baibot: add venice wiring

add link to Ketesa website <https://ketesa.app >
Add matrix_tuwunel_config_ip_range_denylist (mirrors tuwunel's upstream default)
2026-06-29 03:20:44 +03:00 · 2026-06-28 16:34:06 +01:00 · 2026-06-28 11:02:51 +01:00 · 2026-06-27 20:39:16 +03:00 · 2026-06-27 20:17:09 +03:00 · 2026-06-27 18:17:06 +03:00
54 changed files with 1455 additions and 51 deletions
@@ -26,10 +26,10 @@ jobs:
        run: pacman -Sy --noconfirm git

      - name: Check out
-        uses: actions/checkout@v6
+        uses: actions/checkout@v7

      - name: Restore prek cache
-        uses: actions/cache@v5
+        uses: actions/cache@v6
        with:
          path: var/prek
          key: arch-prek-v1-${{ hashFiles('.pre-commit-config.yaml') }}
@@ -24,7 +24,7 @@ jobs:
    name: Update translations
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7

      - uses: actions/setup-python@v6
        with:
@@ -1,3 +1,29 @@
+# 2026-06-28
+
+## baibot now supports Venice, our recommended provider
+
+[baibot](./docs/configuring-playbook-bot-baibot.md) now ships a preset for the [Venice](./docs/configuring-playbook-bot-baibot.md#venice) provider, and it's the one we recommend. It's the most capable provider baibot supports (text generation with vision, file inputs and web search, speech-to-text, text-to-speech, and image generation and editing), and the only one that runs inference with no logging and no training on your data.
+
+Enabling it takes a preset toggle and an API key:
+
+```yaml
+matrix_bot_baibot_config_agents_static_definitions_venice_enabled: true
+
+matrix_bot_baibot_config_agents_static_definitions_venice_config_api_key: "YOUR_API_KEY_HERE"
+```
+
+[OpenAI](https://openai.com/) and baibot's other providers remain fully supported. To get started, see the [Setting up baibot](./docs/configuring-playbook-bot-baibot.md#venice) documentation page.
+
+# 2026-06-24
+
+## Support for bridging to iMessage via RustPush
+
+Thanks to [jasonlaguidice](https://github.com/jasonlaguidice), the playbook now supports bridging to [iMessage](https://support.apple.com/messages) via a new [RustPush](https://github.com/OpenBubbles/rustpush)-based bridge ([jasonlaguidice/imessage](https://github.com/jasonlaguidice/imessage)).
+
+Unlike the existing [mautrix-wsproxy](./docs/configuring-playbook-bridge-mautrix-wsproxy.md) iMessage bridge, this one talks directly to Apple's push notification service, so it needs neither a running Mac nor a wsproxy on the homeserver. Each user supplies a hardware key extracted from a Mac through the bridge bot's login flow.
+
+To learn more, see our [Setting up RustPush (iMessage) bridging](./docs/configuring-playbook-bridge-rustpush.md) documentation page.
+
 # 2026-05-24

 ## matrix-ldap-registration-proxy has been removed from the playbook
@@ -117,6 +117,7 @@ Bridges can be used to connect your Matrix installation with third-party communi
 | [mautrix-gmessages](https://github.com/mautrix/gmessages) | ❌ | Bridge to [Google Messages](https://messages.google.com/) | [Link](docs/configuring-playbook-bridge-mautrix-gmessages.md) |
 | [mautrix-whatsapp](https://github.com/mautrix/whatsapp) | ❌ | Bridge to [WhatsApp](https://www.whatsapp.com/) | [Link](docs/configuring-playbook-bridge-mautrix-whatsapp.md) |
 | [mautrix-wsproxy](https://github.com/mautrix/wsproxy) | ❌ | Bridge to Android SMS or Apple iMessage | [Link](docs/configuring-playbook-bridge-mautrix-wsproxy.md) |
+| [matrix-rustpush-bridge](https://github.com/jasonlaguidice/imessage) | ❌ | Bridge to [iMessage](https://support.apple.com/messages) via Apple Push Notification service | [Link](docs/configuring-playbook-bridge-rustpush.md) |
 | [mautrix-bluesky](https://github.com/mautrix/bluesky) | ❌ | Bridge to [Bluesky](https://bsky.social/) | [Link](docs/configuring-playbook-bridge-mautrix-bluesky.md) |
 | [mautrix-twitter](https://github.com/mautrix/twitter) | ❌ | Bridge to [Twitter](https://twitter.com/) | [Link](docs/configuring-playbook-bridge-mautrix-twitter.md) |
 | [mautrix-googlechat](https://github.com/mautrix/googlechat) | ❌ | Bridge to [Google Chat](https://en.wikipedia.org/wiki/Google_Chat) | [Link](docs/configuring-playbook-bridge-mautrix-googlechat.md) |
@@ -14,7 +14,7 @@ SPDX-License-Identifier: AGPL-3.0-or-later

 🤖 [baibot](https://github.com/etkecc/baibot) (pronounced bye-bot) is a [Matrix](https://matrix.org/) bot developed by [etke.cc](https://etke.cc/) that exposes the power of [AI](https://en.wikipedia.org/wiki/Artificial_intelligence) / [Large Language Models](https://en.wikipedia.org/wiki/Large_language_model) to you. 🤖

-It supports [OpenAI](https://openai.com/)'s [ChatGPT](https://openai.com/blog/chatgpt/) models, as many well as other [☁️ providers](https://github.com/etkecc/baibot/blob/main/docs/providers.md).
+It supports many [☁️ providers](https://github.com/etkecc/baibot/blob/main/docs/providers.md), including the privacy-first [Venice](#venice) we recommend, [OpenAI](https://openai.com/)'s [ChatGPT](https://openai.com/blog/chatgpt/) models, and more.

 It's designed as a more private and [✨ featureful](https://github.com/etkecc/baibot/?tab=readme-ov-file#-features) alternative to [matrix-chatgpt-bot](./configuring-playbook-bot-chatgpt.md). See the [baibot](https://github.com/etkecc/baibot) project and its documentation for more information.

@@ -159,7 +159,38 @@ Agents defined statically and those created dynamically (via chat) are named dif

 Depending on your propensity for [GitOps](https://en.wikipedia.org/wiki/DevOps#GitOps), you may prefer to define agents statically via Ansible, or you may wish to do it dynamically via chat.

-Before proceeding, we recommend reading the upstream documentation on [How to choose a provider](https://github.com/etkecc/baibot/blob/main/docs/providers.md#how-to-choose-a-provider). In short, it's probably best to go with [OpenAI](#openai).
+Before proceeding, we recommend reading the upstream documentation on [How to choose a provider](https://github.com/etkecc/baibot/blob/main/docs/providers.md#how-to-choose-a-provider) for a side-by-side of what each one can do. In short: we recommend [Venice](#venice), the most capable provider baibot supports and the only one that keeps no logs and trains on nothing. If you'd rather start with the most widely-used option, [OpenAI](#openai) is a solid, well-supported choice too.
+
+#### Venice
+
+[Venice](https://venice.ai/chat?ref=kpXDe6) _(ref link with a $10 bonus for you)_ is the provider we recommend. It's the most capable one baibot supports, and the only one that pairs that full feature set with real privacy: inference runs on Venice's own GPUs or on zero-data-retention partner hardware, so your prompts and replies are stored nowhere and never used for training. It serves both frontier proprietary models and the latest open-source ones.
+
+Venice also leaves the content policy to you instead of imposing its own. Its models answer without the reflexive refusals some hosted services apply, and both text and image generation can handle adult or otherwise sensitive subjects when you need them to. Image generation ships a `safe_mode` that blurs adult content by default; you can turn it off (see the sample config). This pairs naturally with the privacy above: a bot you can speak to candidly, that keeps nothing.
+
+Unlike the [OpenAI Compatible](#openai-compatible) provider (which can also point at Venice, but drops images and can't reach its audio or native image endpoints), this is a first-class integration that exposes Venice's full parameter set: text-generation with vision, file inputs, prompt caching and native web search, plus speech-to-text, text-to-speech, and image generation and editing.
+
+You can statically-define a single [🤖 agent](https://github.com/etkecc/baibot/blob/main/docs/agents.md) instance powered by the [Venice provider](https://github.com/etkecc/baibot/blob/main/docs/providers.md#venice) with the help of the playbook's preset variables.
+
+Here's an example **addition** to your `vars.yml` file:
+
+```yaml
+matrix_bot_baibot_config_agents_static_definitions_venice_enabled: true
+
+matrix_bot_baibot_config_agents_static_definitions_venice_config_api_key: "YOUR_API_KEY_HERE"
+
+# The preset ships sensible defaults for every purpose, so changing only the API key above is enough
+# to get going. Uncomment and adjust any of these if you'd like to use different models:
+# matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_model_id: kimi-k2-5
+# matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_model_id: chroma
+```
+
+Because this is a [statically](https://github.com/etkecc/baibot/blob/main/docs/configuration/README.md#static-configuration)-defined agent, it will be given a `static/` ID prefix and will be named `static/venice`.
+
+Every Venice knob (sampling, caching, reasoning, web-search behavior, voice and image controls) has a matching `matrix_bot_baibot_config_agents_static_definitions_venice_config_*` variable. The [fully-commented sample config](https://github.com/etkecc/baibot/blob/main/docs/sample-provider-configs/venice.yml) explains every one of them.
+
+If you'd like to use more than one model, take a look at the [Configuring additional agents (without a preset)](#configuring-additional-agents-without-a-preset) section below.
+
+💡 You may also wish to use this new agent for [🤝 Configuring initial default handlers](#-configuring-initial-default-handlers).

 #### Anthropic

@@ -374,7 +405,7 @@ Example **additional** `vars.yml` configuration:
 # As such, changing any of these values subsequently has no effect on the bot's behavior.
 # Once initially configured, the global configuration is managed via bot commands, not via Ansible.

