Compare commits

9 Commits

Author SHA1 Message Date
Aine 3fed0f1bb4 add link to Ketesa website <https://ketesa.app> 2026-06-28 11:02:51 +01:00
Slavi Pantaleev e43add179b Add matrix_tuwunel_config_ip_range_denylist (mirrors tuwunel's upstream default)
As of tuwunel v1.8.0, the ip_range_denylist applies to push gateway
delivery as well, so surface it as an Ansible variable using the
default/auto/custom merge pattern. The default mirrors tuwunel's own
upstream denylist (RFC1918, loopback, multicast, and other unroutable
ranges), matching the identical list already used for Synapse's
matrix_synapse_url_preview_ip_range_blacklist.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-27 20:39:16 +03:00
renovate[bot] 129d4e74b4 Update ghcr.io/matrix-construct/tuwunel Docker tag to v1.8.0 2026-06-27 20:17:09 +03:00
renovate[bot] 5c390e137f Update dependency livekit_server to v1.13.2-0 2026-06-27 18:17:06 +03:00
renovate[bot] 682eb2c280 Update ghcr.io/etkecc/baibot Docker tag to v1.24.0 2026-06-26 17:30:34 +03:00
Jason LaGuidice 4fae640b6c Add renovate and bump version 2026-06-26 07:05:13 +03:00
renovate[bot] adcae966ed Update dependency ntfy to v2.25.0-0 2026-06-25 07:41:39 +03:00
renovate[bot] 0a46beb76c Update dependency click to v8.4.2 2026-06-24 21:48:37 +03:00
renovate[bot] 7bee5f06dc Update oci.element.io/element-admin Docker tag to v0.1.12 2026-06-24 21:44:11 +03:00
8 changed files with 48 additions and 10 deletions
+2 -2
@@ -13,14 +13,14 @@ SPDX-License-Identifier: AGPL-3.0-or-later
# Setting up Ketesa (optional)
The playbook can install and configure [Ketesa](https://github.com/etkecc/ketesa) for you.
The playbook can install and configure [Ketesa](https://ketesa.app) ([source code](https://github.com/etkecc/ketesa)) for you.
Ketesa is a fully-featured admin interface for Matrix homeservers — manage users, rooms, media, sessions, and more from one clean, responsive web UI. It is the evolution of [Awesome-Technologies/synapse-admin](https://github.com/Awesome-Technologies/synapse-admin): what began as a fork has grown into its own independent project with a redesigned interface, comprehensive Synapse and MAS API coverage, and multi-language support. See the [Ketesa v1.0.0 announcement](https://etke.cc/blog/introducing-ketesa/) for a full overview of what's new.
>[!NOTE]
>
> - Ketesa does not work with other homeserver implementations than Synapse due to API's incompatibility.
> - The latest version of Ketesa is hosted by [etke.cc](https://etke.cc/) at [admin.etke.cc](https://admin.etke.cc/). If you only need this service occasionally and trust giving your admin credentials to a 3rd party Single Page Application, you can consider using it from there and avoiding the (small) overhead of self-hosting.
> - The latest version of Ketesa is hosted by [etke.cc](https://etke.cc/) at [cloud.ketesa.app](https://cloud.ketesa.app/). If you only need this service occasionally and trust giving your admin credentials to a 3rd party Single Page Application, you can consider using it from there and avoiding the (small) overhead of self-hosting.
> - This playbook also supports an alternative management UI in the shape of [Element Admin](./configuring-playbook-element-admin.md). Please note that it's currently less feature-rich than Ketesa and requires [Matrix Authentication Service](./configuring-playbook-matrix-authentication-service.md).
## Adjusting DNS records (optional)
+1 -1
@@ -2,7 +2,7 @@ alabaster==1.0.0
babel==2.18.0
certifi==2026.6.17
charset-normalizer==3.4.7
click==8.4.1
click==8.4.2
docutils==0.23
idna==3.18
imagesize==2.0.0
+2 -2
@@ -42,10 +42,10 @@
version: v11031-0
name: jitsi
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-livekit-server.git
version: v1.13.1-0
version: v1.13.2-0
name: livekit_server
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-ntfy.git
version: v2.24.0-0
version: v2.25.0-0
name: ntfy
- src: git+https://github.com/devture/com.devture.ansible.role.playbook_help.git
version: ea8c5cc750c4e23d004c9a836dfd9eda82d45ff4
@@ -17,7 +17,7 @@ matrix_bot_baibot_container_repo_version: "{{ 'main' if matrix_bot_baibot_versio
matrix_bot_baibot_container_src_files_path: "{{ matrix_base_data_path }}/baibot/container-src"
# renovate: datasource=docker depName=ghcr.io/etkecc/baibot
matrix_bot_baibot_version: v1.23.1
matrix_bot_baibot_version: v1.24.0
matrix_bot_baibot_container_image: "{{ matrix_bot_baibot_container_image_registry_prefix }}etkecc/baibot:{{ matrix_bot_baibot_version }}"
matrix_bot_baibot_container_image_registry_prefix: "{{ 'localhost/' if matrix_bot_baibot_container_image_self_build else matrix_bot_baibot_container_image_registry_prefix_upstream }}"
matrix_bot_baibot_container_image_registry_prefix_upstream: "{{ matrix_bot_baibot_container_image_registry_prefix_upstream_default }}"
@@ -13,8 +13,8 @@ matrix_rustpush_bridge_container_image_self_build: false
matrix_rustpush_bridge_container_image_self_build_repo: "https://github.com/jasonlaguidice/imessage.git"
matrix_rustpush_bridge_container_image_self_build_repo_version: "{{ 'master' if matrix_rustpush_bridge_version == 'latest' else matrix_rustpush_bridge_version }}"
# Adjust to pin to releases
matrix_rustpush_bridge_version: v0.0.1
# renovate: datasource=docker depName=ghcr.io/jasonlaguidice/imessage
matrix_rustpush_bridge_version: v0.0.2
matrix_rustpush_bridge_container_image: "{{ matrix_rustpush_bridge_container_image_registry_prefix }}jasonlaguidice/imessage:{{ matrix_rustpush_bridge_version }}"
matrix_rustpush_bridge_container_image_registry_prefix: "{{ 'localhost/' if matrix_rustpush_bridge_container_image_self_build else matrix_rustpush_bridge_container_image_registry_prefix_upstream }}"
matrix_rustpush_bridge_container_image_registry_prefix_upstream: "{{ matrix_rustpush_bridge_container_image_registry_prefix_upstream_default }}"
@@ -11,7 +11,7 @@
matrix_element_admin_enabled: true
# renovate: datasource=docker depName=oci.element.io/element-admin
matrix_element_admin_version: 0.1.11
matrix_element_admin_version: 0.1.12
matrix_element_admin_scheme: https
+38 -1
@@ -13,7 +13,7 @@ matrix_tuwunel_enabled: true
matrix_tuwunel_hostname: ''
# renovate: datasource=docker depName=ghcr.io/matrix-construct/tuwunel
matrix_tuwunel_version: v1.7.1
matrix_tuwunel_version: v1.8.0
matrix_tuwunel_container_image: "{{ matrix_tuwunel_container_image_registry_prefix }}matrix-construct/tuwunel:{{ matrix_tuwunel_container_image_tag }}"
matrix_tuwunel_container_image_tag: "{{ matrix_tuwunel_version }}"
@@ -177,6 +177,43 @@ matrix_tuwunel_config_forbidden_remote_server_names: []
matrix_tuwunel_config_forbidden_remote_room_directory_server_names: []
matrix_tuwunel_config_prevent_media_downloads_from: []
# List of IPv4/IPv6 CIDR ranges tuwunel refuses to send outbound requests to (SSRF protection).
# This applies to push gateway delivery, URL previews, and remote media fetches.
# Bridges/appservices use a separate resolver and are not affected.
#
# The default mirrors tuwunel's own upstream default, which denies RFC1918,
# loopback, multicast, and other unroutable/testnet ranges.
#
# To deny additional ranges, append to `matrix_tuwunel_config_ip_range_denylist_custom`.
# To permit a range that the default denies (e.g. if you run a push gateway like a
# localhost Sygnal or a LAN ntfy/UnifiedPush server on a private/loopback address, to
# which push delivery would otherwise be silently blocked), override
# `matrix_tuwunel_config_ip_range_denylist_default` with a trimmed list.
# Set the whole list to `[]` to disable denylisting entirely.
matrix_tuwunel_config_ip_range_denylist: "{{ matrix_tuwunel_config_ip_range_denylist_default + matrix_tuwunel_config_ip_range_denylist_auto + matrix_tuwunel_config_ip_range_denylist_custom }}"
matrix_tuwunel_config_ip_range_denylist_default:
- '127.0.0.0/8'
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '100.64.0.0/10'
- '192.0.0.0/24'
- '169.254.0.0/16'
- '192.88.99.0/24'
- '198.18.0.0/15'
- '192.0.2.0/24'
- '198.51.100.0/24'
- '203.0.113.0/24'
- '224.0.0.0/4'
- '::1/128'
- 'fe80::/10'
- 'fc00::/7'
- '2001:db8::/32'
- 'ff00::/8'
- 'fec0::/10'
matrix_tuwunel_config_ip_range_denylist_auto: []
matrix_tuwunel_config_ip_range_denylist_custom: []
# MSC4284 policy server enforcement.
# When enabled, rooms with a valid `m.room.policy` state event will have
# outgoing events signed by the configured policy server before federation.
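Review bot: The comment paragraph that starts "To permit a range that the default denies" recommends trimming `matrix_tuwunel_config_ip_range_denylist_default` for a local push gateway, but it does not say that the same list also gates URL previews and remote media fetches (as the comment's own second line states), so a range removed for push delivery becomes reachable by those requests too. I would add `# NOTE: the list is shared; a range removed for a push gateway also becomes reachable by URL previews and remote media fetches.` right after that paragraph. Because the merged value is `_default + _auto + _custom`, `_auto` and `_custom` can only add entries, and a wholesale override of `_default` stops tracking any later upstream additions, which deserves one more comment line. The default also carries no `0.0.0.0/8`, `::/128` or IPv4-mapped `::ffff:0:0/96` entry; Synapse denies `0.0.0.0` and `::` implicitly, and whether tuwunel does the same is not visible here, so that should be confirmed against upstream before relying on the mirrored list.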
@@ -56,6 +56,7 @@ forbidden_remote_room_directory_server_names = {{ matrix_tuwunel_config_forbidde
{% if matrix_tuwunel_config_prevent_media_downloads_from | length > 0 %}
prevent_media_downloads_from = {{ matrix_tuwunel_config_prevent_media_downloads_from | to_json }}
{% endif %}
ip_range_denylist = {{ matrix_tuwunel_config_ip_range_denylist | to_json }}
enable_policy_servers = {{ matrix_tuwunel_config_enable_policy_servers | to_json }}
policy_server_request_timeout = {{ matrix_tuwunel_config_policy_server_request_timeout }}