90
 msgid "[Setting up Cinny](configuring-playbook-client-cinny.md), if you've enabled [Cinny](https://github.com/ajbura/cinny), a web client focusing primarily on simple, elegant and secure interface"
 msgstr ""
-#: ../../../docs/configuring-playbook.md:90
+#: ../../../docs/configuring-playbook.md:92
 msgid "[Setting up Sable](configuring-playbook-client-sable.md), if you've enabled [Sable](https://github.com/7w1/sable), a web client focusing primarily on simple, elegant and secure interface"
 msgstr ""
-#: ../../../docs/configuring-playbook.md:92
+#: ../../../docs/configuring-playbook.md:94
 msgid "[Setting up SchildiChat Web](configuring-playbook-client-schildichat-web.md), if you've enabled [SchildiChat Web](https://schildi.chat/), a web client based on [Element Web](https://element.io/) with some extras and tweaks"
 msgstr ""
-#: ../../../docs/configuring-playbook.md:94
+#: ../../../docs/configuring-playbook.md:96
 msgid "[Setting up FluffyChat Web](configuring-playbook-client-fluffychat-web.md), if you've enabled [FluffyChat Web](https://github.com/krille-chan/fluffychat), a cute cross-platform messenger (web, iOS, Android) for Matrix written in [Flutter](https://flutter.dev/)"
 msgstr ""
-#: ../../../docs/configuring-playbook.md:97
+#: ../../../docs/configuring-playbook.md:99
 msgid "Authentication and user-related"
 msgstr ""
-#: ../../../docs/configuring-playbook.md:99
+#: ../../../docs/configuring-playbook.md:101
 msgid "Extend and modify how users are authenticated on your homeserver."
 msgstr ""
-#: ../../../docs/configuring-playbook.md:101
+#: ../../../docs/configuring-playbook.md:103
 msgid "[Setting up Matrix Authentication Service](configuring-playbook-matrix-authentication-service.md) (Next-generation auth for Matrix, based on OAuth 2.0/OIDC)"
 msgstr ""
-#: ../../../docs/configuring-playbook.md:103
+#: ../../../docs/configuring-playbook.md:105
 msgid "[Setting up Appservice Double Puppet](configuring-playbook-appservice-double-puppet.md)"
 msgstr ""
 #: ../../../docs/configuring-playbook.md:105
 msgid "[Setting up Ketesa](configuring-playbook-ketesa.md)"
 msgstr ""
 #: ../../../docs/configuring-playbook.md:107
-msgid "[Setting up matrix-registration](configuring-playbook-matrix-registration.md)"
+msgid "[Setting up Ketesa](configuring-playbook-ketesa.md)"
 msgstr ""
 #: ../../../docs/configuring-playbook.md:109
@@ -357,225 +357,233 @@ msgid "[Setting up Heisenbridge bouncer-style IRC bridging](configuring-playbook
 msgstr ""
 #: ../../../docs/configuring-playbook.md:185
-msgid "[Setting up WeChat bridging](configuring-playbook-bridge-wechat.md)"
+msgid "[Setting up a Matrix <-> Meshtastic bridge](configuring-playbook-bridge-meshtastic-relay.md)"
 msgstr ""
 #: ../../../docs/configuring-playbook.md:187
-msgid "Bots"
+msgid "[Setting up WeChat bridging](configuring-playbook-bridge-wechat.md)"
 msgstr ""
 #: ../../../docs/configuring-playbook.md:189
-msgid "Bots provide various additional functionality to your installation."
+msgid "Bots"
 msgstr ""
 #: ../../../docs/configuring-playbook.md:191
-msgid "[Setting up baibot](configuring-playbook-bot-baibot.md) — a bot through which you can talk to various [AI](https://en.wikipedia.org/wiki/Artificial_intelligence) / [Large Language Models](https://en.wikipedia.org/wiki/Large_language_model) services ([OpenAI](https://openai.com/)'s [ChatGPT](https://openai.com/blog/chatgpt/) and [others](https://github.com/etkecc/baibot/blob/main/docs/providers.md))"
+msgid "Bots provide various additional functionality to your installation."
 msgstr ""
 #: ../../../docs/configuring-playbook.md:193
-msgid "[Setting up matrix-reminder-bot](configuring-playbook-bot-matrix-reminder-bot.md) — a bot to remind you about stuff"
+msgid "[Setting up baibot](configuring-playbook-bot-baibot.md) — a bot through which you can talk to various [AI](https://en.wikipedia.org/wiki/Artificial_intelligence) / [Large Language Models](https://en.wikipedia.org/wiki/Large_language_model) services ([OpenAI](https://openai.com/)'s [ChatGPT](https://openai.com/blog/chatgpt/) and [others](https://github.com/etkecc/baibot/blob/main/docs/providers.md))"
 msgstr ""
 #: ../../../docs/configuring-playbook.md:195
-msgid "[Setting up matrix-registration-bot](configuring-playbook-bot-matrix-registration-bot.md) — a bot to create and manage registration tokens to invite users"
+msgid "[Setting up matrix-reminder-bot](configuring-playbook-bot-matrix-reminder-bot.md) — a bot to remind you about stuff"
 msgstr ""
 #: ../../../docs/configuring-playbook.md:197
-msgid "[Setting up maubot](configuring-playbook-bot-maubot.md) — a plugin-based Matrix bot system"
+msgid "[Setting up matrix-registration-bot](configuring-playbook-bot-matrix-registration-bot.md) — a bot to create and manage registration tokens to invite users"
 msgstr ""
 #: ../../../docs/configuring-playbook.md:199
-msgid "[Setting up Honoroit](configuring-playbook-bot-honoroit.md) — a helpdesk bot"
+msgid "[Setting up maubot](configuring-playbook-bot-maubot.md) — a plugin-based Matrix bot system"
 msgstr ""
 #: ../../../docs/configuring-playbook.md:201
-msgid "[Setting up Mjolnir](configuring-playbook-bot-mjolnir.md) — a moderation tool/bot"
+msgid "[Setting up Honoroit](configuring-playbook-bot-honoroit.md) — a helpdesk bot"
 msgstr ""
 #: ../../../docs/configuring-playbook.md:203
-msgid "[Setting up Draupnir](configuring-playbook-bot-draupnir.md) — a moderation tool/bot, forked from Mjolnir and maintained by its former leader developer"
+msgid "[Setting up Mjolnir](configuring-playbook-bot-mjolnir.md) — a moderation tool/bot"
 msgstr ""
 #: ../../../docs/configuring-playbook.md:205
-msgid "[Setting up Draupnir for all/D4A](configuring-playbook-appservice-draupnir-for-all.md) — like the [Draupnir bot](configuring-playbook-bot-draupnir.md) mentioned above, but running in appservice mode and supporting multiple instances"
+msgid "[Setting up Draupnir](configuring-playbook-bot-draupnir.md) — a moderation tool/bot, forked from Mjolnir and maintained by its former leader developer"
 msgstr ""
 #: ../../../docs/configuring-playbook.md:207
-msgid "[Setting up Buscarron](configuring-playbook-bot-buscarron.md) — a bot you can use to send any form (HTTP POST, HTML) to a (encrypted) Matrix room"
+msgid "[Setting up Draupnir for all/D4A](configuring-playbook-appservice-draupnir-for-all.md) — like the [Draupnir bot](configuring-playbook-bot-draupnir.md) mentioned above, but running in appservice mode and supporting multiple instances"
 msgstr ""
 #: ../../../docs/configuring-playbook.md:209
-msgid "Administration"
+msgid "[Setting up Buscarron](configuring-playbook-bot-buscarron.md) — a bot you can use to send any form (HTTP POST, HTML) to a (encrypted) Matrix room"
 msgstr ""
 #: ../../../docs/configuring-playbook.md:211
-msgid "Services that help you in administrating and monitoring your Matrix installation."
+msgid "Administration"
 msgstr ""
 #: ../../../docs/configuring-playbook.md:213
-msgid "[Setting up Prometheus Alertmanager integration via matrix-alertmanager-receiver](configuring-playbook-alertmanager-receiver.md)"
+msgid "Services that help you in administrating and monitoring your Matrix installation."
 msgstr ""
 #: ../../../docs/configuring-playbook.md:215
-msgid "[Enabling metrics and graphs (Prometheus, Grafana) for your Matrix server](configuring-playbook-prometheus-grafana.md)"
+msgid "[Setting up Prometheus Alertmanager integration via matrix-alertmanager-receiver](configuring-playbook-alertmanager-receiver.md)"
 msgstr ""
 #: ../../../docs/configuring-playbook.md:217
-msgid "[Setting up the rageshake bug report server](configuring-playbook-rageshake.md)"
+msgid "[Enabling metrics and graphs (Prometheus, Grafana) for your Matrix server](configuring-playbook-prometheus-grafana.md)"
 msgstr ""
 #: ../../../docs/configuring-playbook.md:219
-msgid "[Enabling synapse-usage-exporter for Synapse usage statistics](configuring-playbook-synapse-usage-exporter.md)"
+msgid "[Setting up the rageshake bug report server](configuring-playbook-rageshake.md)"
 msgstr ""
 #: ../../../docs/configuring-playbook.md:221
 msgid "[Enabling synapse-usage-exporter for Synapse usage statistics](configuring-playbook-synapse-usage-exporter.md)"
 msgstr ""
 #: ../../../docs/configuring-playbook.md:223
 msgid "Backups:"
 msgstr ""
-#: ../../../docs/configuring-playbook.md:222
+#: ../../../docs/configuring-playbook.md:224
 msgid "[Setting up BorgBackup](configuring-playbook-backup-borg.md) — a full Matrix server backup solution, including the Postgres database"
 msgstr ""
-#: ../../../docs/configuring-playbook.md:224
+#: ../../../docs/configuring-playbook.md:226
 msgid "[Setting up Postgres backup](configuring-playbook-postgres-backup.md) — a Postgres-database backup solution (note: does not include other files)"
 msgstr ""
-#: ../../../docs/configuring-playbook.md:226
+#: ../../../docs/configuring-playbook.md:228
 msgid "Other specialized services"
 msgstr ""
-#: ../../../docs/configuring-playbook.md:228
+#: ../../../docs/configuring-playbook.md:230
 msgid "Various services that don't fit any other categories."