-matrix_bot_baibot_config_initial_global_config_handler_catch_all: static/openai
+matrix_bot_baibot_config_initial_global_config_handler_catch_all: static/venice

 # In this example, there's no need to define any of these below.
 # Configuring the catch-all purpose handler is enough.
@@ -0,0 +1,95 @@
+<!--
+SPDX-FileCopyrightText: 2026 MDAD project contributors
+SPDX-FileCopyrightText: 2026 Jason LaGuidice
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+-->
+
+# Setting up RustPush (iMessage) bridging (optional)
+
+> **Note:** This bridge is in early development and may have stability issues. It may not be desirable to deploy this to a large number of users. Your testing and feedback is appreciated.
+
+<sup>Refer the common guide for configuring mautrix bridges: [Setting up a Generic Mautrix Bridge](configuring-playbook-bridge-mautrix-bridges.md)</sup>
+
+The playbook can install and configure [RustPush bridge to iMessage](https://github.com/jasonlaguidice/imessage) for you using Apple's push notification service.
+
+See the project's [documentation](https://github.com/jasonlaguidice/imessage/blob/main/README.md) to learn what it does and why it might be useful to you.
+
+## Prerequisites
+
+### Hardware Key Extraction
+
+To use this bridge on Linux (Docker), each user needs a **hardware key** extracted from a real Mac. This key contains hardware identifiers needed for iMessage registration. Hardware keys can be shared by a number of users (approximately 20) before causing issues with Apple.
+
+The key is entered interactively through the bridge bot's login flow (not configured via Ansible variables). See the upstream [README](https://github.com/jasonlaguidice/imessage/blob/main/README.md) for instructions on extracting the key.
+
+If extracted from an Intel Mac, the Mac does not need to remain running after the key is extracted for this bridge to work. Apple Silicon Macs must run a NAC relay and thus must remain running.
+
+### Phone Number Registration (optional)
+
+This bridge can **not** do phone number registration (PNR). The only way to have your phone number registered and used (instead of an Apple ID e-mail address) is to have an iPhone connected to your Apple account. Reference the [BlueBubbles Phone Number Registration Guide](https://docs.bluebubbles.app/server/advanced/registering-a-phone-number-with-your-imessage-account) for information on how to set this up.
+
+### Enable Appservice Double Puppet (optional)
+
+If you want to set up [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do) for this bridge automatically, you need to have enabled [Appservice Double Puppet](configuring-playbook-appservice-double-puppet.md) service for this playbook.
+
+See [this section](configuring-playbook-bridge-mautrix-bridges.md#set-up-double-puppeting-optional) on the [common guide for configuring mautrix bridges](configuring-playbook-bridge-mautrix-bridges.md) for details about setting up Double Puppeting.
+
+## Adjusting the playbook configuration
+
+To enable the bridge, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:
+
+```yaml
+matrix_rustpush_bridge_enabled: true
+```
+
+### Disable Backfill (optional)
+
+Backfill can be disabled globally if desired via config. By default, the bridge will backfill from iCloud (CloudKit) and APNS if available. Backfill from `chat.db` is only possible when the bridge is running on MacOS.
+
+```yaml
+matrix_rustpush_bridge_backfill_enabled: false
+```
+
+### Extending the Configuration
+
+There are some additional things you may wish to configure about the bridge.
+
+See [this section](configuring-playbook-bridge-mautrix-bridges.md#extending-the-configuration) on the [common guide for configuring mautrix bridges](configuring-playbook-bridge-mautrix-bridges.md) for details about variables that you can customize and the bridge's default configuration, including [bridge permissions](configuring-playbook-bridge-mautrix-bridges.md#configure-bridge-permissions-optional), [encryption support](configuring-playbook-bridge-mautrix-bridges.md#enable-encryption-optional), [bot's username](configuring-playbook-bridge-mautrix-bridges.md#set-the-bots-username-optional), etc.
+
+## Installing
+
+After configuring the playbook, run it with [playbook tags](playbook-tags.md) as below:
+
+<!-- NOTE: let this conservative command run (instead of install-all) to make it clear that failure of the command means something is clearly broken. -->
+```sh
+ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
+```
+
+**Notes**:
+
+- The shortcut commands with the [`just` program](just.md) are also available: `just install-all` or `just setup-all`
+
+  `just install-all` is useful for maintaining your setup quickly ([2x-5x faster](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) than `just setup-all`) when its components remain unchanged. If you adjust your `vars.yml` to remove other components, you'd need to run `just setup-all`, or these components will still remain installed.
+
+## Usage
+
+To use the bridge, you need to start a chat with `@rustpushbot:example.com` (where `example.com` is your base domain, not the `matrix.` domain).
+
+After logging in, the bridge will start receiving iMessages and creating portal rooms.
+
+## Troubleshooting
+
+As with all other services, you can find the logs in [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) by logging in to the server with SSH and running `journalctl -fu matrix-rustpush-bridge`.
+
+### Increase logging verbosity
+
+The default logging level for this component is `warn`. If you want to increase the verbosity, add the following configuration to your `vars.yml` file and re-run the playbook:
+
+```yaml
+# Valid values: fatal, error, warn, info, debug, trace
+matrix_rustpush_bridge_logging_level: 'debug'
+
+# Enable debug logging for RustPush
+matrix_rustpush_bridge_rust_log: "warn,rustpushgo=info,openabsinthe=debug"
+```
@@ -13,14 +13,14 @@ SPDX-License-Identifier: AGPL-3.0-or-later

 # Setting up Ketesa (optional)

-The playbook can install and configure [Ketesa](https://github.com/etkecc/ketesa) for you.
+The playbook can install and configure [Ketesa](https://ketesa.app) ([source code](https://github.com/etkecc/ketesa)) for you.

 Ketesa is a fully-featured admin interface for Matrix homeservers — manage users, rooms, media, sessions, and more from one clean, responsive web UI. It is the evolution of [Awesome-Technologies/synapse-admin](https://github.com/Awesome-Technologies/synapse-admin): what began as a fork has grown into its own independent project with a redesigned interface, comprehensive Synapse and MAS API coverage, and multi-language support. See the [Ketesa v1.0.0 announcement](https://etke.cc/blog/introducing-ketesa/) for a full overview of what's new.

 >[!NOTE]
 >
 > - Ketesa does not work with other homeserver implementations than Synapse due to API's incompatibility.
-> - The latest version of Ketesa is hosted by [etke.cc](https://etke.cc/) at [admin.etke.cc](https://admin.etke.cc/). If you only need this service occasionally and trust giving your admin credentials to a 3rd party Single Page Application, you can consider using it from there and avoiding the (small) overhead of self-hosting.
+> - The latest version of Ketesa is hosted by [etke.cc](https://etke.cc/) at [cloud.ketesa.app](https://cloud.ketesa.app/). If you only need this service occasionally and trust giving your admin credentials to a 3rd party Single Page Application, you can consider using it from there and avoiding the (small) overhead of self-hosting.
 > - This playbook also supports an alternative management UI in the shape of [Element Admin](./configuring-playbook-element-admin.md). Please note that it's currently less feature-rich than Ketesa and requires [Matrix Authentication Service](./configuring-playbook-matrix-authentication-service.md).

 ## Adjusting DNS records (optional)
@@ -158,6 +158,8 @@ Bridges can be used to connect your Matrix installation with third-party communi

 - [Setting up Mautrix wsproxy for bridging Android SMS or Apple iMessage](configuring-playbook-bridge-mautrix-wsproxy.md)

+- [Setting up RustPush (iMessage) bridging](configuring-playbook-bridge-rustpush.md)
+
 - [Setting up Appservice IRC bridging](configuring-playbook-bridge-appservice-irc.md)

 - [Setting up Appservice Discord bridging](configuring-playbook-bridge-appservice-discord.md)
@@ -188,7 +190,7 @@ Bridges can be used to connect your Matrix installation with third-party communi

 Bots provide various additional functionality to your installation.

- [Setting up baibot](configuring-playbook-bot-baibot.md) — a bot through which you can talk to various [AI](https://en.wikipedia.org/wiki/Artificial_intelligence) / [Large Language Models](https://en.wikipedia.org/wiki/Large_language_model) services ([OpenAI](https://openai.com/)'s [ChatGPT](https://openai.com/blog/chatgpt/) and [others](https://github.com/etkecc/baibot/blob/main/docs/providers.md))
+- [Setting up baibot](configuring-playbook-bot-baibot.md) — a bot through which you can talk to various [AI](https://en.wikipedia.org/wiki/Artificial_intelligence) / [Large Language Models](https://en.wikipedia.org/wiki/Large_language_model) services (the privacy-first [Venice](configuring-playbook-bot-baibot.md#venice) we recommend, [OpenAI](https://openai.com/)'s [ChatGPT](https://openai.com/blog/chatgpt/), and [others](https://github.com/etkecc/baibot/blob/main/docs/providers.md))

 - [Setting up matrix-reminder-bot](configuring-playbook-bot-matrix-reminder-bot.md) — a bot to remind you about stuff

@@ -107,6 +107,7 @@ Bridges can be used to connect your Matrix installation with third-party communi
 | [Heisenbridge](configuring-playbook-bridge-heisenbridge.md) | [hif1/heisenbridge](https://hub.docker.com/r/hif1/heisenbridge) | ❌ | Bouncer-style bridge to [IRC](https://wikipedia.org/wiki/Internet_Relay_Chat) |
 | [mx-puppet-groupme](configuring-playbook-bridge-mx-puppet-groupme.md) | [xangelix/mx-puppet-groupme](https://hub.docker.com/r/xangelix/mx-puppet-groupme) | ❌ | Bridge to [GroupMe](https://groupme.com/) |
 | [matrix-steam-bridge](configuring-playbook-bridge-steam.md) | [jasonlaguidice/matrix-steam-bridge](https://github.com/jasonlaguidice/matrix-steam-bridge/pkgs/container/matrix-steam-bridge) | ❌ | Bridge to [Steam](https://steampowered.com/) |
+| [matrix-rustpush-bridge](configuring-playbook-bridge-rustpush.md) | [jasonlaguidice/imessage](https://github.com/jasonlaguidice/imessage/pkgs/container/imessage) | ❌ | Bridge to [iMessage](https://support.apple.com/messages) via Apple Push Notification service |
 | [mx-puppet-steam](configuring-playbook-bridge-mx-puppet-steam.md) | [icewind1991/mx-puppet-steam](https://hub.docker.com/r/icewind1991/mx-puppet-steam) | ❌ | Bridge to [Steam](https://steamapp.com/) |
 | [Postmoogle](configuring-playbook-bridge-postmoogle.md) | [etke.cc/postmoogle](https://github.com/etkecc/postmoogle/container_registry) | ❌ | Email to Matrix bridge |

@@ -44,27 +44,19 @@ Custom Nginx Configuration:
 	client_max_body_size 50M;
 ```

-Again, under the 'Proxy Hosts' page select `Add Proxy Host`, this time for your federation traffic. Apply the proxy's configuration like this:
+Then, under the 'Streams' page select `Add Stream`, this time for your federation traffic. Apply the configuration like this:

 ```md
 # Details
 # Matrix Federation proxy config
-Domain Names: matrix.example.com:8448
-Scheme: http
-Forward Hostname/IP: IP-ADDRESS-OF-YOUR-MATRIX
+Incoming Port: 8448
+Forward Host/IP: IP-ADDRESS-OF-YOUR-MATRIX
 Forward Port: 8449
+Protocols: TCP

 # SSL
 # Either 'Request a new certificate' or select an existing one
 SSL Certificate: matrix.example.com or *.example.com
-Force SSL: true
-HTTP/2 Support: true
-
-# Advanced
-# Allows NPM to listen on the federation port
-Custom Nginx Configuration:
-	listen 8448 ssl http2;
-	client_max_body_size 50M;
 ```

 Also note, NPM would need to be configured for whatever other services you are using. For example, you would need to create additional proxy hosts for `element.example.com` or `jitsi.example.com`, which would use the forwarding port `81`.
@@ -114,6 +114,8 @@ matrix_homeserver_container_extra_arguments_auto: |
    +
    (['--mount type=bind,src=' + matrix_mautrix_bluesky_config_path + '/registration.yaml,dst=/matrix-mautrix-bluesky-registration.yaml,ro'] if matrix_mautrix_bluesky_enabled else [])
    +
+    (['--mount type=bind,src=' + matrix_rustpush_bridge_config_path + '/registration.yaml,dst=/matrix-rustpush-bridge-registration.yaml,ro'] if matrix_rustpush_bridge_enabled else [])
+    +
    (['--mount type=bind,src=' + matrix_mautrix_discord_config_path + '/registration.yaml,dst=/matrix-mautrix-discord-registration.yaml,ro'] if matrix_mautrix_discord_enabled else [])
    +
    (['--mount type=bind,src=' + matrix_mautrix_slack_config_path + '/registration.yaml,dst=/matrix-mautrix-slack-registration.yaml,ro'] if matrix_mautrix_slack_enabled else [])
@@ -171,6 +173,8 @@ matrix_homeserver_app_service_config_files_auto: |
    +
    (['/matrix-mautrix-bluesky-registration.yaml'] if matrix_mautrix_bluesky_enabled else [])
    +
+    (['/matrix-rustpush-bridge-registration.yaml'] if matrix_rustpush_bridge_enabled else [])
+    +
    (['/matrix-mautrix-discord-registration.yaml'] if matrix_mautrix_discord_enabled else [])
    +
    (['/matrix-mautrix-slack-registration.yaml'] if matrix_mautrix_slack_enabled else [])
@@ -436,6 +440,13 @@ devture_systemd_service_manager_services_list_auto: |
      'groups': ['matrix', 'bridges', 'mautrix-bluesky'],
    }] if matrix_mautrix_bluesky_enabled else [])
    +
+    ([{
+      'name': 'matrix-rustpush-bridge.service',
+      'priority': 2000,
+      'restart_necessary': (matrix_rustpush_bridge_restart_necessary | bool),
+      'groups': ['matrix', 'bridges', 'matrix-rustpush-bridge'],
+    }] if matrix_rustpush_bridge_enabled else [])
+    +
    ([{
      'name': 'matrix-mautrix-discord.service',
      'priority': 2000,
@@ -1469,6 +1480,77 @@ matrix_mautrix_bluesky_database_password: "{{ (matrix_homeserver_generic_secret_
 #
 ######################################################################

+
+######################################################################
+#
+# matrix-bridge-rustpush
+#
+######################################################################
+
+# We don't enable bridges by default.
+matrix_rustpush_bridge_enabled: false
+
+matrix_rustpush_bridge_systemd_required_services_list_auto: |
+  {{
+    matrix_addons_homeserver_systemd_services_list
+    +
+    ([postgres_identifier ~ '.service'] if (postgres_enabled and matrix_rustpush_bridge_database_hostname == postgres_connection_hostname) else [])
+  }}
+
+matrix_rustpush_bridge_container_network: "{{ matrix_addons_container_network }}"
+
+matrix_rustpush_bridge_container_additional_networks_auto: |-
+  {{
+    (
+      ([] if matrix_addons_homeserver_container_network == '' else [matrix_addons_homeserver_container_network])
+      +
+      ([postgres_container_network] if (postgres_enabled and matrix_rustpush_bridge_database_hostname == postgres_connection_hostname and matrix_rustpush_bridge_container_network != postgres_container_network) else [])
+      +
+      ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network and matrix_rustpush_bridge_container_labels_traefik_enabled else [])
+    ) | unique
+  }}
+
+matrix_rustpush_bridge_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
+matrix_rustpush_bridge_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
+matrix_rustpush_bridge_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
+matrix_rustpush_bridge_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"
+
+matrix_rustpush_bridge_container_labels_metrics_middleware_basic_auth_enabled: "{{ matrix_metrics_exposure_http_basic_auth_enabled }}"
+matrix_rustpush_bridge_container_labels_metrics_middleware_basic_auth_users: "{{ matrix_metrics_exposure_http_basic_auth_users }}"
+
+matrix_rustpush_bridge_appservice_token: "{{ (matrix_homeserver_generic_secret_key + ':imsg.as.token') | hash('sha512') | to_uuid }}"
+
+matrix_rustpush_bridge_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
+matrix_rustpush_bridge_homeserver_token: "{{ (matrix_homeserver_generic_secret_key + ':imsg.hs.token') | hash('sha512') | to_uuid }}"
+
+matrix_rustpush_bridge_homeserver_async_media: "{{ matrix_homeserver_implementation in ['synapse'] }}"
+
+matrix_rustpush_bridge_provisioning_shared_secret: "{{ (matrix_homeserver_generic_secret_key + ':mau.imsg.prov') | hash('sha512') | to_uuid }}"
+
+matrix_rustpush_bridge_double_puppet_secrets_auto: |-
+  {{
+    ({
+      matrix_rustpush_bridge_homeserver_domain: ("as_token:" + matrix_appservice_double_puppet_registration_as_token)
+    })
+    if matrix_appservice_double_puppet_enabled
+    else {}
+  }}
+
+matrix_rustpush_bridge_metrics_enabled: "{{ prometheus_enabled or matrix_metrics_exposure_enabled }}"
+
+matrix_rustpush_bridge_metrics_proxying_enabled: "{{ matrix_rustpush_bridge_metrics_enabled and matrix_metrics_exposure_enabled }}"
+matrix_rustpush_bridge_metrics_proxying_hostname: "{{ matrix_metrics_exposure_hostname }}"
+matrix_rustpush_bridge_metrics_proxying_path_prefix: "{{ matrix_metrics_exposure_path_prefix }}/rustpush-bridge"
+
+matrix_rustpush_bridge_database_hostname: "{{ postgres_connection_hostname if postgres_enabled else '' }}"
+matrix_rustpush_bridge_database_password: "{{ (matrix_homeserver_generic_secret_key + ':mau.imsg.db') | hash('sha512') | to_uuid if postgres_enabled else '' }}"
+
+######################################################################
+#
+# /matrix-bridge-rustpush
+#
+######################################################################
+
 ######################################################################
 #
 # matrix-bridge-mautrix-discord
@@ -4052,6 +4134,12 @@ postgres_managed_databases_auto: |
      'password': matrix_mautrix_bluesky_database_password,
    }] if (matrix_mautrix_bluesky_enabled and matrix_mautrix_bluesky_database_engine == 'postgres' and matrix_mautrix_bluesky_database_hostname == postgres_connection_hostname) else [])
    +
+    ([{
+      'name': matrix_rustpush_bridge_database_name,
+      'username': matrix_rustpush_bridge_database_username,
+      'password': matrix_rustpush_bridge_database_password,
+    }] if (matrix_rustpush_bridge_enabled and matrix_rustpush_bridge_database_engine == 'postgres' and matrix_rustpush_bridge_database_hostname == postgres_connection_hostname) else [])
+    +
    ([{
      'name': matrix_mautrix_googlechat_database_name,
      'username': matrix_mautrix_googlechat_database_username,
@@ -4992,6 +5080,11 @@ matrix_ketesa_config_asManagedUsers_auto: |
      '^@bluesky_[a-zA-Z0-9]+:'+(matrix_domain | regex_escape)+'$',
    ] if matrix_mautrix_bluesky_enabled else [])
    +
+    ([
+      '^@'+(matrix_rustpush_bridge_appservice_bot_username | default('') | regex_escape)+':'+(matrix_domain | regex_escape)+'$',
+      '^@rustpush_[a-zA-Z0-9_.+-]+:'+(matrix_domain | regex_escape)+'$',
+    ] if matrix_rustpush_bridge_enabled else [])
+    +
    ([
      '^@'+(matrix_mautrix_discord_appservice_bot_username | default('') | regex_escape)+':'+(matrix_domain | regex_escape)+'$',
      '^@discord_[0-9]+:'+(matrix_domain | regex_escape)+'$',
@@ -1,8 +1,8 @@
 alabaster==1.0.0
 babel==2.18.0
-certifi==2026.5.20
+certifi==2026.6.17
 charset-normalizer==3.4.7
-click==8.4.1
+click==8.4.2
 docutils==0.23
 idna==3.18
 imagesize==2.0.0
@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later

 [tools]
-prek = "0.4.4"
+prek = "0.4.5"

 [settings]
 yes = true
@@ -7,7 +7,7 @@
  version: v1.4.4-2.1.4-1
  name: backup_borg
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-cinny.git
-  version: v4.12.2-0
+  version: v4.12.3-0
  name: cinny
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-container-socket-proxy.git
  version: v0.4.2-5
@@ -33,7 +33,7 @@
  version: v4.99.1-r0-2-1
  name: exim_relay
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-grafana.git
-  version: v11.6.5-10
+  version: v13.0.2-0
  name: grafana
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-hydrogen.git
  version: v0.5.1-5
@@ -42,10 +42,10 @@
  version: v11031-0
  name: jitsi
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-livekit-server.git
-  version: v1.12.0-0
+  version: v1.13.2-0
  name: livekit_server
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-ntfy.git
-  version: v2.24.0-0
+  version: v2.25.0-0
  name: ntfy
 - src: git+https://github.com/devture/com.devture.ansible.role.playbook_help.git
  version: ea8c5cc750c4e23d004c9a836dfd9eda82d45ff4
@@ -75,7 +75,7 @@
  version: v0.19.1-4
  name: prometheus_postgres_exporter
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-sable.git
-  version: v1.18.0-0
+  version: v1.18.3-0
  name: sable
 - src: git+https://github.com/devture/com.devture.ansible.role.systemd_docker_base.git
  version: v1.5.0-0
@@ -90,7 +90,7 @@
  version: v3.7.5-0
  name: traefik
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik-certs-dumper.git
-  version: v2.10.0-7
+  version: v2.11.4-0
  name: traefik_certs_dumper
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-valkey.git
  version: v9.1.0-0
@@ -11,7 +11,7 @@
 matrix_alertmanager_receiver_enabled: true

 # renovate: datasource=docker depName=docker.io/metio/matrix-alertmanager-receiver
-matrix_alertmanager_receiver_version: 2026.6.10
+matrix_alertmanager_receiver_version: 2026.6.24

 matrix_alertmanager_receiver_scheme: https

@@ -22,7 +22,7 @@ matrix_authentication_service_container_repo_version: "{{ 'main' if matrix_authe
 matrix_authentication_service_container_src_files_path: "{{ matrix_base_data_path }}/matrix-authentication-service/container-src"

 # renovate: datasource=docker depName=ghcr.io/element-hq/matrix-authentication-service
-matrix_authentication_service_version: 1.18.0
+matrix_authentication_service_version: 1.19.0
 matrix_authentication_service_container_image_registry_prefix: "{{ 'localhost/' if matrix_authentication_service_container_image_self_build else matrix_authentication_service_container_image_registry_prefix_upstream }}"
 matrix_authentication_service_container_image_registry_prefix_upstream: "{{ matrix_authentication_service_container_image_registry_prefix_upstream_default }}"
 matrix_authentication_service_container_image_registry_prefix_upstream_default: "ghcr.io/"
@@ -17,7 +17,7 @@ matrix_bot_baibot_container_repo_version: "{{ 'main' if matrix_bot_baibot_versio
 matrix_bot_baibot_container_src_files_path: "{{ matrix_base_data_path }}/baibot/container-src"

 # renovate: datasource=docker depName=ghcr.io/etkecc/baibot
-matrix_bot_baibot_version: v1.21.1
+matrix_bot_baibot_version: v1.24.0
 matrix_bot_baibot_container_image: "{{ matrix_bot_baibot_container_image_registry_prefix }}etkecc/baibot:{{ matrix_bot_baibot_version }}"
 matrix_bot_baibot_container_image_registry_prefix: "{{ 'localhost/' if matrix_bot_baibot_container_image_self_build else matrix_bot_baibot_container_image_registry_prefix_upstream }}"
 matrix_bot_baibot_container_image_registry_prefix_upstream: "{{ matrix_bot_baibot_container_image_registry_prefix_upstream_default }}"
@@ -200,6 +200,12 @@ matrix_bot_baibot_config_agents_static_definitions_auto: |-
        'provider': matrix_bot_baibot_config_agents_static_definitions_openai_provider,
        'config': matrix_bot_baibot_config_agents_static_definitions_openai_config,
    }] if matrix_bot_baibot_config_agents_static_definitions_openai_enabled else [])