 msgstr ""
-#: ../../../docs/configuring-playbook.md:230
+#: ../../../docs/configuring-playbook.md:232
 msgid "[Setting up Element Call](configuring-playbook-element-call.md) — a native Matrix video conferencing application, built on top of the [Matrix RTC stack](configuring-playbook-matrix-rtc.md) (optional)"
 msgstr ""
-#: ../../../docs/configuring-playbook.md:232
+#: ../../../docs/configuring-playbook.md:234
 msgid "[Setting up LiveKit JWT Service](configuring-playbook-livekit-jwt-service.md) - a component of the [Matrix RTC stack](configuring-playbook-matrix-rtc.md) (optional)"
 msgstr ""
-#: ../../../docs/configuring-playbook.md:234
+#: ../../../docs/configuring-playbook.md:236
 msgid "[Setting up LiveKit Server](configuring-playbook-livekit-server.md) - a component of the [Matrix RTC stack](configuring-playbook-matrix-rtc.md) (optional)"
 msgstr ""
-#: ../../../docs/configuring-playbook.md:236
+#: ../../../docs/configuring-playbook.md:238
 msgid "[Setting up Matrix RTC](configuring-playbook-matrix-rtc.md) (optional)"
 msgstr ""
-#: ../../../docs/configuring-playbook.md:238
+#: ../../../docs/configuring-playbook.md:240
 msgid "[Setting up synapse-auto-compressor](configuring-playbook-synapse-auto-compressor.md) for compressing the database on Synapse homeservers"
 msgstr ""
-#: ../../../docs/configuring-playbook.md:240
+#: ../../../docs/configuring-playbook.md:242
 msgid "[Setting up Matrix Corporal](configuring-playbook-matrix-corporal.md) (advanced)"
 msgstr ""
-#: ../../../docs/configuring-playbook.md:242
+#: ../../../docs/configuring-playbook.md:244
 msgid "[Setting up Matrix.to](configuring-playbook-matrixto.md)"
 msgstr ""
-#: ../../../docs/configuring-playbook.md:244
+#: ../../../docs/configuring-playbook.md:246
 msgid "[Setting up Etherpad](configuring-playbook-etherpad.md)"
 msgstr ""
-#: ../../../docs/configuring-playbook.md:246
+#: ../../../docs/configuring-playbook.md:248
 msgid "[Setting up the Jitsi video-conferencing platform](configuring-playbook-jitsi.md)"
 msgstr ""
-#: ../../../docs/configuring-playbook.md:248
+#: ../../../docs/configuring-playbook.md:250
 msgid "[Setting up Cactus Comments](configuring-playbook-cactus-comments.md) — a federated comment system built on Matrix"
 msgstr ""
-#: ../../../docs/configuring-playbook.md:250
+#: ../../../docs/configuring-playbook.md:252
 msgid "[Setting up Pantalaimon (E2EE aware proxy daemon)](configuring-playbook-pantalaimon.md) (advanced)"
 msgstr ""
-#: ../../../docs/configuring-playbook.md:252
+#: ../../../docs/configuring-playbook.md:254
 msgid "[Setting up the Sygnal push gateway](configuring-playbook-sygnal.md)"
 msgstr ""
-#: ../../../docs/configuring-playbook.md:254
+#: ../../../docs/configuring-playbook.md:256
 msgid "[Setting up the ntfy push notifications server](configuring-playbook-ntfy.md)"
 msgstr ""
-#: ../../../docs/configuring-playbook.md:256
+#: ../../../docs/configuring-playbook.md:258
 msgid "Deprecated / unmaintained / removed services"
 msgstr ""
-#: ../../../docs/configuring-playbook.md:258
+#: ../../../docs/configuring-playbook.md:260
 msgid "**Note**: since a deprecated or unmaintained service will not be updated, its bug or vulnerability will be unlikely to get patched. It is recommended to migrate from the service to an alternative if any, and make sure to do your own research before you decide to keep it running nonetheless."
 msgstr ""
-#: ../../../docs/configuring-playbook.md:260
+#: ../../../docs/configuring-playbook.md:262
 msgid "[Configuring conduwuit](configuring-playbook-conduwuit.md) (removed; this component has been abandoned and unmaintained)"
 msgstr ""
-#: ../../../docs/configuring-playbook.md:262
+#: ../../../docs/configuring-playbook.md:264
 msgid "[Setting up the Sliding Sync proxy](configuring-playbook-sliding-sync-proxy.md) for clients which require Sliding Sync support (like old Element X versions, before it got switched to Simplified Sliding Sync)"
 msgstr ""
-#: ../../../docs/configuring-playbook.md:264
+#: ../../../docs/configuring-playbook.md:266
 msgid "[Setting up Appservice Slack bridging](configuring-playbook-bridge-appservice-slack.md) (removed; this component has been discontinued)"
 msgstr ""
-#: ../../../docs/configuring-playbook.md:266
+#: ../../../docs/configuring-playbook.md:268
 msgid "[Setting up Appservice Webhooks bridging](configuring-playbook-bridge-appservice-webhooks.md) (deprecated; the bridge's author suggests taking a look at [matrix-hookshot](https://github.com/matrix-org/matrix-hookshot) as a replacement, which can also be [installed using this playbook](configuring-playbook-bridge-hookshot.md))"
 msgstr ""
-#: ../../../docs/configuring-playbook.md:268
+#: ../../../docs/configuring-playbook.md:270
 msgid "[Setting up the Dimension integration manager](configuring-playbook-dimension.md) ([unmaintained](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2806#issuecomment-1673559299); after [installing](installing.md))"
 msgstr ""
-#: ../../../docs/configuring-playbook.md:270
+#: ../../../docs/configuring-playbook.md:272
 msgid "[Setting up Email2Matrix](configuring-playbook-email2matrix.md) (removed; the author suggests taking a look at [Postmoogle](https://github.com/etkecc/postmoogle) as a replacement, which can also be [installed using this playbook](configuring-playbook-bridge-postmoogle.md))"
 msgstr ""
-#: ../../../docs/configuring-playbook.md:272
+#: ../../../docs/configuring-playbook.md:274
 msgid "[Setting up Go-NEB](configuring-playbook-bot-go-neb.md) (unmaintained; the bridge's author suggests taking a look at [matrix-hookshot](https://github.com/matrix-org/matrix-hookshot) as a replacement, which can also be [installed using this playbook](configuring-playbook-bridge-hookshot.md))"
 msgstr ""
-#: ../../../docs/configuring-playbook.md:274
+#: ../../../docs/configuring-playbook.md:276
 msgid "[Setting up Go Skype Bridge bridging](configuring-playbook-bridge-go-skype-bridge.md) (removed; Skype has been discontinued since May 2025)"
 msgstr ""
-#: ../../../docs/configuring-playbook.md:276
+#: ../../../docs/configuring-playbook.md:278
 msgid "[Setting up ma1sd Identity Server](configuring-playbook-ma1sd.md) (removed; this component has been unmaintained for a long time, so it has been removed from the playbook.)"
 msgstr ""
-#: ../../../docs/configuring-playbook.md:278
+#: ../../../docs/configuring-playbook.md:280
 msgid "[Setting up matrix-bot-chatgpt](configuring-playbook-bot-chatgpt.md) (unmaintained; the bridge's author suggests taking a look at [baibot](https://github.com/etkecc/baibot) as a replacement, which can also be [installed using this playbook](configuring-playbook-bot-baibot.md))"
 msgstr ""
 #: ../../../docs/configuring-playbook.md:280
 msgid "[Setting up Mautrix Facebook bridging](configuring-playbook-bridge-mautrix-facebook.md) (deprecated in favor of the Messenger/Instagram bridge with [mautrix-meta-messenger](configuring-playbook-bridge-mautrix-meta-messenger.md))"
 msgstr ""
 #: ../../../docs/configuring-playbook.md:282
-msgid "[Setting up Mautrix Instagram bridging](configuring-playbook-bridge-mautrix-instagram.md) (deprecated in favor of the Messenger/Instagram bridge with [mautrix-meta-instagram](configuring-playbook-bridge-mautrix-meta-instagram.md))"
+msgid "[Setting up matrix-registration](configuring-playbook-matrix-registration.md) (removed; this component has been unmaintained)"
 msgstr ""
 #: ../../../docs/configuring-playbook.md:284
-msgid "[Setting up MX Puppet Discord bridging](configuring-playbook-bridge-mx-puppet-discord.md) (removed; this component has been unmaintained for a long time, so it has been removed from the playbook. Consider [setting up Mautrix Discord bridging](configuring-playbook-bridge-mautrix-discord.md))"
+msgid "[Setting up Mautrix Facebook bridging](configuring-playbook-bridge-mautrix-facebook.md) (deprecated in favor of the Messenger/Instagram bridge with [mautrix-meta-messenger](configuring-playbook-bridge-mautrix-meta-messenger.md))"
 msgstr ""
 #: ../../../docs/configuring-playbook.md:286
-msgid "[Setting up MX Puppet Instagram bridging](configuring-playbook-bridge-mx-puppet-instagram.md) (removed; this component has been unmaintained for a long time, so it has been removed from the playbook. Consider [setting up Instagram bridging via Mautrix Meta](configuring-playbook-bridge-mautrix-meta-instagram.md))"
+msgid "[Setting up Mautrix Instagram bridging](configuring-playbook-bridge-mautrix-instagram.md) (deprecated in favor of the Messenger/Instagram bridge with [mautrix-meta-instagram](configuring-playbook-bridge-mautrix-meta-instagram.md))"
 msgstr ""
 #: ../../../docs/configuring-playbook.md:288
-msgid "[Setting up MX Puppet Skype bridging](configuring-playbook-bridge-mx-puppet-skype.md) (removed; this component has been broken for a long time, so it has been removed from the playbook. Consider [setting up Go Skype Bridge bridging](configuring-playbook-bridge-go-skype-bridge.md))"
+msgid "[Setting up MX Puppet Discord bridging](configuring-playbook-bridge-mx-puppet-discord.md) (removed; this component has been unmaintained for a long time, so it has been removed from the playbook. Consider [setting up Mautrix Discord bridging](configuring-playbook-bridge-mautrix-discord.md))"
 msgstr ""
 #: ../../../docs/configuring-playbook.md:290
-msgid "[Setting up MX Puppet Slack bridging](configuring-playbook-bridge-mx-puppet-slack.md) (removed; this component has been unmaintained for a long time, so it has been removed from the playbook. Consider [setting up Mautrix Slack bridging](configuring-playbook-bridge-mautrix-slack.md))"
+msgid "[Setting up MX Puppet Instagram bridging](configuring-playbook-bridge-mx-puppet-instagram.md) (removed; this component has been unmaintained for a long time, so it has been removed from the playbook. Consider [setting up Instagram bridging via Mautrix Meta](configuring-playbook-bridge-mautrix-meta-instagram.md))"
 msgstr ""
 #: ../../../docs/configuring-playbook.md:292
-msgid "[Setting up MX Puppet Twitter bridging](configuring-playbook-bridge-mx-puppet-twitter.md) (removed; this component has been unmaintained for a long time, so it has been removed from the playbook. Consider [setting up Mautrix Twitter bridging](configuring-playbook-bridge-mautrix-twitter.md))"
+msgid "[Setting up MX Puppet Skype bridging](configuring-playbook-bridge-mx-puppet-skype.md) (removed; this component has been broken for a long time, so it has been removed from the playbook. Consider [setting up Go Skype Bridge bridging](configuring-playbook-bridge-go-skype-bridge.md))"
 msgstr ""
 #: ../../../docs/configuring-playbook.md:294
 msgid "[Setting up MX Puppet Slack bridging](configuring-playbook-bridge-mx-puppet-slack.md) (removed; this component has been unmaintained for a long time, so it has been removed from the playbook. Consider [setting up Mautrix Slack bridging](configuring-playbook-bridge-mautrix-slack.md))"
 msgstr ""
 #: ../../../docs/configuring-playbook.md:296
 msgid "[Setting up MX Puppet Twitter bridging](configuring-playbook-bridge-mx-puppet-twitter.md) (removed; this component has been unmaintained for a long time, so it has been removed from the playbook. Consider [setting up Mautrix Twitter bridging](configuring-playbook-bridge-mautrix-twitter.md))"
 msgstr ""
 #: ../../../docs/configuring-playbook.md:298
 msgid "[Setting up Synapse Auto Invite Accept](configuring-playbook-synapse-auto-accept-invite.md) (removed; since Synapse [v1.109.0](https://github.com/element-hq/synapse/releases/tag/v1.109.0) the same feature is available natively.)"