+    +
+    ([{
+        'id': matrix_bot_baibot_config_agents_static_definitions_venice_id,
+        'provider': matrix_bot_baibot_config_agents_static_definitions_venice_provider,
+        'config': matrix_bot_baibot_config_agents_static_definitions_venice_config,
+    }] if matrix_bot_baibot_config_agents_static_definitions_venice_enabled else [])
  }}
 matrix_bot_baibot_config_agents_static_definitions_custom: []

@@ -442,6 +448,175 @@ matrix_bot_baibot_config_agents_static_definitions_openai_config_image_generatio
 ########################################################################################


+########################################################################################
+#                                                                                      #
+# Venice agent configuration                                                           #
+#                                                                                      #
+########################################################################################
+
+matrix_bot_baibot_config_agents_static_definitions_venice_enabled: false
+matrix_bot_baibot_config_agents_static_definitions_venice_id: venice
+matrix_bot_baibot_config_agents_static_definitions_venice_provider: venice
+
+matrix_bot_baibot_config_agents_static_definitions_venice_config: "{{ matrix_bot_baibot_config_agents_static_definitions_venice_config_yaml | from_yaml | combine(matrix_bot_baibot_config_agents_static_definitions_venice_config_extension, recursive=True) }}"
+
+matrix_bot_baibot_config_agents_static_definitions_venice_config_yaml: "{{ lookup('template', 'templates/provider/venice-config.yml.j2') }}"
+
+matrix_bot_baibot_config_agents_static_definitions_venice_config_extension: "{{ matrix_bot_baibot_config_agents_static_definitions_venice_config_extension_yaml | from_yaml if matrix_bot_baibot_config_agents_static_definitions_venice_config_extension_yaml | from_yaml is mapping else {} }}"
+
+matrix_bot_baibot_config_agents_static_definitions_venice_config_extension_yaml: |
+  # Your custom YAML configuration for this provider's configuration goes here.
+  # This configuration extends the default starting configuration (`matrix_bot_baibot_config_agents_static_definitions_venice_config`).
+  #
+  # You can override individual variables from the default configuration, or introduce new ones.
+  #
+  # If you need something more special, you can take full control by
+  # completely redefining `matrix_bot_baibot_config_agents_static_definitions_venice_config_yaml`.
+  #
+  # The fully-commented sample config (every Venice knob, with explanations) lives at:
+  # https://github.com/etkecc/baibot/blob/main/docs/sample-provider-configs/venice.yml
+  #
+  # Example configuration extension follows:
+  #
+  # text_generation:
+  #   venice_parameters:
+  #     enable_web_search: "off"
+
+matrix_bot_baibot_config_agents_static_definitions_venice_config_base_url: https://api.venice.ai/api/v1
+
+matrix_bot_baibot_config_agents_static_definitions_venice_config_api_key: ""
+
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_enabled: true
+# For valid model choices, see: https://docs.venice.ai/models/overview
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_model_id: kimi-k2-5
+# The prompt text to use (can be null or empty to not use a prompt).
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_prompt: "{{ matrix_bot_baibot_config_agents_static_definitions_prompt }}"
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_temperature: 1.0
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_max_response_tokens: 4096
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_max_context_tokens: 128000
+# How long Venice keeps the prompt prefix cached: "default", "extended", or "24h".
+# "24h" makes a long, stable system prompt cheap across a day of conversations.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_prompt_cache_retention: 24h
+# The optional top-level sampling and reasoning knobs below default to null, meaning the knob is
+# omitted from the request and Venice applies its own server-side default. Set a value to override.
+# Nucleus sampling, 0.0-1.0 (an alternative to temperature).
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_top_p: ~
+# Penalize tokens by how often they have already appeared, -2.0-2.0.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_frequency_penalty: ~
+# Penalize tokens that have appeared at all, -2.0-2.0.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_presence_penalty: ~
+# Penalize repetition; values above 1.0 discourage repeats.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_repetition_penalty: ~
+# Reasoning budget for models that support it: "low", "medium", or "high".
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_reasoning_effort: ~
+# Append the model's reasoning below the answer as a collapsible "Reasoning" block (folded by default).
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_show_reasoning: ~
+
+# Venice-specific request parameters (the `venice_parameters` bag). Each non-null knob below is sent;
+# a null knob is omitted, so Venice applies its own default. Omitting a knob is NOT the same as
+# setting it to `false` (which actively sends `false`).
+# Web search: "auto" (model decides), "on" (always), or "off".
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_enable_web_search: auto
+# Strip <think></think> blocks from reasoning models so the user sees only the answer.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_strip_thinking_response: true
+# Run in TEE-only mode (works across all models) instead of end-to-end-encrypted inference (only
+# some models support it). TEE is still zero-retention private; this default keeps every model usable.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_enable_e2ee: false
+# Render web-search sources as readable citations in the reply.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_enable_web_citations: ~
+# Let web search read full page content, not just snippets.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_enable_web_scraping: ~
+# Prepend Venice's own system prompt alongside yours.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_include_venice_system_prompt: ~
+# Include search results inline in the streamed response.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_include_search_results_in_stream: ~
+# Return search results as documents rather than inline text.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_return_search_results_as_documents: ~
+# Allow web search to query X (Twitter).
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_enable_x_search: ~
+# Disable the model's thinking phase entirely.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_disable_thinking: ~
+# Response verbosity for models that support it: "low", "medium", or "high".
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_verbosity: ~
+# Use a public Venice character by its slug.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_character_slug: ~
+
+matrix_bot_baibot_config_agents_static_definitions_venice_config_speech_to_text_enabled: true
+matrix_bot_baibot_config_agents_static_definitions_venice_config_speech_to_text_model_id: nvidia/parakeet-tdt-0.6b-v3
+
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_to_speech_enabled: true
+# Other models include tts-qwen3-1-7b, tts-xai-v1, tts-elevenlabs-turbo-v2-5, tts-minimax-speech-02-hd.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_to_speech_model_id: tts-kokoro
+# Voices are model-specific. Kokoro uses af_*/am_*/bf_*/bm_* (e.g. af_sky, am_adam). You can also pass
+# a cloned-voice handle (vv_<id>). An incompatible voice returns an error.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_to_speech_voice: af_sky
+# Output audio format: mp3, opus, aac, flac, wav, or pcm. mp3 is the broadest Matrix-client fit.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_to_speech_response_format: mp3
+# The optional knobs below default to null (omitted). Set a value to override Venice's default.
+# Playback speed, 0.25-4.0 (1.0 is normal).
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_to_speech_speed: ~
+# A style prompt steering emotion/delivery (e.g. "Excited and energetic."). Only Qwen 3 TTS uses it.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_to_speech_prompt: ~
+# Sampling temperature, 0.0-2.0. Only Qwen 3 / Orpheus / Chatterbox HD use it.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_to_speech_temperature: ~
+# Nucleus sampling, 0.0-1.0. Only Qwen 3 TTS uses it.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_text_to_speech_top_p: ~
+
+matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_enabled: true
+matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_model_id: chroma
+# The optional generation knobs below default to null (omitted). Set a value to override Venice's
+# default. Omitting a knob is NOT the same as setting it: an omitted knob lets Venice apply its own
+# default, a set value is sent verbatim.
+# A description of what should NOT appear in the image.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_negative_prompt: ~
+# CFG scale, 0-20. Higher values make the image adhere more closely to the prompt.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_cfg_scale: ~
+# Number of inference steps. Model-specific; some models ignore it.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_steps: ~
+# A named style to apply (e.g. "3D Model"). See Venice's image-styles reference.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_style_preset: ~
+# Random seed, -999999999-999999999. Fix it for reproducible results; omit for a random seed.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_seed: ~
+# Blur images classified as adult content. Defaults to true.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_safe_mode: ~
+# Hide the Venice watermark. Venice may ignore this for certain generated content. Defaults to false.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_hide_watermark: ~
+# Output format: jpeg, png, or webp. webp is smallest; png is highest-quality. Defaults to webp.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_format: ~
+# Image dimensions in pixels, each 1-1280. Default 1024x1024.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_width: ~
+matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_height: ~
+# Aspect ratio (used by certain models, e.g. Nano Banana): "1:1", "16:9". An alternative to width/height.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_aspect_ratio: ~
+# Resolution tier (used by certain models): "1K", "2K", "4K".
+matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_resolution: ~
+# Output quality for supported models (e.g. GPT Image 2): low, medium, high. Higher can cost more.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_quality: ~
+# Lora strength, 0-100. Only applies if the model uses additional Loras.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_lora_strength: ~
+# Embed the generation prompt into the image's EXIF metadata. Defaults to false.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_embed_exif_metadata: ~
+# Let the model pull the latest info from the web for the image. Model-specific; costs extra credits.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_enable_web_search: ~
+# Image editing shares this image_generation config block; only the model differs.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_edit_model_id: firered-image-edit
+# The optional edit knobs below default to null (omitted). Set a value to override Venice's default.
+# Output format: jpeg, png, or webp. When omitted, Venice infers it (PNG at 1K, JPEG at 2K/4K).
+matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_edit_output_format: ~
+# Aspect ratio of the result: auto, 1:1, 3:2, 16:9, 21:9, 9:16, 2:3, 3:4, 4:5 (model-specific).
+matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_edit_aspect_ratio: ~
+# Resolution tier: 1K, 2K, 4K (model-specific). Defaults to 1K.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_edit_resolution: ~
+# Blur images classified as adult content. Defaults to true.
+matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_edit_safe_mode: ~
+
+########################################################################################
+#                                                                                      #
+# /Venice agent configuration                                                          #
+#                                                                                      #
+########################################################################################
+
+
 # Controls the `initial_global_config.handler.catch_all` configuration setting.
 #
 # This is an initial global configuration setting.
@@ -25,6 +25,8 @@

    - {'name': 'matrix_bot_baibot_config_agents_static_definitions_openai_config_api_key', when: "{{ matrix_bot_baibot_config_agents_static_definitions_openai_enabled }}"}

+    - {'name': 'matrix_bot_baibot_config_agents_static_definitions_venice_config_api_key', when: "{{ matrix_bot_baibot_config_agents_static_definitions_venice_enabled }}"}
+
 - name: Fail if baibot authentication mode is not configured
  ansible.builtin.fail:
    msg: >-
@@ -0,0 +1,154 @@
+#jinja2: lstrip_blocks: True
+base_url: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_base_url | to_json }}
+
+api_key: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_api_key | to_json }}
+
+{% if matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_enabled %}
+text_generation:
+  model_id: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_model_id | to_json }}
+  prompt: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_prompt | to_json }}
+  temperature: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_temperature | to_json }}
+  max_response_tokens: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_max_response_tokens | int | to_json }}
+  max_context_tokens: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_max_context_tokens | int | to_json }}
+  prompt_cache_retention: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_prompt_cache_retention | to_json }}
+  {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_top_p is not none %}
+  top_p: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_top_p | to_json }}
+  {% endif %}
+  {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_frequency_penalty is not none %}
+  frequency_penalty: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_frequency_penalty | to_json }}
+  {% endif %}
+  {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_presence_penalty is not none %}
+  presence_penalty: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_presence_penalty | to_json }}
+  {% endif %}
+  {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_repetition_penalty is not none %}
+  repetition_penalty: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_repetition_penalty | to_json }}
+  {% endif %}
+  {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_reasoning_effort is not none %}
+  reasoning_effort: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_reasoning_effort | to_json }}
+  {% endif %}
+  {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_show_reasoning is not none %}
+  show_reasoning: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_show_reasoning | to_json }}
+  {% endif %}
+  venice_parameters:
+    enable_web_search: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_enable_web_search | to_json }}
+    strip_thinking_response: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_strip_thinking_response | to_json }}
+    enable_e2ee: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_enable_e2ee | to_json }}
+    {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_enable_web_citations is not none %}
+    enable_web_citations: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_enable_web_citations | to_json }}
+    {% endif %}
+    {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_enable_web_scraping is not none %}
+    enable_web_scraping: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_enable_web_scraping | to_json }}
+    {% endif %}
+    {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_include_venice_system_prompt is not none %}
+    include_venice_system_prompt: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_include_venice_system_prompt | to_json }}
+    {% endif %}
+    {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_include_search_results_in_stream is not none %}
+    include_search_results_in_stream: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_include_search_results_in_stream | to_json }}
+    {% endif %}
+    {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_return_search_results_as_documents is not none %}
+    return_search_results_as_documents: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_return_search_results_as_documents | to_json }}
+    {% endif %}
+    {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_enable_x_search is not none %}
+    enable_x_search: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_enable_x_search | to_json }}
+    {% endif %}
+    {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_disable_thinking is not none %}
+    disable_thinking: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_disable_thinking | to_json }}
+    {% endif %}
+    {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_verbosity is not none %}
+    verbosity: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_verbosity | to_json }}
+    {% endif %}
+    {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_character_slug is not none %}
+    character_slug: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_generation_venice_parameters_character_slug | to_json }}
+    {% endif %}
+{% endif %}
+
+{% if matrix_bot_baibot_config_agents_static_definitions_venice_config_speech_to_text_enabled %}
+speech_to_text:
+  model_id: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_speech_to_text_model_id | to_json }}
+{% endif %}
+
+{% if matrix_bot_baibot_config_agents_static_definitions_venice_config_text_to_speech_enabled %}
+text_to_speech:
+  model_id: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_to_speech_model_id | to_json }}
+  voice: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_to_speech_voice | to_json }}
+  response_format: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_to_speech_response_format | to_json }}
+  {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_text_to_speech_speed is not none %}
+  speed: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_to_speech_speed | to_json }}
+  {% endif %}
+  {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_text_to_speech_prompt is not none %}
+  prompt: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_to_speech_prompt | to_json }}
+  {% endif %}
+  {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_text_to_speech_temperature is not none %}
+  temperature: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_to_speech_temperature | to_json }}
+  {% endif %}
+  {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_text_to_speech_top_p is not none %}
+  top_p: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_text_to_speech_top_p | to_json }}
+  {% endif %}
+{% endif %}
+
+{% if matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_enabled %}
+image_generation:
+  model_id: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_model_id | to_json }}
+  {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_negative_prompt is not none %}
+  negative_prompt: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_negative_prompt | to_json }}
+  {% endif %}
+  {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_cfg_scale is not none %}
+  cfg_scale: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_cfg_scale | to_json }}
+  {% endif %}
+  {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_steps is not none %}
+  steps: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_steps | to_json }}
+  {% endif %}
+  {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_style_preset is not none %}
+  style_preset: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_style_preset | to_json }}
+  {% endif %}
+  {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_seed is not none %}
+  seed: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_seed | to_json }}
+  {% endif %}
+  {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_safe_mode is not none %}
+  safe_mode: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_safe_mode | to_json }}
+  {% endif %}
+  {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_hide_watermark is not none %}
+  hide_watermark: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_hide_watermark | to_json }}
+  {% endif %}
+  {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_format is not none %}
+  format: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_format | to_json }}
+  {% endif %}
+  {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_width is not none %}
+  width: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_width | to_json }}
+  {% endif %}
+  {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_height is not none %}
+  height: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_height | to_json }}
+  {% endif %}
+  {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_aspect_ratio is not none %}
+  aspect_ratio: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_aspect_ratio | to_json }}
+  {% endif %}
+  {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_resolution is not none %}
+  resolution: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_resolution | to_json }}
+  {% endif %}
+  {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_quality is not none %}
+  quality: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_quality | to_json }}
+  {% endif %}
+  {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_lora_strength is not none %}
+  lora_strength: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_lora_strength | to_json }}
+  {% endif %}
+  {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_embed_exif_metadata is not none %}
+  embed_exif_metadata: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_embed_exif_metadata | to_json }}
+  {% endif %}
+  {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_enable_web_search is not none %}
+  enable_web_search: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_enable_web_search | to_json }}
+  {% endif %}
+  edit:
+    model_id: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_edit_model_id | to_json }}
+    {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_edit_output_format is not none %}
+    output_format: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_edit_output_format | to_json }}
+    {% endif %}
+    {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_edit_aspect_ratio is not none %}
+    aspect_ratio: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_edit_aspect_ratio | to_json }}
+    {% endif %}
+    {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_edit_resolution is not none %}
+    resolution: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_edit_resolution | to_json }}
+    {% endif %}
+    {% if matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_edit_safe_mode is not none %}
+    safe_mode: {{ matrix_bot_baibot_config_agents_static_definitions_venice_config_image_generation_edit_safe_mode | to_json }}
+    {% endif %}
+{% endif %}
@@ -0,0 +1,3 @@
+SPDX-FileCopyrightText: 2026 Nikita Chernyi
+
+SPDX-License-Identifier: AGPL-3.0-or-later
@@ -13,7 +13,7 @@