 msgstr ""
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-04-15 09:10+0000\n"
+"POT-Creation-Date: 2026-05-19 07:40+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -92,6 +92,18 @@ msgstr ""
 msgid "Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. continuwuity is a continuation of conduwuit."
 msgstr ""
 #: ../../../docs/container-images.md:0
 msgid "[Tuwunel](configuring-playbook-tuwunel.md)"
 msgstr ""
 #: ../../../docs/container-images.md:0
 msgid "[matrix-construct/tuwunel](https://ghcr.io/matrix-construct/tuwunel)"
 msgstr ""
 #: ../../../docs/container-images.md:0
 msgid "Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Tuwunel is the official successor to conduwuit."
 msgstr ""
 #: ../../../docs/container-images.md:0
 msgid "[Dendrite](configuring-playbook-dendrite.md)"
 msgstr ""
@@ -104,11 +116,11 @@ msgstr ""
 msgid "Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Dendrite is a second-generation Matrix homeserver written in Go, an alternative to Synapse."
 msgstr ""
-#: ../../../docs/container-images.md:33
+#: ../../../docs/container-images.md:34
 msgid "Clients"
 msgstr ""
-#: ../../../docs/container-images.md:35
+#: ../../../docs/container-images.md:36
 msgid "Web clients for Matrix that you can host on your own domains."
 msgstr ""
@@ -168,11 +180,11 @@ msgstr ""
 msgid "Based on Element Web, with a more traditional instant messaging experience"
 msgstr ""
-#: ../../../docs/container-images.md:45
+#: ../../../docs/container-images.md:46
 msgid "Server Components"
 msgstr ""
-#: ../../../docs/container-images.md:47
+#: ../../../docs/container-images.md:48
 msgid "Services that run on the server to make the various parts of your installation work."
 msgstr ""
@@ -272,11 +284,11 @@ msgstr ""
 msgid "JWT service for integrating [Element Call](./configuring-playbook-element-call.md) with [LiveKit Server](./configuring-playbook-livekit-server.md)"
 msgstr ""
-#: ../../../docs/container-images.md:60
+#: ../../../docs/container-images.md:61
 msgid "Authentication"
 msgstr ""
-#: ../../../docs/container-images.md:62
+#: ../../../docs/container-images.md:63
 msgid "Extend and modify how users are authenticated on your homeserver."
 msgstr ""
@@ -320,18 +332,6 @@ msgstr ""
 msgid "Proxy that handles Matrix registration requests and forwards them to LDAP"
 msgstr ""
 #: ../../../docs/container-images.md:0
 msgid "[matrix-registration](configuring-playbook-matrix-registration.md)"
 msgstr ""
 #: ../../../docs/container-images.md:0
 msgid "[zeratax/matrix-registration](https://hub.docker.com/r/devture/zeratax-matrix-registration/)"
 msgstr ""
 #: ../../../docs/container-images.md:0
 msgid "Simple python application to have a token based Matrix registration"
 msgstr ""
 #: ../../../docs/container-images.md:0
 msgid "[Matrix User Verification Service](configuring-playbook-user-verification-service.md)"
 msgstr ""
@@ -1144,6 +1144,18 @@ msgstr ""
 msgid "Accessing ChatGPT via your favourite Matrix client"
 msgstr ""
 #: ../../../docs/container-images.md:0
 msgid "[matrix-registration](configuring-playbook-matrix-registration.md)"
 msgstr ""
 #: ../../../docs/container-images.md:0
 msgid "[zeratax/matrix-registration](https://hub.docker.com/r/devture/zeratax-matrix-registration/)"
 msgstr ""
 #: ../../../docs/container-images.md:0
 msgid "Simple python application to have a token based Matrix registration"
 msgstr ""
 #: ../../../docs/container-images.md:0
 msgid "[mautrix-facebook](configuring-playbook-bridge-mautrix-facebook.md)"
 msgstr ""
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-13 10:32+0000\n"
+"POT-Creation-Date: 2026-05-07 11:16+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -57,7 +57,7 @@ msgid "**Note**: the changes below instruct you how to do this for a basic Synap
 msgstr ""
 #: ../../../docs/howto-srv-server-delegation.md:29
-msgid "if you're using another homeserver implementation (e.g. [Conduit](./configuring-playbook-conduit.md), [continuwuity](./configuring-playbook-continuwuity.md) or [Dendrite](./configuring-playbook-dendrite.md))"
+msgid "if you're using another homeserver implementation (e.g. [Conduit](./configuring-playbook-conduit.md), [continuwuity](./configuring-playbook-continuwuity.md), [Tuwunel](./configuring-playbook-tuwunel.md) or [Dendrite](./configuring-playbook-dendrite.md))"
 msgstr ""
 #: ../../../docs/howto-srv-server-delegation.md:30
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-04-15 09:10+0000\n"
+"POT-Creation-Date: 2026-05-19 07:40+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -49,7 +49,7 @@ msgid "or: a combination of `git pull` and `just roles` (or `make roles` if you
 msgstr ""
 #: ../../../docs/installing.md:30
-msgid "If you don't have either `just` tool or `make` program, you can run the `ansible-galaxy` tool directly: `rm -rf roles/galaxy; ansible-galaxy install -r requirements.yml -p roles/galaxy/ --force`"
+msgid "If you don't have either `just` tool or `make` program, you can run the `ansible-galaxy` tool directly after updating the playbook: `git pull; rm -rf roles/galaxy; ansible-galaxy install -r requirements.yml -p roles/galaxy/ --force`"
 msgstr ""
 #: ../../../docs/installing.md:32
@@ -112,8 +112,8 @@ msgstr ""
 msgid "To do the installation **without** starting services, run `ansible-playbook` with the `install-all` tag only:"
 msgstr ""
-#: ../../../docs/installing.md:70
+#: ../../../docs/installing.md:71
-msgid "[!WARNING] Do not run the just \"recipe\" `just install-all` instead, because it automatically starts services at the end of execution. See: [Difference between playbook tags and shortcuts](just.md#difference-between-playbook-tags-and-shortcuts)"
+msgid "Do not run the just \"recipe\" `just install-all` instead, because it automatically starts services at the end of execution. See: [Difference between playbook tags and shortcuts](just.md#difference-between-playbook-tags-and-shortcuts)"
 msgstr ""
 #: ../../../docs/installing.md:73
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-13 10:32+0000\n"
+"POT-Creation-Date: 2026-05-19 07:40+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -76,8 +76,8 @@ msgstr ""
 msgid "You can then proceed to write queries. Example: `SELECT COUNT(*) FROM users;`"
 msgstr ""
-#: ../../../docs/maintenance-postgres.md:38
+#: ../../../docs/maintenance-postgres.md:39
-msgid "[!WARNING] **Modifying the database directly (especially as services are running) is dangerous and may lead to irreversible database corruption.** When in doubt, consider [making a backup](#backing-up-postgresql)."
+msgid "**Modifying the database directly (especially as services are running) is dangerous and may lead to irreversible database corruption.** When in doubt, consider [making a backup](#backing-up-postgresql)."
 msgstr ""
 #: ../../../docs/maintenance-postgres.md:41
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-04-15 09:10+0000\n"
+"POT-Creation-Date: 2026-05-19 07:40+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -60,8 +60,8 @@ msgstr ""
 msgid "To make use of this Synapse Admin API, **you'll need an admin access token** first. Refer to the documentation on [how to obtain an access token](obtaining-access-tokens.md)."
 msgstr ""
-#: ../../../docs/maintenance-synapse.md:30
+#: ../../../docs/maintenance-synapse.md:31
-msgid "[!WARNING] Access tokens are sensitive information. Do not include them in any bug reports, messages, or logs. Do not share the access token with anyone."
+msgid "Access tokens are sensitive information. Do not include them in any bug reports, messages, or logs. Do not share the access token with anyone."
 msgstr ""
 #: ../../../docs/maintenance-synapse.md:33
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-13 10:32+0000\n"
+"POT-Creation-Date: 2026-05-07 11:16+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -73,7 +73,7 @@ msgid "or: a combination of `git pull` and `just roles` (or `make roles` if you
 msgstr ""
 #: ../../../docs/maintenance-upgrading-services.md:39
-msgid "If you don't have either `just` tool or `make` program, you can run the `ansible-galaxy` tool directly: `rm -rf roles/galaxy; ansible-galaxy install -r requirements.yml -p roles/galaxy/ --force`"
+msgid "If you don't have either `just` tool or `make` program, you can run the `ansible-galaxy` tool directly after updating the playbook: `git pull; rm -rf roles/galaxy; ansible-galaxy install -r requirements.yml -p roles/galaxy/ --force`"
 msgstr ""
 #: ../../../docs/maintenance-upgrading-services.md:41
@@ -81,45 +81,69 @@ msgid "**Note**: for details about `just` commands, take a look at: [Running `ju
 msgstr ""
 #: ../../../docs/maintenance-upgrading-services.md:43
-msgid "Re-run the playbook setup"
+msgid "Acknowledge breaking changes if any"
 msgstr ""
 #: ../../../docs/maintenance-upgrading-services.md:45
-msgid "After updating the Ansible roles, then re-run the [playbook setup](installing.md#maintaining-your-setup-in-the-future) and restart all services:"
+msgid "The playbook uses a migration validation system that ensures you are aware of breaking changes before they'll affect your deployment. If there is one, you are required to acknowledge each breaking change."
 msgstr ""
 #: ../../../docs/maintenance-upgrading-services.md:47
 msgid "Whenever a breaking change is introduced, the playbook will:"
 msgstr ""
 #: ../../../docs/maintenance-upgrading-services.md:49
 msgid "bump its expected version value (`matrix_playbook_migration_expected_version`), causing a discrepancy with what you validated (`matrix_playbook_migration_validated_version`)"
 msgstr ""
 #: ../../../docs/maintenance-upgrading-services.md:51
-msgid "If you remove components from `vars.yml`, or if we switch some component from being installed by default to not being installed by default anymore, you'd need to run the setup command with the `setup-all` tag as below:"
+msgid "fail when you run it with a helpful message listing what changed and linking to the relevant changelog entries"
 msgstr ""
 #: ../../../docs/maintenance-upgrading-services.md:53
 msgid "After reviewing and adapting your setup, update the variable to the new version."
 msgstr ""
 #: ../../../docs/maintenance-upgrading-services.md:55
 msgid "Re-run the playbook setup"
 msgstr ""
 #: ../../../docs/maintenance-upgrading-services.md:57
-msgid "**Notes**:"
+msgid "After updating the Ansible roles and the variable for the validation system when necessary, re-run the [playbook setup](installing.md#maintaining-your-setup-in-the-future) and restart all services:"
 msgstr ""
 #: ../../../docs/maintenance-upgrading-services.md:59
 msgid "The `ensure-matrix-users-created` playbook tag makes the playbook automatically create the bot's user account, if any."
 msgstr ""
 #: ../../../docs/maintenance-upgrading-services.md:61
 msgid "Our estimation is that running `--tags=install-all,start` is approximately from **2 to 5 times faster** than running `setup-all,ensure-matrix-users-created,start`. See [this entry](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) on `CHANGELOG.md` for more information."
 msgstr ""
 #: ../../../docs/maintenance-upgrading-services.md:63
-msgid "The shortcut commands with the [`just` program](just.md) are also available: `just install-all` or `just setup-all`. Note these shortcuts run the `ensure-matrix-users-created` tag too."