 matrix_bot_buscarron_enabled: true

 # renovate: datasource=docker depName=ghcr.io/etkecc/buscarron
-matrix_bot_buscarron_version: v1.4.3
+matrix_bot_buscarron_version: v1.5.0

 # The hostname at which Buscarron is served.
 matrix_bot_buscarron_hostname: ''
@@ -20,7 +20,7 @@ matrix_mautrix_meta_instagram_enabled: true
 matrix_mautrix_meta_instagram_identifier: matrix-mautrix-meta-instagram

 # renovate: datasource=docker depName=dock.mau.dev/mautrix/meta
-matrix_mautrix_meta_instagram_version: v0.2605.1
+matrix_mautrix_meta_instagram_version: v0.2606.0

 matrix_mautrix_meta_instagram_base_path: "{{ matrix_base_data_path }}/mautrix-meta-instagram"
 matrix_mautrix_meta_instagram_config_path: "{{ matrix_mautrix_meta_instagram_base_path }}/config"
@@ -20,7 +20,7 @@ matrix_mautrix_meta_messenger_enabled: true
 matrix_mautrix_meta_messenger_identifier: matrix-mautrix-meta-messenger

 # renovate: datasource=docker depName=dock.mau.dev/mautrix/meta
-matrix_mautrix_meta_messenger_version: v0.2605.1
+matrix_mautrix_meta_messenger_version: v0.2606.0

 matrix_mautrix_meta_messenger_base_path: "{{ matrix_base_data_path }}/mautrix-meta-messenger"
 matrix_mautrix_meta_messenger_config_path: "{{ matrix_mautrix_meta_messenger_base_path }}/config"
@@ -25,7 +25,7 @@ matrix_mautrix_signal_container_image_self_build_repo: "https://mau.dev/mautrix/
 matrix_mautrix_signal_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_signal_version == 'latest' else matrix_mautrix_signal_version }}"

 # renovate: datasource=docker depName=dock.mau.dev/mautrix/signal
-matrix_mautrix_signal_version: v0.2605.0
+matrix_mautrix_signal_version: v0.2606.0

 # See: https://mau.dev/mautrix/signal/container_registry
 matrix_mautrix_signal_container_image: "{{ matrix_mautrix_signal_container_image_registry_prefix }}mautrix/signal:{{ matrix_mautrix_signal_container_image_tag }}"
@@ -17,7 +17,7 @@ matrix_mautrix_slack_container_image_self_build_repo: "https://mau.dev/mautrix/s
 matrix_mautrix_slack_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_slack_version == 'latest' else matrix_mautrix_slack_version }}"

 # renovate: datasource=docker depName=dock.mau.dev/mautrix/slack
-matrix_mautrix_slack_version: v0.2605.0
+matrix_mautrix_slack_version: v0.2606.0
 # See: https://mau.dev/mautrix/slack/container_registry
 matrix_mautrix_slack_container_image: "{{ matrix_mautrix_slack_container_image_registry_prefix }}mautrix/slack:{{ matrix_mautrix_slack_version }}"
 matrix_mautrix_slack_container_image_registry_prefix: "{{ 'localhost/' if matrix_mautrix_slack_container_image_self_build else matrix_mautrix_slack_container_image_registry_prefix_upstream }}"
@@ -26,7 +26,7 @@ matrix_mautrix_telegram_container_image_self_build_repo: "https://mau.dev/mautri
 matrix_mautrix_telegram_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_telegram_version == 'latest' else matrix_mautrix_telegram_version }}"

 # renovate: datasource=docker depName=dock.mau.dev/mautrix/telegram
-matrix_mautrix_telegram_version: v0.2605.0
+matrix_mautrix_telegram_version: v0.2606.0

 # See: https://mau.dev/mautrix/telegram/container_registry
 matrix_mautrix_telegram_container_image: "{{ matrix_mautrix_telegram_container_image_registry_prefix }}mautrix/telegram:{{ matrix_mautrix_telegram_version }}"
@@ -22,7 +22,7 @@ matrix_mautrix_twitter_container_image_self_build_repo: "https://github.com/maut
 matrix_mautrix_twitter_container_image_self_build_repo_version: "{{ 'master' if matrix_mautrix_twitter_version == 'latest' else matrix_mautrix_twitter_version }}"

 # renovate: datasource=docker depName=dock.mau.dev/mautrix/twitter
-matrix_mautrix_twitter_version: v0.2604.0
+matrix_mautrix_twitter_version: v0.2606.0
 # See: https://mau.dev/tulir/mautrix-twitter/container_registry
 matrix_mautrix_twitter_container_image: "{{ matrix_mautrix_twitter_container_image_registry_prefix }}mautrix/twitter:{{ matrix_mautrix_twitter_version }}"
 matrix_mautrix_twitter_container_image_registry_prefix: "{{ 'localhost/' if matrix_mautrix_twitter_container_image_self_build else matrix_mautrix_twitter_container_image_registry_prefix_upstream }}"
@@ -28,7 +28,7 @@ matrix_mautrix_whatsapp_container_image_self_build_repo: "https://mau.dev/mautri
 matrix_mautrix_whatsapp_container_image_self_build_branch: "{{ 'master' if matrix_mautrix_whatsapp_version == 'latest' else matrix_mautrix_whatsapp_version }}"

 # renovate: datasource=docker depName=dock.mau.dev/mautrix/whatsapp
-matrix_mautrix_whatsapp_version: v0.2605.0
+matrix_mautrix_whatsapp_version: v0.2606.0

 # See: https://mau.dev/mautrix/whatsapp/container_registry
 matrix_mautrix_whatsapp_container_image: "{{ matrix_mautrix_whatsapp_container_image_registry_prefix }}mautrix/whatsapp:{{ matrix_mautrix_whatsapp_version }}"
@@ -0,0 +1,248 @@
+# SPDX-FileCopyrightText: 2026 MDAD project contributors
+# SPDX-FileCopyrightText: 2026 Jason LaGuidice
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+---
+# matrix-bridge-rustpush is a Matrix <-> iMessage bridge using RustPush
+# Project source code URL: https://github.com/jasonlaguidice/imessage
+
+matrix_rustpush_bridge_enabled: false
+
+matrix_rustpush_bridge_container_image_self_build: false
+matrix_rustpush_bridge_container_image_self_build_repo: "https://github.com/jasonlaguidice/imessage.git"
+matrix_rustpush_bridge_container_image_self_build_repo_version: "{{ 'master' if matrix_rustpush_bridge_version == 'latest' else matrix_rustpush_bridge_version }}"
+
+# renovate: datasource=docker depName=ghcr.io/jasonlaguidice/imessage
+matrix_rustpush_bridge_version: v0.0.2
+matrix_rustpush_bridge_container_image: "{{ matrix_rustpush_bridge_container_image_registry_prefix }}jasonlaguidice/imessage:{{ matrix_rustpush_bridge_version }}"
+matrix_rustpush_bridge_container_image_registry_prefix: "{{ 'localhost/' if matrix_rustpush_bridge_container_image_self_build else matrix_rustpush_bridge_container_image_registry_prefix_upstream }}"
+matrix_rustpush_bridge_container_image_registry_prefix_upstream: "{{ matrix_rustpush_bridge_container_image_registry_prefix_upstream_default }}"
+matrix_rustpush_bridge_container_image_registry_prefix_upstream_default: "ghcr.io/"
+
+matrix_rustpush_bridge_base_path: "{{ matrix_base_data_path }}/matrix-rustpush-bridge"
+matrix_rustpush_bridge_config_path: "{{ matrix_rustpush_bridge_base_path }}/config"
+matrix_rustpush_bridge_data_path: "{{ matrix_rustpush_bridge_base_path }}/data"
+matrix_rustpush_bridge_container_src_files_path: "{{ matrix_rustpush_bridge_base_path }}/docker-src"
+
+matrix_rustpush_bridge_homeserver_address: ""
+# Whether asynchronous uploads via MSC2246 should be enabled for media.
+matrix_rustpush_bridge_homeserver_async_media: false
+matrix_rustpush_bridge_homeserver_domain: '{{ matrix_domain }}'
+matrix_rustpush_bridge_appservice_address: 'http://matrix-rustpush-bridge:8081'
+
+matrix_rustpush_bridge_msc4190_enabled: "{{ matrix_bridges_msc4190_enabled }}"
+matrix_rustpush_bridge_self_sign_enabled: "{{ matrix_bridges_self_sign_enabled }}"
+
+# A public address that external services can use to reach this appservice.
+matrix_rustpush_bridge_appservice_public_address: ''
+
+# Displayname template for iMessage contacts.
+# Available variables: {{.FirstName}}, {{.LastName}}, {{.Nickname}},
+# {{.Phone}}, {{.Email}}, {{.ID}}
+matrix_rustpush_bridge_network_displayname_template: "{% raw %}{{if .FirstName}}{{.FirstName}}{{if .LastName}} {{.LastName}}{{end}}{{else if .Nickname}}{{.Nickname}}{{else if .Phone}}{{.Phone}}{{else if .Email}}{{.Email}}{{else}}{{.ID}}{{end}} (iMessage){% endraw %}"
+
+matrix_rustpush_bridge_cloudkit_backfill: true
+matrix_rustpush_bridge_video_transcoding: true
+matrix_rustpush_bridge_heic_conversion: true
+matrix_rustpush_bridge_disable_facetime: false
+matrix_rustpush_bridge_statuskit_notifications: true
+matrix_rustpush_bridge_statuskit_share_on_startup: true
+
+matrix_rustpush_bridge_bridge_command_prefix: "!im"
+
+matrix_rustpush_bridge_bridge_permissions: |
+  {{
+    {matrix_rustpush_bridge_homeserver_domain: 'user'}
+    | combine({matrix_admin: 'admin'} if matrix_admin else {})
+  }}
+
+matrix_rustpush_bridge_container_network: ""
+
+matrix_rustpush_bridge_container_additional_networks: "{{ matrix_rustpush_bridge_container_additional_networks_auto + matrix_rustpush_bridge_container_additional_networks_custom }}"
+matrix_rustpush_bridge_container_additional_networks_auto: []
+matrix_rustpush_bridge_container_additional_networks_custom: []
+
+# matrix_rustpush_bridge_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
+# See `../templates/labels.j2` for details.
+#
+# To inject your own other container labels, see `matrix_rustpush_bridge_container_labels_additional_labels`.
+matrix_rustpush_bridge_container_labels_traefik_enabled: true
+matrix_rustpush_bridge_container_labels_traefik_docker_network: "{{ matrix_rustpush_bridge_container_network }}"
+matrix_rustpush_bridge_container_labels_traefik_entrypoints: web-secure
+matrix_rustpush_bridge_container_labels_traefik_tls_certResolver: default  # noqa var-naming
+
+# Controls whether labels will be added that expose metrics
+matrix_rustpush_bridge_container_labels_metrics_enabled: "{{ matrix_rustpush_bridge_metrics_enabled and matrix_rustpush_bridge_metrics_proxying_enabled }}"
+matrix_rustpush_bridge_container_labels_metrics_traefik_rule: "Host(`{{ matrix_rustpush_bridge_metrics_proxying_hostname }}`) && PathPrefix(`{{ matrix_rustpush_bridge_metrics_proxying_path_prefix }}`)"
+matrix_rustpush_bridge_container_labels_metrics_traefik_priority: 0
+matrix_rustpush_bridge_container_labels_metrics_traefik_entrypoints: "{{ matrix_rustpush_bridge_container_labels_traefik_entrypoints }}"
+matrix_rustpush_bridge_container_labels_metrics_traefik_tls: "{{ matrix_rustpush_bridge_container_labels_metrics_traefik_entrypoints != 'web' }}"
+matrix_rustpush_bridge_container_labels_metrics_traefik_tls_certResolver: "{{ matrix_rustpush_bridge_container_labels_traefik_tls_certResolver }}"  # noqa var-naming
+matrix_rustpush_bridge_container_labels_metrics_middleware_basic_auth_enabled: false
+# See: https://doc.traefik.io/traefik/middlewares/http/basicauth/#users
+matrix_rustpush_bridge_container_labels_metrics_middleware_basic_auth_users: ''
+
+# matrix_rustpush_bridge_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
+# See `../templates/labels.j2` for details.
+#
+# Example:
+# matrix_rustpush_bridge_container_labels_additional_labels: |
+#   my.label=1
+#   another.label="here"
+matrix_rustpush_bridge_container_labels_additional_labels: ''
+
+# A list of extra arguments to pass to the container
+matrix_rustpush_bridge_container_extra_arguments: []
+
+# Override the Rust log filter passed to the bridge container via RUST_LOG.
+# Leave empty to use the bridge's built-in default
+# ("warn,rustpush=warn,rustpushgo=info,open_absinthe=info").
+#
+# Useful values:
+#   "warn,rustpushgo=info,open_absinthe=debug"   # NAC emulator diagnostics (_enc field sizes, etc.)
+#   "warn,rustpushgo=info,open_absinthe=debug,rustpush=info"  # + upstream rustpush internals
+#   "debug"                                       # everything (very chatty)
+#
+# The open_absinthe crate logs NAC hardware-key diagnostics at INFO and emulator
+# state at DEBUG. These are suppressed by default to reduce log noise.
+matrix_rustpush_bridge_rust_log: ""
+
+# List of systemd services that matrix-rustpush-bridge.service depends on.
+matrix_rustpush_bridge_systemd_required_services_list: "{{ matrix_rustpush_bridge_systemd_required_services_list_default + matrix_rustpush_bridge_systemd_required_services_list_auto + matrix_rustpush_bridge_systemd_required_services_list_custom }}"
+matrix_rustpush_bridge_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
+matrix_rustpush_bridge_systemd_required_services_list_auto: []
+matrix_rustpush_bridge_systemd_required_services_list_custom: []
+
+# List of systemd services that matrix-rustpush-bridge.service wants