+msgid "If you remove components from `vars.yml`, or if we switch some component from being installed by default to not being installed by default anymore, you'd need to run the setup command with the `setup-all` tag as below:"
 msgstr ""
 #: ../../../docs/maintenance-upgrading-services.md:65
 msgid "See [this page on the playbook tags](playbook-tags.md) for more information about those tags."
 msgstr ""
 #: ../../../docs/maintenance-upgrading-services.md:67
 msgid "PostgreSQL major version upgrade"
 msgstr ""
 #: ../../../docs/maintenance-upgrading-services.md:69
-msgid "Major version upgrades to the internal PostgreSQL database are not done automatically. Upgrades must be performed manually."
+msgid "**Notes**:"
 msgstr ""
 #: ../../../docs/maintenance-upgrading-services.md:71
 msgid "The `ensure-matrix-users-created` playbook tag makes the playbook automatically create the bot's user account, if any."
 msgstr ""
 #: ../../../docs/maintenance-upgrading-services.md:73
 msgid "Our estimation is that running `--tags=install-all,start` is approximately from **2 to 5 times faster** than running `setup-all,ensure-matrix-users-created,start`. See [this entry](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) on `CHANGELOG.md` for more information."
 msgstr ""
 #: ../../../docs/maintenance-upgrading-services.md:75
 msgid "The shortcut commands with the [`just` program](just.md) are also available: `just install-all` or `just setup-all`. Note these shortcuts run the `ensure-matrix-users-created` tag too."
 msgstr ""
 #: ../../../docs/maintenance-upgrading-services.md:77
 msgid "See [this page on the playbook tags](playbook-tags.md) for more information about those tags."
 msgstr ""
 #: ../../../docs/maintenance-upgrading-services.md:79
 msgid "PostgreSQL major version upgrade"
 msgstr ""
 #: ../../../docs/maintenance-upgrading-services.md:81
 msgid "Major version upgrades to the internal PostgreSQL database are not done automatically. Upgrades must be performed manually."
 msgstr ""
 #: ../../../docs/maintenance-upgrading-services.md:83
 msgid "For details about upgrading it, refer to the [upgrading PostgreSQL guide](maintenance-postgres.md#upgrading-postgresql)."
 msgstr ""
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-13 10:32+0000\n"
+"POT-Creation-Date: 2026-05-19 07:40+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -24,8 +24,8 @@ msgstr ""
 msgid "When setting up some optional features like bots and bridges you will need to provide an access token for some user. This document provides documentation on how to obtain such an access token."
 msgstr ""
-#: ../../../docs/obtaining-access-tokens.md:14
+#: ../../../docs/obtaining-access-tokens.md:15
-msgid "[!WARNING] Access tokens are sensitive information. Do not include them in any bug reports, messages, or logs. Do not share the access token with anyone."
+msgid "Access tokens are sensitive information. Do not include them in any bug reports, messages, or logs. Do not share the access token with anyone."
 msgstr ""
 #: ../../../docs/obtaining-access-tokens.md:17
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-13 10:32+0000\n"
+"POT-Creation-Date: 2026-05-07 11:16+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -289,7 +289,7 @@ msgid "or: a combination of `git pull` and `just roles` (or `make roles` if you
 msgstr ""
 #: ../../../docs/quick-start.md:122
-msgid "If you don't have either `just` tool or `make` program, you can run the `ansible-galaxy` tool directly: `rm -rf roles/galaxy; ansible-galaxy install -r requirements.yml -p roles/galaxy/ --force`"
+msgid "If you don't have either `just` tool or `make` program, you can run the `ansible-galaxy` tool directly after updating the playbook: `git pull; rm -rf roles/galaxy; ansible-galaxy install -r requirements.yml -p roles/galaxy/ --force`"
 msgstr ""
 #: ../../../docs/quick-start.md:124
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-04-03 11:56+0100\n"
+"POT-Creation-Date: 2026-05-19 07:40+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -57,7 +57,7 @@ msgid "Registering users manually"
 msgstr ""
 #: ../../../docs/registering-users.md:25
-#: ../../../docs/registering-users.md:127
+#: ../../../docs/registering-users.md:123
 msgid "**Notes**:"
 msgstr ""
@@ -97,8 +97,8 @@ msgstr ""
 msgid "Feel free to register as many users (for friends, family, etc.) as you want. Still, perhaps you should grant full administrative access to your user account only (with `admin=yes`), and others should be created with `admin=no`."
 msgstr ""
-#: ../../../docs/registering-users.md:54
+#: ../../../docs/registering-users.md:55
-msgid "[!WARNING] If you're registering users against Matrix Authentication Service, do note that it [still insists](https://github.com/element-hq/matrix-authentication-service/issues/1505) on having a verified email address for each user. Upon a user's first login, they will be asked to confirm their email address. This requires that email sending is [configured](./configuring-playbook-email.md). You can also consult the [Working around email deliverability issues](./configuring-playbook-matrix-authentication-service.md#working-around-email-deliverability-issues) section for more information."
+msgid "If you're registering users against Matrix Authentication Service, do note that it [still insists](https://github.com/element-hq/matrix-authentication-service/issues/1505) on having a verified email address for each user. Upon a user's first login, they will be asked to confirm their email address. This requires that email sending is [configured](./configuring-playbook-email.md). You can also consult the [Working around email deliverability issues](./configuring-playbook-matrix-authentication-service.md#working-around-email-deliverability-issues) section for more information."
 msgstr ""
 #: ../../../docs/registering-users.md:57
@@ -129,8 +129,8 @@ msgstr ""
 msgid "This `register-user` script actually invokes the `mas-cli manage register-user` command under the hood. If you'd like more control over the registration process, consider invoking the `mas-cli` command directly:"
 msgstr ""
-#: ../../../docs/registering-users.md:93
+#: ../../../docs/registering-users.md:94
-msgid "[!WARNING] Matrix Authentication Service [still insists](https://github.com/element-hq/matrix-authentication-service/issues/1505) on having a verified email address for each user. Upon a user's first login, they will be asked to confirm their email address. This requires that email sending is [configured](./configuring-playbook-email.md). You can also consult the [Working around email deliverability issues](./configuring-playbook-matrix-authentication-service.md#working-around-email-deliverability-issues) section for more information."
+msgid "Matrix Authentication Service [still insists](https://github.com/element-hq/matrix-authentication-service/issues/1505) on having a verified email address for each user. Upon a user's first login, they will be asked to confirm their email address. This requires that email sending is [configured](./configuring-playbook-email.md). You can also consult the [Working around email deliverability issues](./configuring-playbook-matrix-authentication-service.md#working-around-email-deliverability-issues) section for more information."
 msgstr ""
 #: ../../../docs/registering-users.md:96
@@ -142,97 +142,89 @@ msgid "To manage users and your homeserver more easily (via a web interface), yo
 msgstr ""
 #: ../../../docs/registering-users.md:100
 msgid "Letting certain users register on your private server"
 msgstr ""
 #: ../../../docs/registering-users.md:102
 msgid "If you'd rather **keep your server private** (public registration closed, as is the default), and **let certain people create accounts by themselves** (instead of creating user accounts manually like this), consider installing and making use of [matrix-registration](configuring-playbook-matrix-registration.md)."
 msgstr ""
 #: ../../../docs/registering-users.md:104
 msgid "Enabling public user registration"
 msgstr ""
-#: ../../../docs/registering-users.md:106
+#: ../../../docs/registering-users.md:102
 msgid "To **open up user registration publicly** (usually **not recommended**), add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:"
 msgstr ""
-#: ../../../docs/registering-users.md:108
+#: ../../../docs/registering-users.md:104
 msgid "For Synapse:"
 msgstr ""
-#: ../../../docs/registering-users.md:114
+#: ../../../docs/registering-users.md:110
 msgid "For Dendrite:"
 msgstr ""
-#: ../../../docs/registering-users.md:120
+#: ../../../docs/registering-users.md:116
 msgid "After configuring the playbook, run it with [playbook tags](playbook-tags.md) as below:"
 msgstr ""
-#: ../../../docs/registering-users.md:129
+#: ../../../docs/registering-users.md:125
 msgid "The shortcut commands with the [`just` program](just.md) are also available: `just install-all` or `just setup-all`"
 msgstr ""
-#: ../../../docs/registering-users.md:131
+#: ../../../docs/registering-users.md:127
 msgid "`just install-all` is useful for maintaining your setup quickly ([2x-5x faster](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) than `just setup-all`) when its components remain unchanged. If you adjust your `vars.yml` to remove other components, you'd need to run `just setup-all`, or these components will still remain installed. Note these shortcuts run the `ensure-matrix-users-created` tag too."
 msgstr ""
-#: ../../../docs/registering-users.md:133
+#: ../../../docs/registering-users.md:129
 msgid "If you're opening up registrations publicly like this, you might also wish to [configure CAPTCHA protection](configuring-captcha.md)."
 msgstr ""
-#: ../../../docs/registering-users.md:135
+#: ../../../docs/registering-users.md:131
 msgid "Adding/Removing Administrator privileges to an existing user"
 msgstr ""
-#: ../../../docs/registering-users.md:137
+#: ../../../docs/registering-users.md:133
 msgid "Adding/Removing Administrator privileges to an existing user in Synapse"
 msgstr ""
-#: ../../../docs/registering-users.md:139
+#: ../../../docs/registering-users.md:135
 msgid "To change the admin privileges for a user in Synapse's local database, you need to run an SQL query like this against the `synapse` database:"
 msgstr ""
-#: ../../../docs/registering-users.md:145
+#: ../../../docs/registering-users.md:141
 msgid "where:"
 msgstr ""
-#: ../../../docs/registering-users.md:147
+#: ../../../docs/registering-users.md:143
 msgid "`ADMIN_VALUE` being either `0` (regular user) or `1` (admin)"
 msgstr ""
-#: ../../../docs/registering-users.md:148
+#: ../../../docs/registering-users.md:144
 msgid "`USER` and `example.com` pointing to a valid user on your server"
 msgstr ""
-#: ../../../docs/registering-users.md:150
+#: ../../../docs/registering-users.md:146
 msgid "If you're using the integrated Postgres server and not an [external Postgres server](configuring-playbook-external-postgres.md), you can launch a Postgres into the `synapse` database by:"
 msgstr ""
-#: ../../../docs/registering-users.md:152
+#: ../../../docs/registering-users.md:148
 msgid "running `/matrix/postgres/bin/cli` — to launch [`psql`](https://www.postgresql.org/docs/current/app-psql.html)"
 msgstr ""
-#: ../../../docs/registering-users.md:153
+#: ../../../docs/registering-users.md:149
 msgid "running `\\c synapse` — to change to the `synapse` database"
 msgstr ""
-#: ../../../docs/registering-users.md:155
+#: ../../../docs/registering-users.md:151
 msgid "You can then proceed to run the query above."
 msgstr ""
-#: ../../../docs/registering-users.md:157
+#: ../../../docs/registering-users.md:153
 msgid "**Note**: directly modifying the raw data of Synapse (or any other software) could cause the software to break. You've been warned!"