+matrix_rustpush_bridge_systemd_wanted_services_list: []
+
+matrix_rustpush_bridge_appservice_token: ''
+matrix_rustpush_bridge_homeserver_token: ''
+
+# Whether or not created rooms should have federation enabled.
+# If false, created portal rooms will never be federated.
+matrix_rustpush_bridge_matrix_federate_rooms: false
+
+# Database-related configuration fields.
+#
+# To use Postgres:
+# - adjust your database credentials via the `matrix_rustpush_bridge_postgres_*` variables
+matrix_rustpush_bridge_database_engine: 'postgres'
+
+matrix_rustpush_bridge_database_username: 'matrix_rustpush_bridge'
+matrix_rustpush_bridge_database_password: 'some-password'
+matrix_rustpush_bridge_database_hostname: ''
+matrix_rustpush_bridge_database_port: 5432
+matrix_rustpush_bridge_database_name: 'matrix_rustpush_bridge'
+matrix_rustpush_bridge_database_sslmode: disable
+
+matrix_rustpush_bridge_database_connection_string: 'postgres://{{ matrix_rustpush_bridge_database_username }}:{{ matrix_rustpush_bridge_database_password }}@{{ matrix_rustpush_bridge_database_hostname }}:{{ matrix_rustpush_bridge_database_port }}/{{ matrix_rustpush_bridge_database_name }}?sslmode={{ matrix_rustpush_bridge_database_sslmode }}'
+
+matrix_rustpush_bridge_database_uri: "{{
+	{
+		'postgres': matrix_rustpush_bridge_database_connection_string,
+	}[matrix_rustpush_bridge_database_engine]
+}}"
+
+matrix_rustpush_bridge_double_puppet_secrets: "{{ matrix_rustpush_bridge_double_puppet_secrets_auto | combine(matrix_rustpush_bridge_double_puppet_secrets_custom) }}"
+matrix_rustpush_bridge_double_puppet_secrets_auto: {}
+matrix_rustpush_bridge_double_puppet_secrets_custom: {}
+
+matrix_rustpush_bridge_appservice_bot_username: rustpushbot
+matrix_rustpush_bridge_appservice_bot_displayname: RustPush bridge bot
+matrix_rustpush_bridge_appservice_bot_avatar: ''
+
+# Localpart template for MXIDs of remote (iMessage) users.
+# The `{{.}}` placeholder expands to the iMessage handle (phone/email).
+matrix_rustpush_bridge_appservice_username_template: "{% raw %}rustpush_{{.}}{% endraw %}"
+
+# Backfill is disabled by default because Linux Docker cannot access chat.db.
+# On macOS with Full Disk Access, this can be set to true.
+matrix_rustpush_bridge_backfill_enabled: false
+# Maximum number of messages to backfill in empty rooms
+matrix_rustpush_bridge_backfill_max_initial_messages: 50
+
+# Maximum number of missed messages to backfill after bridge restarts
+matrix_rustpush_bridge_backfill_max_catchup_messages: 500
+
+# How many days back to look for chats during initial sync.
+# Default in upstream is 365 (1 year). Set to 0 to disable.
+matrix_rustpush_bridge_initial_sync_days: 365
+
+# Shared secret for authentication of provisioning API requests.
+# If set to "disable", the provisioning API will be disabled.
+matrix_rustpush_bridge_provisioning_shared_secret: disable
+
+# Minimum severity of journal log messages.
+# Valid values: fatal, error, warn, info, debug, trace
+matrix_rustpush_bridge_logging_level: 'warn'
+
+# Whether or not metrics endpoint should be enabled.
+# Enabling them is usually enough for a local (in-container) Prometheus to consume them.
+# If metrics need to be consumed by another (external) Prometheus server, consider exposing them via `matrix_rustpush_bridge_metrics_proxying_enabled`.
+matrix_rustpush_bridge_metrics_enabled: false
+
+# Controls whether metrics should be exposed on a public URL.
+matrix_rustpush_bridge_metrics_proxying_enabled: false
+matrix_rustpush_bridge_metrics_proxying_hostname: ''
+matrix_rustpush_bridge_metrics_proxying_path_prefix: ''
+
+# Default configuration template which covers the generic use case.
+# You can customize it by controlling the various variables inside it.
+#
+# For a more advanced customization, you can extend the default (see `matrix_rustpush_bridge_configuration_extension_yaml`)
+# or completely replace this variable with your own template.
+matrix_rustpush_bridge_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}"
+
+matrix_rustpush_bridge_configuration_extension_yaml: |
+  # Your custom YAML configuration goes here.
+  # This configuration extends the default starting configuration (`matrix_rustpush_bridge_configuration_yaml`).
+  #
+  # You can override individual variables from the default configuration, or introduce new ones.
+  #
+  # If you need something more special, you can take full control by
+  # completely redefining `matrix_rustpush_bridge_configuration_yaml`.
+
+matrix_rustpush_bridge_configuration_extension: "{{ matrix_rustpush_bridge_configuration_extension_yaml | from_yaml if matrix_rustpush_bridge_configuration_extension_yaml | from_yaml is mapping else {} }}"
+
+# Holds the final configuration (a combination of the default and its extension).
+# You most likely don't need to touch this variable. Instead, see `matrix_rustpush_bridge_configuration_yaml`.
+matrix_rustpush_bridge_configuration: "{{ matrix_rustpush_bridge_configuration_yaml | from_yaml | combine(matrix_rustpush_bridge_configuration_extension, recursive=True) }}"
+
+matrix_rustpush_bridge_registration_yaml: |
+  id: rustpush-bridge
+  as_token: "{{ matrix_rustpush_bridge_appservice_token }}"
+  hs_token: "{{ matrix_rustpush_bridge_homeserver_token }}"
+  namespaces:
+    users:
+    - exclusive: true
+      regex: '^@rustpush_.+:{{ matrix_rustpush_bridge_homeserver_domain | regex_escape }}$'
+    - exclusive: true
+      regex: '^@{{ matrix_rustpush_bridge_appservice_bot_username | regex_escape }}:{{ matrix_rustpush_bridge_homeserver_domain | regex_escape }}$'
+  url: {{ matrix_rustpush_bridge_appservice_address }}
+  sender_localpart: _bot_{{ matrix_rustpush_bridge_appservice_bot_username }}
+  rate_limited: false
+  de.sorunome.msc2409.push_ephemeral: true
+  receive_ephemeral: true
+  io.element.msc4190: {{ matrix_rustpush_bridge_msc4190_enabled | to_json }}
+
+matrix_rustpush_bridge_registration: "{{ matrix_rustpush_bridge_registration_yaml | from_yaml }}"
+
+# Enable End-to-bridge encryption
+matrix_rustpush_bridge_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}"
+matrix_rustpush_bridge_bridge_encryption_default: "{{ matrix_bridges_encryption_default }}"
+matrix_rustpush_bridge_bridge_encryption_require: false
+matrix_rustpush_bridge_bridge_encryption_appservice: false
+matrix_rustpush_bridge_bridge_encryption_key_sharing_allow: "{{ matrix_rustpush_bridge_bridge_encryption_allow }}"
+matrix_rustpush_bridge_bridge_encryption_pickle_key: mautrix.bridge.e2ee
+
+# matrix_rustpush_bridge_restart_necessary controls whether the service
+# will be restarted (when true) or merely started (when false) by the
+# systemd service manager role (when conditional restart is enabled).
+#
+# This value is automatically computed during installation based on whether
+# any configuration files, the systemd service file, or the container image changed.
+# The default of `false` means "no restart needed" — appropriate when the role's
+# installation tasks haven't run (e.g., due to --tags skipping them).
+matrix_rustpush_bridge_restart_necessary: false
@@ -0,0 +1,25 @@
+# SPDX-FileCopyrightText: 2026 MDAD project contributors
+# SPDX-FileCopyrightText: 2026 Jason LaGuidice
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+---
+
+- tags:
+    - setup-all
+    - setup-rustpush-bridge
+    - install-all
+    - install-rustpush-bridge
+  block:
+    - when: matrix_rustpush_bridge_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
+
+    - when: matrix_rustpush_bridge_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
+
+- tags:
+    - setup-all
+    - setup-rustpush-bridge
+  block:
+    - when: not matrix_rustpush_bridge_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
@@ -0,0 +1,110 @@
+# SPDX-FileCopyrightText: 2026 MDAD project contributors
+# SPDX-FileCopyrightText: 2026 Jason LaGuidice
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+---
+
+- name: Ensure RustPush paths exist
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
+  with_items:
+    - {path: "{{ matrix_rustpush_bridge_base_path }}", when: true}
+    - {path: "{{ matrix_rustpush_bridge_config_path }}", when: true}
+    - {path: "{{ matrix_rustpush_bridge_data_path }}", when: true}
+    - {path: "{{ matrix_rustpush_bridge_container_src_files_path }}", when: "{{ matrix_rustpush_bridge_container_image_self_build }}"}
+  when: item.when | bool
+
+- name: Ensure RustPush repository is present on self-build
+  ansible.builtin.git:
+    repo: "{{ matrix_rustpush_bridge_container_image_self_build_repo }}"
+    version: "{{ matrix_rustpush_bridge_container_image_self_build_repo_version }}"
+    dest: "{{ matrix_rustpush_bridge_container_src_files_path }}"
+    force: "yes"
+  become: true
+  become_user: "{{ matrix_user_name }}"
+  register: matrix_rustpush_bridge_git_pull_results
+  when: "matrix_rustpush_bridge_enabled | bool and matrix_rustpush_bridge_container_image_self_build"
+
+- name: Ensure RustPush Docker image is built
+  community.docker.docker_image_build:
+    name: "{{ matrix_rustpush_bridge_container_image }}"
+    dockerfile: Dockerfile
+    path: "{{ matrix_rustpush_bridge_container_src_files_path }}"
+    pull: true
+    rebuild: "{{ 'always' if matrix_rustpush_bridge_git_pull_results.changed | bool else 'never' }}"
+    build_args:
+      BUILD_VERSION: "{{ matrix_rustpush_bridge_container_image_self_build_repo_version }}"
+      BUILD_COMMIT: "{{ matrix_rustpush_bridge_git_pull_results.after[:8] if matrix_rustpush_bridge_git_pull_results is defined and matrix_rustpush_bridge_git_pull_results.after is defined else 'unknown' }}"
+  register: matrix_rustpush_bridge_container_image_build_result
+  when: "matrix_rustpush_bridge_enabled | bool and matrix_rustpush_bridge_container_image_self_build | bool"
+
+- name: Ensure RustPush container image is pulled
+  community.docker.docker_image_pull:
+    name: "{{ matrix_rustpush_bridge_container_image }}"
+    pull: always
+  register: matrix_rustpush_bridge_container_image_pull_result
+  when: "matrix_rustpush_bridge_enabled | bool and not matrix_rustpush_bridge_container_image_self_build | bool"
+  retries: "{{ devture_playbook_help_container_retries_count }}"
+  delay: "{{ devture_playbook_help_container_retries_delay }}"
+  until: matrix_rustpush_bridge_container_image_pull_result is not failed
+  ignore_errors: "{{ ansible_check_mode }}"
+
+- name: Ensure rustpush-bridge config.yaml installed
+  ansible.builtin.copy:
+    content: "{{ matrix_rustpush_bridge_configuration | to_nice_yaml(indent=2, width=999999) }}"
+    dest: "{{ matrix_rustpush_bridge_config_path }}/config.yaml"
+    mode: 0644
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
+  register: matrix_rustpush_bridge_config_result
+
+- name: Ensure rustpush-bridge registration.yaml installed
+  ansible.builtin.copy:
+    content: "{{ matrix_rustpush_bridge_registration | to_nice_yaml(indent=2, width=999999) }}"
+    dest: "{{ matrix_rustpush_bridge_config_path }}/registration.yaml"
+    mode: 0644
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
+  register: matrix_rustpush_bridge_registration_result
+
+- name: Ensure rustpush-bridge support files installed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/{{ item }}.j2"
+    dest: "{{ matrix_rustpush_bridge_base_path }}/{{ item }}"
+    mode: 0640
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
+  with_items:
+    - labels
+  register: matrix_rustpush_bridge_support_files_result
+
+- name: Ensure matrix-rustpush-bridge container network is created
+  community.general.docker_network:
+    enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}"
+    name: "{{ matrix_rustpush_bridge_container_network }}"
+    driver: bridge
+    driver_options: "{{ devture_systemd_docker_base_container_networks_driver_options }}"
+
+- name: Ensure matrix-rustpush-bridge.service installed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/systemd/matrix-rustpush-bridge.service.j2"