 msgstr ""
-#: ../../../docs/registering-users.md:159
+#: ../../../docs/registering-users.md:155
 msgid "Adding/Removing Administrator privileges to an existing user in Matrix Authentication Service"
 msgstr ""
-#: ../../../docs/registering-users.md:161
+#: ../../../docs/registering-users.md:157
 msgid "Promoting/demoting a user in Matrix Authentication Service can be done using the [`mas-cli`](./configuring-playbook-matrix-authentication-service.md#management) management tool's [`manage promote-admin`](https://element-hq.github.io/matrix-authentication-service/reference/cli/manage.html#manage-promote-admin) and [`manage demote-admin`](https://element-hq.github.io/matrix-authentication-service/reference/cli/manage.html#manage-demote-admin) commands. For example: `/matrix/matrix-authentication-service/bin/mas-cli manage promote-admin some.username`."
 msgstr ""
-#: ../../../docs/registering-users.md:163
+#: ../../../docs/registering-users.md:159
 msgid "You can also do it via the [MAS Admin API](https://element-hq.github.io/matrix-authentication-service/api/index.html)'s `POST /api/admin/v1/users/{id}/set-admin` endpoint."
 msgstr ""
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-04-03 12:09+0100\n"
+"POT-Creation-Date: 2026-05-19 07:40+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -69,81 +69,77 @@ msgid "`sable`"
 msgstr ""
 #: ../../../docs/self-building.md:34
 msgid "`matrix-registration`"
 msgstr ""
 #: ../../../docs/self-building.md:35
 msgid "`coturn`"
 msgstr ""
-#: ../../../docs/self-building.md:36
+#: ../../../docs/self-building.md:35
 msgid "`matrix-corporal`"
 msgstr ""
-#: ../../../docs/self-building.md:37
+#: ../../../docs/self-building.md:36
 msgid "`exim-relay`"
 msgstr ""
-#: ../../../docs/self-building.md:38
+#: ../../../docs/self-building.md:37
 msgid "`matrix-bridge-hookshot`"
 msgstr ""
-#: ../../../docs/self-building.md:39
+#: ../../../docs/self-building.md:38
 msgid "`matrix-bridge-appservice-irc`"
 msgstr ""
-#: ../../../docs/self-building.md:40
+#: ../../../docs/self-building.md:39
 msgid "`matrix-bridge-beeper-linkedin`"
 msgstr ""
-#: ../../../docs/self-building.md:41
+#: ../../../docs/self-building.md:40
 msgid "`matrix-bridge-mautrix-googlechat`"
 msgstr ""
-#: ../../../docs/self-building.md:42
+#: ../../../docs/self-building.md:41
 msgid "`matrix-bridge-mautrix-telegram`"
 msgstr ""
-#: ../../../docs/self-building.md:43
+#: ../../../docs/self-building.md:42
 msgid "`matrix-bridge-mautrix-signal`"
 msgstr ""
-#: ../../../docs/self-building.md:44
+#: ../../../docs/self-building.md:43
 msgid "`matrix-bridge-mautrix-gmessages`"
 msgstr ""
-#: ../../../docs/self-building.md:45
+#: ../../../docs/self-building.md:44
 msgid "`matrix-bridge-mautrix-whatsapp`"
 msgstr ""
-#: ../../../docs/self-building.md:46
+#: ../../../docs/self-building.md:45
 msgid "`matrix-bridge-mx-puppet-steam`"
 msgstr ""
-#: ../../../docs/self-building.md:47
+#: ../../../docs/self-building.md:46
 msgid "`matrix-bot-mjolnir`"
 msgstr ""
-#: ../../../docs/self-building.md:48
+#: ../../../docs/self-building.md:47
 msgid "`matrix-bot-honoroit`"
 msgstr ""
-#: ../../../docs/self-building.md:49
+#: ../../../docs/self-building.md:48
 msgid "`matrix-bot-matrix-reminder-bot`"
 msgstr ""
-#: ../../../docs/self-building.md:50
+#: ../../../docs/self-building.md:49
 msgid "`matrix-bot-maubot`"
 msgstr ""
-#: ../../../docs/self-building.md:51
+#: ../../../docs/self-building.md:50
 msgid "`matrix-pantalaimon`"
 msgstr ""
-#: ../../../docs/self-building.md:53
+#: ../../../docs/self-building.md:52
 msgid "Adding self-building support to other roles is welcome. Feel free to contribute!"
 msgstr ""
-#: ../../../docs/self-building.md:55
+#: ../../../docs/self-building.md:54
 msgid "If you'd like **to force self-building** even if an image is available for your architecture, look into the `matrix_*_self_build` variables provided by individual roles."
 msgstr ""
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-13 10:32+0000\n"
+"POT-Creation-Date: 2026-05-19 07:40+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -20,10 +20,6 @@ msgstr ""
 msgid "Uninstalling"
 msgstr ""
 #: ../../../docs/uninstalling.md:11
 msgid "[!WARNING]"
 msgstr ""
 #: ../../../docs/uninstalling.md:12
 msgid "If your server federates with others, make sure to **leave any federated rooms before nuking your Matrix server's data**. Otherwise, the next time you set up a Matrix server for this domain (regardless of the installation method you use), you'll encounter trouble federating."
 msgstr ""
@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later
 [tools]
-prek = "0.3.2"
+prek = "0.4.1"
 [settings]
 yes = true
@@ -1,23 +1,23 @@
 ---
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git
-  version: v1.0.0-6
+  version: v1.0.0-7
  name: auxiliary
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-backup_borg.git
-  version: v1.4.4-2.1.4-0
+  version: v1.4.4-2.1.4-1
  name: backup_borg
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-cinny.git
-  version: v4.11.1-1
+  version: v4.12.1-0
  name: cinny
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-container-socket-proxy.git
-  version: v0.4.2-4
+  version: v0.4.2-5
  name: container_socket_proxy
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-coturn.git
-  version: v4.9.0-1
+  version: v4.9.0-2
  name: coturn
  activation_prefix: coturn_
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-ddclient.git
-  version: v4.0.0-2
+  version: v4.0.0-3
  name: ddclient
  activation_prefix: ddclient_
 - src: git+https://github.com/geerlingguy/ansible-role-docker
@@ -27,25 +27,25 @@
  version: 542a2d68db4e9a8e9bb4b508052760b900c7dce6
  name: docker_sdk_for_python
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-etherpad.git
-  version: v2.6.1-6
+  version: v2.7.2-1
  name: etherpad
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-exim-relay.git
-  version: v4.99.1-r0-2-0
+  version: v4.99.1-r0-2-1
  name: exim_relay
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-grafana.git
-  version: v11.6.5-9
+  version: v11.6.5-10
  name: grafana
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-hydrogen.git
-  version: v0.5.1-3
+  version: v0.5.1-5
  name: hydrogen
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git
-  version: v10888-0
+  version: v10978-0
  name: jitsi
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-livekit-server.git
-  version: v1.10.1-0
+  version: v1.12.0-0
  name: livekit_server
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-ntfy.git
-  version: v2.21.0-1
+  version: v2.22.0-1
  name: ntfy
 - src: git+https://github.com/devture/com.devture.ansible.role.playbook_help.git
  version: ea8c5cc750c4e23d004c9a836dfd9eda82d45ff4
@@ -57,25 +57,25 @@
  version: dd6e15246b7a9a2d921e0b3f9cd8a4a917a1bb2f
  name: playbook_state_preserver
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-postgres.git
-  version: v18.3-4
+  version: v18.4-0
  name: postgres
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-postgres-backup.git
-  version: v18-2
+  version: v18-3
  name: postgres_backup
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git
-  version: v3.11.1-0
+  version: v3.11.3-1
  name: prometheus
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-nginxlog-exporter.git
-  version: v1.10.0-2
+  version: v1.10.0-3
  name: prometheus_nginxlog_exporter
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-node-exporter.git
-  version: v1.10.2-0
+  version: v1.10.2-1
  name: prometheus_node_exporter
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git
-  version: v0.19.1-3
+  version: v0.19.1-4
  name: prometheus_postgres_exporter
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-sable.git
-  version: v1.13.1-0
+  version: v1.16.1-0
  name: sable
 - src: git+https://github.com/devture/com.devture.ansible.role.systemd_docker_base.git
  version: v1.5.0-0
@@ -87,11 +87,11 @@
  version: v1.1.0-1
  name: timesync
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik.git
-  version: v3.6.13-0
+  version: v3.7.1-0
  name: traefik
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik-certs-dumper.git
-  version: v2.10.0-5
+  version: v2.10.0-7
  name: traefik_certs_dumper
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-valkey.git
-  version: v9.0.3-3
+  version: v9.1.0-0
  name: valkey
@@ -11,7 +11,7 @@
 matrix_alertmanager_receiver_enabled: true
 # renovate: datasource=docker depName=docker.io/metio/matrix-alertmanager-receiver
-matrix_alertmanager_receiver_version: 2026.4.15
+matrix_alertmanager_receiver_version: 2026.5.20
 matrix_alertmanager_receiver_scheme: https
@@ -32,7 +32,6 @@ matrix_alertmanager_receiver_container_src_path: "{{ matrix_alertmanager_receive
 matrix_alertmanager_receiver_container_image: "{{ matrix_alertmanager_receiver_container_image_registry_prefix }}metio/matrix-alertmanager-receiver:{{ matrix_alertmanager_receiver_container_image_tag }}"
 matrix_alertmanager_receiver_container_image_tag: "{{ matrix_alertmanager_receiver_version }}"
 matrix_alertmanager_receiver_container_image_force_pull: "{{ matrix_alertmanager_receiver_container_image.endswith(':main') }}"
 matrix_alertmanager_receiver_container_image_registry_prefix: "{{ matrix_alertmanager_receiver_container_image_registry_prefix_upstream }}"
 matrix_alertmanager_receiver_container_image_registry_prefix_upstream: "{{ matrix_alertmanager_receiver_container_image_registry_prefix_upstream_default }}"
 matrix_alertmanager_receiver_container_image_registry_prefix_upstream_default: "docker.io/"
@@ -42,11 +42,9 @@
  register: matrix_alertmanager_receiver_support_files_result
 - name: Ensure matrix-alertmanager-receiver container image is pulled
-  community.docker.docker_image:
+  community.docker.docker_image_pull:
    name: "{{ matrix_alertmanager_receiver_container_image }}"
-    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    pull: always
    force_source: "{{ matrix_alertmanager_receiver_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_alertmanager_receiver_container_image_force_pull }}"
  when: "not matrix_alertmanager_receiver_container_image_self_build | bool"
  register: matrix_alertmanager_receiver_container_image_pull_result
  retries: "{{ devture_playbook_help_container_retries_count }}"
@@ -24,6 +24,7 @@
  when: "lookup('ansible.builtin.varnames', ('^' + item.old + '$'), wantlist=True) | length > 0"
  with_items:
    - {'old': 'matrix_alertmanager_receiver_container_image_name_prefix', 'new': 'matrix_alertmanager_receiver_container_image_registry_prefix'}
    - {'old': 'matrix_alertmanager_receiver_container_image_force_pull', 'new': '<removed> (the new community.docker.docker_image_pull module handles this natively)'}
    - {'old': 'matrix_alertmanager_receiver_config_templating_computed_values', 'new': '<superseded by logic in the firing or resolved template; see https://github.com/metio/matrix-alertmanager-receiver/pull/94'}
    - {'old': 'matrix_alertmanager_receiver_config_templating_computed_values_auto', 'new': '<superseded by logic in the firing or resolved template; see https://github.com/metio/matrix-alertmanager-receiver/pull/94'}
    - {'old': 'matrix_alertmanager_receiver_config_templating_computed_values_custom', 'new': '<superseded by logic in the firing or resolved template; see https://github.com/metio/matrix-alertmanager-receiver/pull/94'}
@@ -12,7 +12,7 @@
 matrix_appservice_draupnir_for_all_enabled: true
 # renovate: datasource=docker depName=depName=ghcr.io/the-draupnir-project/draupnir
-matrix_appservice_draupnir_for_all_version: "v3.0.0"
+matrix_appservice_draupnir_for_all_version: "v3.1.0"
 matrix_appservice_draupnir_for_all_container_image_self_build: false
 matrix_appservice_draupnir_for_all_container_image_self_build_repo: "https://github.com/the-draupnir-project/Draupnir.git"
@@ -22,7 +22,6 @@ matrix_appservice_draupnir_for_all_container_image_registry_prefix_upstream: "{{
 matrix_appservice_draupnir_for_all_container_image_registry_prefix_upstream_default: "ghcr.io/"
 matrix_appservice_draupnir_for_all_container_image: "{{ matrix_appservice_draupnir_for_all_container_image_registry_prefix }}{{ matrix_appservice_draupnir_for_all_container_image_registry_namespace_identifier }}:{{ matrix_appservice_draupnir_for_all_version }}"
 matrix_appservice_draupnir_for_all_container_image_registry_namespace_identifier: "the-draupnir-project/draupnir"
 matrix_appservice_draupnir_for_all_container_image_force_pull: "{{ matrix_appservice_draupnir_for_all_container_image.endswith(':latest') }}"
 matrix_appservice_draupnir_for_all_base_path: "{{ matrix_base_data_path }}/draupnir-for-all"
 matrix_appservice_draupnir_for_all_config_path: "{{ matrix_appservice_draupnir_for_all_base_path }}/config"
@@ -47,14 +46,46 @@ matrix_appservice_draupnir_for_all_systemd_required_services_list_custom: []
 # List of systemd services that matrix-bot-draupnir.service wants
 matrix_appservice_draupnir_for_all_systemd_wanted_services_list: []
 # Rolling tag: true if version doesn't match semver shape (vX.Y.Z with optional prerelease/build), false otherwise.
 matrix_appservice_draupnir_for_all_rolling_tag: "{{ not (matrix_appservice_draupnir_for_all_version is match('^v[0-9]+\\.[0-9]+\\.[0-9]+(?:-[0-9A-Za-z.-]+)?(?:\\+[0-9A-Za-z.-]+)?$')) }}"
 # Force restart the service on all runs only when both roles are enabled, both roles
 # are using the same version string, and that version is a classified as a moving tag.
 matrix_appservice_draupnir_for_all_force_restart: "{{
  matrix_bot_draupnir_enabled | bool and
  matrix_appservice_draupnir_for_all_enabled | bool and
  matrix_bot_draupnir_version == matrix_appservice_draupnir_for_all_version and
  matrix_appservice_draupnir_for_all_rolling_tag | bool
 }}"
 # This controls whether Zero Touch Deployment is enabled.
 # When enabled, the playbook validates the related settings and only renders
 # the configuration values Draupnir expects for this mode.
 # This prevents invalid manual combinations from being passed through, since
 # Draupnir requires `matrix_appservice_draupnir_for_all_config_adminRoom` to be
 # unset and `matrix_appservice_draupnir_for_all_config_initialManager` to be a
 # valid user ID.
 # Zero Touch Deployment is recommended for all new deployments.
 # Deployments that are exempt from this recommendation are assumed to be
 # advanced setups with specific needs that require the flexibility of
 # non-zero-touch-deployment mode.
 # Note that enabling this on an existing deployment will cause the bot to recreate the admin room.
 # Manual policy migration has to be done in that case so as not to break when access controls return to working order.
 matrix_appservice_draupnir_for_all_zero_touch_deploy: false
 # The room ID where people can use the bot. The bot has no access controls, so
 # anyone in this room can use the bot - secure your room!
 # This should be a room alias - not a matrix.to URL.
-# Note: Draupnir is fairly verbose - expect a lot of messages from it.
+# Appservice mode, unlike bot mode, is not verbose in the admin room.
 # This room is different for Appservice Mode compared to normal mode.
 # In Appservice mode it provides functions like user management.
 matrix_appservice_draupnir_for_all_config_adminRoom: ""  # noqa var-naming
 # This controls the MXID of who is invited to the admin room on its creation when using Zero Touch Deployment.
 # This value is mutually exclusive with matrix_appservice_draupnir_for_all_config_adminRoom
 # and the bot will crash if you attempt to set both at the same time.
 matrix_appservice_draupnir_for_all_config_initialManager: ""  # noqa var-naming
 # Controls if the room state backing store is activated.
 # Room state backing store makes restarts of the bot lightning fast as the bot does not suffer from amnesia.
 # This config option has diminished improvements for bots on extremely fast homeservers or very very small bots on fast homeservers.
@@ -1,6 +1,6 @@
 # SPDX-FileCopyrightText: 2024 David Mehren
 # SPDX-FileCopyrightText: 2024 MDAD project contributors
-# SPDX-FileCopyrightText: 2024 Catalan Lover <catalanlover@protonmail.com>
+# SPDX-FileCopyrightText: 2024 - 2026 Catalan Lover <catalanlover@protonmail.com>
 # SPDX-FileCopyrightText: 2024 Slavi Pantaleev
 # SPDX-FileCopyrightText: 2024 Suguru Hirahara
 #
@@ -26,11 +26,9 @@
  when: "item.when | bool"
 - name: Ensure Draupnir Docker image is pulled
-  community.docker.docker_image:
+  community.docker.docker_image_pull:
    name: "{{ matrix_appservice_draupnir_for_all_container_image }}"
-    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    pull: always
    force_source: "{{ matrix_appservice_draupnir_for_all_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_draupnir_for_all_container_image_force_pull }}"
  when: "not matrix_appservice_draupnir_for_all_container_image_self_build | bool"
  register: matrix_appservice_draupnir_for_all_container_image_pull_result
  retries: "{{ devture_playbook_help_container_retries_count }}"
@@ -49,15 +47,18 @@
  when: "matrix_appservice_draupnir_for_all_container_image_self_build | bool"
 - name: Ensure Draupnir Docker image is built
-  community.docker.docker_image:
+  # Using docker_image_build with BuildKit for modern, efficient builds.
  # Rebuild when the git checkout advanced to a new commit; otherwise keep the build idempotent.
  # Technically the idempotency of rebuilds is more that if a build has already been executed for that name:tag
  # then we won't rebuild while in idempotent mode even if git moved. That's what the force rebuild logic is for.
  community.docker.docker_image_build:
    name: "{{ matrix_appservice_draupnir_for_all_container_image }}"
-    source: build
+    dockerfile: Dockerfile
-    force_source: "{{ matrix_appservice_draupnir_for_all_git_pull_results.changed }}"
+    path: "{{ matrix_appservice_draupnir_for_all_container_src_files_path }}"
-    build:
+    pull: true
-      dockerfile: Dockerfile
+    rebuild: "{{ 'always' if matrix_appservice_draupnir_for_all_git_pull_results.changed | bool else 'never' }}"
      path: "{{ matrix_appservice_draupnir_for_all_container_src_files_path }}"
      pull: true
  when: "matrix_appservice_draupnir_for_all_container_image_self_build | bool"
  register: matrix_appservice_draupnir_for_all_container_image_build_result
 - name: Ensure matrix-appservice-draupnir-for-all appservice config installed
  ansible.builtin.copy:
@@ -100,6 +101,16 @@
    mode: '0644'
  register: matrix_appservice_draupnir_for_all_systemd_service_result
 # matrix-appservice-draupnir-for-all and matrix-bot-draupnir share the
 # same upstream container image. When both are enabled and force-pull is
 # on, the second role to run sees the image as already up-to-date (the
 # first role just pulled it), so its pull_result.changed is false and
 # conditional restart would skip it. To avoid that, we also treat
 # force-pull itself as a restart trigger for this role. The downside is
 # that both Draupnir services restart on every run when force-pull is
 # enabled (e.g. with rolling tags like `latest` or `main`), even when the
 # upstream image has not moved. That is wasteful but acceptable.
 # See: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/5186
 - name: Determine whether Draupnir for All needs a restart
  ansible.builtin.set_fact:
    matrix_appservice_draupnir_for_all_restart_necessary: >-
@@ -110,6 +121,8 @@
        or matrix_appservice_draupnir_for_all_registration_config_result.changed | default(false)
        or matrix_appservice_draupnir_for_all_systemd_service_result.changed | default(false)
        or matrix_appservice_draupnir_for_all_container_image_pull_result.changed | default(false)
        or matrix_appservice_draupnir_for_all_container_image_build_result.changed | default(false)
        or matrix_appservice_draupnir_for_all_force_restart | bool
      }}
 - name: Ensure matrix-appservice-draupnir-for-all.service restarted, if necessary
@@ -1,5 +1,5 @@
 # SPDX-FileCopyrightText: 2024 MDAD project contributors
-# SPDX-FileCopyrightText: 2024 Catalan Lover <catalanlover@protonmail.com>
+# SPDX-FileCopyrightText: 2024 - 2026 Catalan Lover <catalanlover@protonmail.com>
 # SPDX-FileCopyrightText: 2024 Slavi Pantaleev
 # SPDX-FileCopyrightText: 2025 Suguru Hirahara
 #
@@ -23,11 +23,21 @@
    - {'old': 'matrix_appservice_draupnir_for_all_docker_image_registry_prefix_upstream', 'new': 'matrix_appservice_draupnir_for_all_container_image_registry_prefix_upstream'}
    - {'old': 'matrix_appservice_draupnir_for_all_docker_image_registry_prefix_upstream_default', 'new': 'matrix_appservice_draupnir_for_all_container_image_registry_prefix_upstream_default'}
    - {'old': 'matrix_appservice_draupnir_for_all_docker_src_files_path', 'new': 'matrix_appservice_draupnir_for_all_container_src_files_path'}
    - {'old': 'matrix_appservice_draupnir_for_all_container_image_force_pull', 'new': '<removed> (No longer needed due to new docker module doing this natively only if needed.)'}
- name: Fail if required matrix-bot-draupnir variables are undefined
+- name: Fail if required matrix-appservice-draupnir-for-all variables are undefined
  ansible.builtin.fail:
-    msg: "The `{{ item }}` variable must be defined and have a non-null value."
+    msg: "The `{{ item.name }}` variable must be defined and have a non-null value."
  with_items:
-    - "matrix_appservice_draupnir_for_all_config_adminRoom"
+    - {'name': 'matrix_appservice_draupnir_for_all_config_adminRoom', when: "{{ not matrix_appservice_draupnir_for_all_zero_touch_deploy }}"}
-    - "matrix_bot_draupnir_container_network"
+    - {'name': 'matrix_appservice_draupnir_for_all_config_initialManager', when: "{{ matrix_appservice_draupnir_for_all_zero_touch_deploy }}"}
-  when: "lookup('vars', item, default='') == '' or lookup('vars', item, default='') is none"
+    - {'name': 'matrix_appservice_draupnir_for_all_container_network', when: true}
  when: "item.when | bool and (lookup('vars', item.name, default='') == '' or lookup('vars', item.name, default='') is none)"
 - name: Fail if inappropriate variables are defined
  ansible.builtin.fail:
    msg: "The `{{ item.name }}` variable must be undefined or have a null value."
  with_items:
    - {'name': 'matrix_appservice_draupnir_for_all_config_adminRoom', when: "{{ matrix_appservice_draupnir_for_all_zero_touch_deploy }}"}
    - {'name': 'matrix_appservice_draupnir_for_all_config_initialManager', when: "{{ not matrix_appservice_draupnir_for_all_zero_touch_deploy }}"}
  when: "item.when | bool and not (lookup('vars', item.name, default='') == '' or lookup('vars', item.name, default='') is none)"
@@ -17,9 +17,16 @@ db:
  engine: "postgres"
  connectionString: "{{ matrix_appservice_draupnir_for_all_database_connection_string }}"
 {% if not matrix_appservice_draupnir_for_all_zero_touch_deploy %}
 # A room you have created that scopes who can access the appservice.
 # See docs/access_control.md
 adminRoom: {{ matrix_appservice_draupnir_for_all_config_adminRoom | to_json }}
 {% endif %}
 {% if matrix_appservice_draupnir_for_all_zero_touch_deploy %}
 # The initial manager to invite if the admin room has to be created.
 initialManager: {{ matrix_appservice_draupnir_for_all_config_initialManager | to_json }}
 {% endif %}
 # This is a web api that the widget connects to in order to interact with the appservice.
 webAPI:
@@ -37,6 +44,5 @@ maxDraupnirsPerUser: 1
 # Defaults to false when omitted.
 allowSelfServiceProvisioning: false
 roomStateBackingStore:
  enabled: {{ matrix_appservice_draupnir_for_all_config_roomStateBackingStore_enabled | to_json }}
@@ -22,12 +22,11 @@ matrix_authentication_service_container_repo_version: "{{ 'main' if matrix_authe
 matrix_authentication_service_container_src_files_path: "{{ matrix_base_data_path }}/matrix-authentication-service/container-src"
 # renovate: datasource=docker depName=ghcr.io/element-hq/matrix-authentication-service
-matrix_authentication_service_version: 1.15.0
+matrix_authentication_service_version: 1.17.0
 matrix_authentication_service_container_image_registry_prefix: "{{ 'localhost/' if matrix_authentication_service_container_image_self_build else matrix_authentication_service_container_image_registry_prefix_upstream }}"
 matrix_authentication_service_container_image_registry_prefix_upstream: "{{ matrix_authentication_service_container_image_registry_prefix_upstream_default }}"
 matrix_authentication_service_container_image_registry_prefix_upstream_default: "ghcr.io/"
 matrix_authentication_service_container_image: "{{ matrix_authentication_service_container_image_registry_prefix }}element-hq/matrix-authentication-service:{{ matrix_authentication_service_version }}"
 matrix_authentication_service_container_image_force_pull: "{{ matrix_authentication_service_container_image.endswith(':latest') }}"
 matrix_authentication_service_base_path: "{{ matrix_base_data_path }}/matrix-authentication-service"
 matrix_authentication_service_bin_path: "{{ matrix_authentication_service_base_path }}/bin"
@@ -84,11 +84,9 @@
  register: matrix_authentication_service_support_files_result
 - name: Ensure Matrix Authentication Service container image is pulled
-  community.docker.docker_image:
+  community.docker.docker_image_pull:
    name: "{{ matrix_authentication_service_container_image }}"
-    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    pull: always
    force_source: "{{ matrix_authentication_service_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_authentication_service_container_image_force_pull }}"
  when: "not matrix_authentication_service_container_image_self_build | bool"
  register: matrix_authentication_service_container_image_pull_result
  retries: "{{ devture_playbook_help_container_retries_count }}"
@@ -53,3 +53,4 @@
    - {'old': 'matrix_authentication_service_syn2mas_container_image_self_build', 'new': '<removed>'}
    - {'old': 'matrix_authentication_service_syn2mas_process_extra_arguments', 'new': 'matrix_authentication_service_syn2mas_command_extra_options or matrix_authentication_service_syn2mas_subcommand_extra_options'}
    - {'old': 'matrix_authentication_service_syn2mas_dry_run', 'new': 'matrix_authentication_service_syn2mas_migrate_dry_run'}
    - {'old': 'matrix_authentication_service_container_image_force_pull', 'new': '<removed> (the new community.docker.docker_image_pull module handles this natively)'}
@@ -84,7 +84,7 @@ matrix_monitoring_container_network: matrix-monitoring
 matrix_homeserver_enabled: true
 # This will contain the homeserver implementation that is in use.
-# Valid values: synapse, dendrite, conduit, continuwuity
+# Valid values: synapse, dendrite, conduit, continuwuity, tuwunel
 #
 # By default, we use Synapse, because it's the only full-featured Matrix server at the moment.
 #
@@ -13,7 +13,7 @@
 - name: Fail if invalid homeserver implementation
  ansible.builtin.fail:
    msg: "You need to set a valid homeserver implementation in `matrix_homeserver_implementation`"
-  when: "matrix_homeserver_implementation not in ['synapse', 'dendrite', 'conduit', 'continuwuity']"
+  when: "matrix_homeserver_implementation not in ['synapse', 'dendrite', 'conduit', 'continuwuity', 'tuwunel']"
 - name: (Deprecation) Catch and report renamed settings
  ansible.builtin.fail:
@@ -17,12 +17,11 @@ matrix_bot_baibot_container_repo_version: "{{ 'main' if matrix_bot_baibot_versio
 matrix_bot_baibot_container_src_files_path: "{{ matrix_base_data_path }}/baibot/container-src"
 # renovate: datasource=docker depName=ghcr.io/etkecc/baibot
-matrix_bot_baibot_version: v1.18.0
+matrix_bot_baibot_version: v1.19.2
 matrix_bot_baibot_container_image: "{{ matrix_bot_baibot_container_image_registry_prefix }}etkecc/baibot:{{ matrix_bot_baibot_version }}"
 matrix_bot_baibot_container_image_registry_prefix: "{{ 'localhost/' if matrix_bot_baibot_container_image_self_build else matrix_bot_baibot_container_image_registry_prefix_upstream }}"
 matrix_bot_baibot_container_image_registry_prefix_upstream: "{{ matrix_bot_baibot_container_image_registry_prefix_upstream_default }}"
 matrix_bot_baibot_container_image_registry_prefix_upstream_default: "ghcr.io/"
 matrix_bot_baibot_container_image_force_pull: "{{ matrix_bot_baibot_container_image.endswith(':latest') }}"
 matrix_bot_baibot_base_path: "{{ matrix_base_data_path }}/baibot"
 matrix_bot_baibot_config_path: "{{ matrix_bot_baibot_base_path }}/config"
@@ -38,11 +38,9 @@
  register: matrix_bot_baibot_env_result
 - name: Ensure baibot container image is pulled
-  community.docker.docker_image:
+  community.docker.docker_image_pull:
    name: "{{ matrix_bot_baibot_container_image }}"
-    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    pull: always
    force_source: "{{ matrix_bot_baibot_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_baibot_container_image_force_pull }}"
  when: "not matrix_bot_baibot_container_image_self_build | bool"
  register: matrix_bot_baibot_container_image_pull_result
  retries: "{{ devture_playbook_help_container_retries_count }}"
@@ -62,15 +60,13 @@
      register: matrix_bot_baibot_git_pull_results
    - name: Ensure baibot container image is built
-      community.docker.docker_image:
+      community.docker.docker_image_build:
        name: "{{ matrix_bot_baibot_container_image }}"
-        source: build
+        dockerfile: Dockerfile
-        force_source: "{{ matrix_bot_baibot_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+        path: "{{ matrix_bot_baibot_container_src_files_path }}"
-        force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_baibot_git_pull_results.changed }}"
+        pull: true
-        build:
+        rebuild: "{{ 'always' if matrix_bot_baibot_git_pull_results.changed | bool else 'never' }}"
-          dockerfile: Dockerfile
+      register: matrix_bot_baibot_container_image_build_result
          path: "{{ matrix_bot_baibot_container_src_files_path }}"
          pull: true
 - name: Ensure baibot container network is created
  community.general.docker_network:
@@ -94,4 +90,5 @@
        or matrix_bot_baibot_env_result.changed | default(false)
        or matrix_bot_baibot_systemd_service_result.changed | default(false)
        or matrix_bot_baibot_container_image_pull_result.changed | default(false)
        or matrix_bot_baibot_container_image_build_result.changed | default(false)
      }}
@@ -91,3 +91,4 @@
  when: "lookup('ansible.builtin.varnames', ('^' + item.old + '$'), wantlist=True) | length > 0"
  with_items:
    - {'old': 'matrix_bot_baibot_container_image_name_prefix', 'new': 'matrix_bot_baibot_container_image_registry_prefix'}
    - {'old': 'matrix_bot_baibot_container_image_force_pull', 'new': '<removed> (the new community.docker.docker_image_pull module handles this natively)'}
@@ -40,7 +40,6 @@ matrix_bot_buscarron_container_image: "{{ matrix_bot_buscarron_container_image_r
 matrix_bot_buscarron_container_image_registry_prefix: "{{ 'localhost/' if matrix_bot_buscarron_container_image_self_build else matrix_bot_buscarron_container_image_registry_prefix_upstream }}"
 matrix_bot_buscarron_container_image_registry_prefix_upstream: "{{ matrix_bot_buscarron_container_image_registry_prefix_upstream_default }}"
 matrix_bot_buscarron_container_image_registry_prefix_upstream_default: "ghcr.io/"
 matrix_bot_buscarron_container_image_force_pull: "{{ matrix_bot_buscarron_container_image.endswith(':latest') }}"
 # The base container network. It will be auto-created by this role if it doesn't exist already.
 matrix_bot_buscarron_container_network: matrix-bot-buscarron
@@ -137,19 +136,15 @@ matrix_bot_buscarron_database_sslmode: disable
 matrix_bot_buscarron_database_connection_string: 'postgres://{{ matrix_bot_buscarron_database_username }}:{{ matrix_bot_buscarron_database_password }}@{{ matrix_bot_buscarron_database_hostname }}:{{ matrix_bot_buscarron_database_port }}/{{ matrix_bot_buscarron_database_name }}?sslmode={{ matrix_bot_buscarron_database_sslmode }}'
-matrix_bot_buscarron_storage_database: "{{
+matrix_bot_buscarron_storage_database: "{{ {
-	{
+    'sqlite': matrix_bot_buscarron_sqlite_database_path_in_container,
-		'sqlite': matrix_bot_buscarron_sqlite_database_path_in_container,
+    'postgres': matrix_bot_buscarron_database_connection_string,
-		'postgres': matrix_bot_buscarron_database_connection_string,
+}[matrix_bot_buscarron_database_engine] }}"
 	}[matrix_bot_buscarron_database_engine]
 }}"
-matrix_bot_buscarron_database_dialect: "{{
+matrix_bot_buscarron_database_dialect: "{{ {
  {
    'sqlite': 'sqlite3',
    'postgres': 'postgres',
-  }[matrix_bot_buscarron_database_engine]
+}[matrix_bot_buscarron_database_engine] }}"
 }}"
 # The bot's username. This user needs to be created manually beforehand.
@@ -61,11 +61,9 @@
  register: matrix_bot_buscarron_support_files_result
 - name: Ensure Buscarron image is pulled
-  community.docker.docker_image:
+  community.docker.docker_image_pull:
    name: "{{ matrix_bot_buscarron_container_image }}"
-    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    pull: always
    force_source: "{{ matrix_bot_buscarron_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_buscarron_container_image_force_pull }}"
  when: "not matrix_bot_buscarron_container_image_self_build | bool"
  register: matrix_bot_buscarron_container_image_pull_result
  retries: "{{ devture_playbook_help_container_retries_count }}"
@@ -84,16 +82,14 @@
  when: "matrix_bot_buscarron_container_image_self_build | bool"
 - name: Ensure Buscarron image is built
-  community.docker.docker_image:
+  community.docker.docker_image_build:
    name: "{{ matrix_bot_buscarron_container_image }}"
-    source: build
+    dockerfile: Dockerfile
-    force_source: "{{ matrix_bot_buscarron_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    path: "{{ matrix_bot_buscarron_container_src_files_path }}"
-    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_buscarron_git_pull_results.changed }}"
+    pull: true
-    build:
+    rebuild: "{{ 'always' if matrix_bot_buscarron_git_pull_results.changed | bool else 'never' }}"
      dockerfile: Dockerfile
      path: "{{ matrix_bot_buscarron_container_src_files_path }}"
      pull: true
  when: "matrix_bot_buscarron_container_image_self_build | bool"
  register: matrix_bot_buscarron_container_image_build_result
 - name: Ensure matrix-bot-buscarron.service installed
  ansible.builtin.template:
@@ -110,6 +106,7 @@
        or matrix_bot_buscarron_support_files_result.changed | default(false)
        or matrix_bot_buscarron_systemd_service_result.changed | default(false)
        or matrix_bot_buscarron_container_image_pull_result.changed | default(false)
        or matrix_bot_buscarron_container_image_build_result.changed | default(false)
      }}
 - name: Ensure Buscarron container network is created
@@ -19,6 +19,7 @@
    - {'old': 'matrix_bot_buscarron_container_image_name_prefix', 'new': 'matrix_bot_buscarron_container_image_registry_prefix'}
    - {'old': 'matrix_bot_buscarron_docker_image', 'new': 'matrix_bot_buscarron_container_image'}
    - {'old': 'matrix_bot_buscarron_docker_image_force_pull', 'new': 'matrix_bot_buscarron_container_image_force_pull'}
    - {'old': 'matrix_bot_buscarron_container_image_force_pull', 'new': '<removed> (the new community.docker.docker_image_pull module handles this natively)'}
    - {'old': 'matrix_bot_buscarron_docker_image_registry_prefix', 'new': 'matrix_bot_buscarron_container_image_registry_prefix'}
    - {'old': 'matrix_bot_buscarron_docker_image_registry_prefix_upstream', 'new': 'matrix_bot_buscarron_container_image_registry_prefix_upstream'}
    - {'old': 'matrix_bot_buscarron_docker_image_registry_prefix_upstream_default', 'new': 'matrix_bot_buscarron_container_image_registry_prefix_upstream_default'}
@@ -12,7 +12,7 @@
 matrix_bot_draupnir_enabled: true
 # renovate: datasource=docker depName=depName=ghcr.io/the-draupnir-project/draupnir
-matrix_bot_draupnir_version: "v3.0.0"
+matrix_bot_draupnir_version: "v3.1.0"
 matrix_bot_draupnir_container_image_self_build: false
 matrix_bot_draupnir_container_image_self_build_repo: "https://github.com/the-draupnir-project/Draupnir.git"
@@ -22,13 +22,24 @@ matrix_bot_draupnir_container_image_registry_namespace_identifier: "the-draupnir
 matrix_bot_draupnir_container_image_registry_prefix: "{{ 'localhost/' if matrix_bot_draupnir_container_image_self_build else matrix_bot_draupnir_container_image_registry_prefix_upstream }}"
 matrix_bot_draupnir_container_image_registry_prefix_upstream: "{{ matrix_bot_draupnir_container_image_registry_prefix_upstream_default }}"
 matrix_bot_draupnir_container_image_registry_prefix_upstream_default: "ghcr.io/"
 matrix_bot_draupnir_container_image_force_pull: "{{ matrix_bot_draupnir_container_image.endswith(':latest') }}"
 matrix_bot_draupnir_base_path: "{{ matrix_base_data_path }}/draupnir"
 matrix_bot_draupnir_config_path: "{{ matrix_bot_draupnir_base_path }}/config"
 matrix_bot_draupnir_data_path: "{{ matrix_bot_draupnir_base_path }}/data"
 matrix_bot_draupnir_container_src_files_path: "{{ matrix_bot_draupnir_base_path }}/docker-src"
 # Rolling tag: true if version doesn't match semver shape (vX.Y.Z with optional prerelease/build), false otherwise.
 matrix_bot_draupnir_rolling_tag: "{{ not (matrix_bot_draupnir_version is match('^v[0-9]+\\.[0-9]+\\.[0-9]+(?:-[0-9A-Za-z.-]+)?(?:\\+[0-9A-Za-z.-]+)?$')) }}"
 # Force restart the service on all runs only when both roles are enabled, both roles
 # are using the same version string, and that version is a classified as a moving tag.
 matrix_bot_draupnir_force_restart: "{{
  matrix_bot_draupnir_enabled | bool and
  matrix_appservice_draupnir_for_all_enabled | bool and
  matrix_bot_draupnir_version == matrix_appservice_draupnir_for_all_version and
  matrix_bot_draupnir_rolling_tag | bool
 }}"
 matrix_bot_draupnir_config_web_enabled: "{{ matrix_bot_draupnir_config_web_abuseReporting or matrix_bot_draupnir_config_web_synapseHTTPAntispam_enabled }}"  # noqa var-naming
 matrix_bot_draupnir_config_web_abuseReporting: false  # noqa var-naming
@@ -104,12 +115,36 @@ matrix_bot_draupnir_password: "{{ matrix_bot_draupnir_pantalaimon_password }}"
 # This configuration option does not follow the common naming schema as its not controlling a config key directly.
 matrix_bot_draupnir_login_native: false
-# The room ID where people can use the bot. The bot has no access controls, so
+# This controls whether Zero Touch Deployment is enabled.
-# anyone in this room can use the bot - secure your room!
+# When enabled, the playbook validates the settings and only
 # renders the configuration values Draupnir expects.
 # This prevents invalid manual combinations from being passed through, since
 # Draupnir requires `matrix_bot_draupnir_config_managementRoom` to be unset and
 # `matrix_bot_draupnir_config_initialManager` to be a valid MXID.
 # Zero Touch Deployment is recommended for all new deployments.
 # Deployments that are exempt from this recommendation are assumed to be
 # advanced setups with specific needs for non-zero-touch mode.
 # Note that enabling this on an existing deployment will cause the bot to
 # recreate the management room.
 # Recreating the management room will cause all protections to reset their settings to defaults
 # and cause the recreation of secondary rooms like notification rooms. All bot memory will also be wiped.
 matrix_bot_draupnir_zero_touch_deploy: false
 # The management room used for administration when Zero Touch
 # Deployment is disabled.
 # The bot has no access controls, so anyone in this room can use it - secure
 # your room!
 # This should be a room alias or room ID - not a matrix.to URL.
 # Note: Draupnir is fairly verbose - expect a lot of messages from it.
 matrix_bot_draupnir_config_managementRoom: ""  # noqa var-naming
 # The MXID invited as the initial manager when Zero Touch Deployment creates the
 # management room.
 # This value is mutually exclusive with
 # `matrix_bot_draupnir_config_managementRoom`, and the bot will crash if you
 # attempt to set both at the same time.
 matrix_bot_draupnir_config_initialManager: ""  # noqa var-naming
 # Endpoint URL that Draupnir uses to interact with the Matrix homeserver (client-server API).
 # Set this to the Pantalaimon URL if you're using that.
 matrix_bot_draupnir_config_homeserverUrl: ""  # noqa var-naming
@@ -38,11 +38,9 @@
  register: matrix_bot_draupnir_support_files_result
 - name: Ensure Draupnir Docker image is pulled
-  community.docker.docker_image:
+  community.docker.docker_image_pull:
    name: "{{ matrix_bot_draupnir_container_image }}"
-    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    pull: always
    force_source: "{{ matrix_bot_draupnir_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_draupnir_container_image_force_pull }}"
  when: "not matrix_bot_draupnir_container_image_self_build | bool"
  register: matrix_bot_draupnir_container_image_pull_result
  retries: "{{ devture_playbook_help_container_retries_count }}"
@@ -61,15 +59,18 @@
  when: "matrix_bot_draupnir_container_image_self_build | bool"
 - name: Ensure Draupnir Docker image is built
-  community.docker.docker_image:
+  # Using docker_image_build with BuildKit for modern, efficient builds.
  # Rebuild when the git checkout advanced to a new commit; otherwise keep the build idempotent.
  # Technically the idempotency of rebuilds is more that if a build has already been executed for that name:tag
  # then we won't rebuild while in idempotent mode even if git moved. That's what the force rebuild logic is for.
  community.docker.docker_image_build:
    name: "{{ matrix_bot_draupnir_container_image }}"
-    source: build
+    dockerfile: Dockerfile
-    force_source: "{{ matrix_bot_draupnir_git_pull_results.changed }}"
+    path: "{{ matrix_bot_draupnir_container_src_files_path }}"
-    build:
+    pull: true
-      dockerfile: Dockerfile
+    rebuild: "{{ 'always' if matrix_bot_draupnir_git_pull_results.changed | bool else 'never' }}"
      path: "{{ matrix_bot_draupnir_container_src_files_path }}"
      pull: true
  when: "matrix_bot_draupnir_container_image_self_build | bool"
  register: matrix_bot_draupnir_container_image_build_result
 - name: Ensure matrix-bot-draupnir config installed
  ansible.builtin.copy:
@@ -94,6 +95,16 @@
    mode: '0644'
  register: matrix_bot_draupnir_systemd_service_result
 # matrix-bot-draupnir and matrix-appservice-draupnir-for-all share the
 # same upstream container image. When both are enabled and force-pull is
 # on, the second role to run sees the image as already up-to-date (the
 # first role just pulled it), so its pull_result.changed is false and
 # conditional restart would skip it. To avoid that, we also treat
 # force-pull itself as a restart trigger for this role. The downside is
 # that both Draupnir services restart on every run when force-pull is
 # enabled (e.g. with rolling tags like `latest` or `main`), even when the
 # upstream image has not moved. That is wasteful but acceptable.
 # See: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/5186
 - name: Determine whether Draupnir needs a restart
  ansible.builtin.set_fact:
    matrix_bot_draupnir_restart_necessary: >-
@@ -103,6 +114,8 @@
        or matrix_bot_draupnir_config_result.changed | default(false)
        or matrix_bot_draupnir_systemd_service_result.changed | default(false)
        or matrix_bot_draupnir_container_image_pull_result.changed | default(false)
        or matrix_bot_draupnir_container_image_build_result.changed | default(false)
        or matrix_bot_draupnir_force_restart | bool
      }}
 - name: Ensure matrix-bot-draupnir.service restarted, if necessary
--- a/Show More
+++ b/Show More