+    dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-rustpush-bridge.service"
+    mode: 0644
+  register: matrix_rustpush_bridge_systemd_service_result
+
+- name: Determine whether matrix-rustpush-bridge needs a restart
+  ansible.builtin.set_fact:
+    matrix_rustpush_bridge_restart_necessary: >-
+      {{
+        matrix_rustpush_bridge_config_result.changed | default(false)
+        or matrix_rustpush_bridge_registration_result.changed | default(false)
+        or matrix_rustpush_bridge_support_files_result.changed | default(false)
+        or matrix_rustpush_bridge_systemd_service_result.changed | default(false)
+        or matrix_rustpush_bridge_container_image_pull_result.changed | default(false)
+        or matrix_rustpush_bridge_container_image_build_result.changed | default(false)
+      }}
@@ -0,0 +1,24 @@
+# SPDX-FileCopyrightText: 2026 MDAD project contributors
+# SPDX-FileCopyrightText: 2026 Jason LaGuidice
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+---
+
+- name: Check existence of matrix-rustpush-bridge service
+  ansible.builtin.stat:
+    path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-rustpush-bridge.service"
+  register: matrix_rustpush_bridge_service_stat
+
+- when: matrix_rustpush_bridge_service_stat.stat.exists | bool
+  block:
+    - name: Ensure matrix-rustpush-bridge is stopped
+      ansible.builtin.service:
+        name: matrix-rustpush-bridge
+        state: stopped
+        daemon_reload: true
+
+    - name: Ensure matrix-rustpush-bridge.service doesn't exist
+      ansible.builtin.file:
+        path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-rustpush-bridge.service"
+        state: absent
@@ -0,0 +1,20 @@
+# SPDX-FileCopyrightText: 2026 MDAD project contributors
+# SPDX-FileCopyrightText: 2026 Jason LaGuidice
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+---
+
+- name: Fail if required RustPush settings not defined
+  ansible.builtin.fail:
+    msg: >-
+      You need to define a required configuration setting (`{{ item.name }}`).
+  when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0"
+  with_items:
+    - {'name': 'matrix_rustpush_bridge_appservice_token', when: true}
+    - {'name': 'matrix_rustpush_bridge_homeserver_address', when: true}
+    - {'name': 'matrix_rustpush_bridge_homeserver_token', when: true}
+    - {'name': 'matrix_rustpush_bridge_database_hostname', when: "{{ matrix_rustpush_bridge_database_engine == 'postgres' }}"}
+    - {'name': 'matrix_rustpush_bridge_container_network', when: true}
+    - {'name': 'matrix_rustpush_bridge_metrics_proxying_hostname', when: "{{ matrix_rustpush_bridge_metrics_proxying_enabled }}"}
+    - {'name': 'matrix_rustpush_bridge_metrics_proxying_path_prefix', when: "{{ matrix_rustpush_bridge_metrics_proxying_enabled }}"}
@@ -0,0 +1,209 @@
+#jinja2: lstrip_blocks: True
+# Network-specific config options (iMessage via RustPush)
+network:
+    # Displayname template for iMessage contacts.
+    # Available variables:
+    # .FirstName, .LastName, .Nickname
+    # .Phone, .Email, .ID
+    displayname_template: {{ matrix_rustpush_bridge_network_displayname_template | to_json }}
+
+    # How many days back to look for chats during initial sync.
+    # Default is 365 (1 year). Set to 0 to use the default.
+    initial_sync_days: {{ matrix_rustpush_bridge_initial_sync_days | to_json }}
+
+    # Set to false to disable CloudKit backfill globally
+    cloudkit_backfill: {{ matrix_rustpush_bridge_cloudkit_backfill | to_json }}
+    backfill_source: cloudkit
+
+    # Enable or disable video transcoding
+    video_transcoding: {{ matrix_rustpush_bridge_video_transcoding | to_json }}
+
+    # Enable or disable HEIC conversion
+    heic_conversion: {{ matrix_rustpush_bridge_heic_conversion | to_json }}
+    heic_jpeg_quality: 95
+
+    # Set to true to disable Facetime support globally
+    disable_facetime: {{ matrix_rustpush_bridge_disable_facetime | to_json }}
+
+    # Set to false to disable Statuskit support globally
+    statuskit_notifications: {{ matrix_rustpush_bridge_statuskit_notifications | to_json }}
+    statuskit_share_on_startup: {{ matrix_rustpush_bridge_statuskit_share_on_startup | to_json }}
+
+# Config options that affect the central bridge module.
+bridge:
+    # The prefix for commands. Only required in non-management rooms.
+    command_prefix: {{ matrix_rustpush_bridge_bridge_command_prefix | to_json }}
+    # Should the bridge create a space for each login containing the rooms that account is in?
+    personal_filtering_spaces: true
+    # Whether the bridge should set names and avatars explicitly for DM portals.
+    private_chat_portal_meta: true
+    # Should events be handled asynchronously within portal rooms?
+    async_events: false
+    # Should every user have their own portals rather than sharing them?
+    split_portals: false
+    # Should the bridge resend `m.bridge` events to all portals on startup?
+    resend_bridge_info: false
+
+    # Should leaving Matrix rooms be bridged as leaving groups on the remote network?
+    bridge_matrix_leave: false
+    # Should room tags only be synced when creating the portal?
+    tag_only_on_create: true
+    # List of tags to allow bridging.
+    only_bridge_tags: [m.favourite, m.lowpriority]
+    # Should room mute status only be synced when creating the portal?
+    mute_only_on_create: true
+
+    # What should be done to portal rooms when a user logs out or is logged out?
+    cleanup_on_logout:
+        enabled: false
+        manual:
+            private: nothing
+            relayed: nothing
+            shared_no_users: nothing
+            shared_has_users: nothing
+        bad_credentials:
+            private: nothing
+            relayed: nothing
+            shared_no_users: nothing
+            shared_has_users: nothing
+
+    # Settings for relay mode
+    relay:
+        enabled: false
+        admin_only: true
+        default_relays: []
+        message_formats:
+            m.text: "{% raw %}<b>{{ .Sender.DisambiguatedName }}</b>: {{ .Message }}{% endraw %}"
+            m.notice: "{% raw %}<b>{{ .Sender.DisambiguatedName }}</b>: {{ .Message }}{% endraw %}"
+            m.emote: "{% raw %}* <b>{{ .Sender.DisambiguatedName }}</b> {{ .Message }}{% endraw %}"
+            m.file: "{% raw %}<b>{{ .Sender.DisambiguatedName }}</b> sent a file{{ if .Caption }}: {{ .Caption }}{{ end }}{% endraw %}"
+            m.image: "{% raw %}<b>{{ .Sender.DisambiguatedName }}</b> sent an image{{ if .Caption }}: {{ .Caption }}{{ end }}{% endraw %}"
+            m.audio: "{% raw %}<b>{{ .Sender.DisambiguatedName }}</b> sent an audio file{{ if .Caption }}: {{ .Caption }}{{ end }}{% endraw %}"
+            m.video: "{% raw %}<b>{{ .Sender.DisambiguatedName }}</b> sent a video{{ if .Caption }}: {{ .Caption }}{{ end }}{% endraw %}"
+            m.location: "{% raw %}<b>{{ .Sender.DisambiguatedName }}</b> sent a location{{ if .Caption }}: {{ .Caption }}{{ end }}{% endraw %}"
+        displayname_format: "{% raw %}{{ .DisambiguatedName }}{% endraw %}"
+
+    # Permissions for using the bridge.
+    permissions: {{ matrix_rustpush_bridge_bridge_permissions | to_json }}
+
+# Config for the bridge's database.
+database:
+    type: postgres
+    uri: {{ matrix_rustpush_bridge_database_uri | to_json }}
+    max_open_conns: 5
+    max_idle_conns: 1
+    max_conn_idle_time: null
+    max_conn_lifetime: null
+
+# Homeserver details.
+homeserver:
+    address: {{ matrix_rustpush_bridge_homeserver_address | to_json }}
+    domain: {{ matrix_rustpush_bridge_homeserver_domain | to_json }}
+    software: standard
+    status_endpoint:
+    message_send_checkpoint_endpoint:
+    async_media: {{ matrix_rustpush_bridge_homeserver_async_media | to_json }}
+    websocket: false
+    ping_interval_seconds: 0
+
+# Application service host/registration related details.
+appservice:
+    address: {{ matrix_rustpush_bridge_appservice_address | to_json }}
+    public_address: {{ matrix_rustpush_bridge_appservice_public_address | to_json }}
+
+    hostname: 0.0.0.0
+    port: 8081
+
+    id: rustpush-bridge
+    bot:
+        username: {{ matrix_rustpush_bridge_appservice_bot_username | to_json }}
+        displayname: {{ matrix_rustpush_bridge_appservice_bot_displayname | to_json(ensure_ascii=False) }}
+        avatar: {{ matrix_rustpush_bridge_appservice_bot_avatar | to_json }}
+
+    ephemeral_events: true
+    async_transactions: false
+
+    as_token: {{ matrix_rustpush_bridge_appservice_token | to_json }}
+    hs_token: {{ matrix_rustpush_bridge_homeserver_token | to_json }}
+
+    # Localpart template of MXIDs for remote users.
+    username_template: {{ matrix_rustpush_bridge_appservice_username_template | to_json }}
+
+# Config options that affect the Matrix connector of the bridge.
+matrix:
+    message_status_events: false
+    delivery_receipts: false
+    message_error_notices: true
+    sync_direct_chat_list: true
+    federate_rooms: {{ matrix_rustpush_bridge_matrix_federate_rooms | to_json }}
+    upload_file_threshold: 5242880
+
+# Segment-compatible analytics endpoint for tracking some events.
+analytics:
+    token: null
+    url: https://api.segment.io/v1/track
+    user_id: null
+
+# Settings for provisioning API
+provisioning:
+    prefix: /_matrix/provision
+    shared_secret: {{ matrix_rustpush_bridge_provisioning_shared_secret | to_json }}
+    allow_matrix_auth: true
+    debug_endpoints: false
+
+# Settings for backfilling messages.
+backfill:
+    enabled: {{ matrix_rustpush_bridge_backfill_enabled | to_json }}
+    max_initial_messages: {{ matrix_rustpush_bridge_backfill_max_initial_messages | to_json }}
+    max_catchup_messages: {{ matrix_rustpush_bridge_backfill_max_catchup_messages | to_json }}
+    unread_hours_threshold: 720
+    threads:
+        max_initial_messages: 50
+    queue:
+        enabled: false
+        batch_size: 100
+        batch_delay: 20
+        max_batches: -1
+        max_batches_override: {}
+
+# Settings for enabling double puppeting
+double_puppet:
+    servers: {}
+    allow_discovery: false
+    secrets: {{ matrix_rustpush_bridge_double_puppet_secrets | to_json }}
+
+# End-to-bridge encryption support options.
+encryption:
+    allow: {{ matrix_rustpush_bridge_bridge_encryption_allow | to_json }}
+    default: {{ matrix_rustpush_bridge_bridge_encryption_default | to_json }}
+    require: {{ matrix_rustpush_bridge_bridge_encryption_require | to_json }}
+    appservice: {{ matrix_rustpush_bridge_bridge_encryption_appservice | to_json }}
+    msc4190: {{ matrix_rustpush_bridge_msc4190_enabled | to_json }}
+    self_sign: {{ matrix_rustpush_bridge_self_sign_enabled | to_json }}
+    allow_key_sharing: {{ matrix_rustpush_bridge_bridge_encryption_key_sharing_allow | to_json }}
+    pickle_key: {{ matrix_rustpush_bridge_bridge_encryption_pickle_key | to_json }}
+    delete_keys:
+        delete_outbound_on_ack: false
+        dont_store_outbound: false
+        ratchet_on_decrypt: false
+        delete_fully_used_on_decrypt: false
+        delete_prev_on_new_session: false
+        delete_on_device_delete: false
+        periodically_delete_expired: false
+        delete_outdated_inbound: false
+    verification_levels:
+        receive: unverified
+        send: unverified
+        share: cross-signed-tofu
+    rotation:
+        enable_custom: false
+        milliseconds: 604800000
+        messages: 100
+        disable_device_change_key_rotation: false
+
+# Logging config.
+logging:
+    min_level: {{ matrix_rustpush_bridge_logging_level | to_json }}
+    writers:
+        - type: stdout
+          format: pretty-colored
@@ -0,0 +1,4 @@
+SPDX-FileCopyrightText: 2026 MDAD project contributors
+SPDX-FileCopyrightText: 2026 Jason LaGuidice
+
+SPDX-License-Identifier: AGPL-3.0-or-later
@@ -0,0 +1,53 @@
+{#
+SPDX-FileCopyrightText: 2026 MDAD project contributors
+SPDX-FileCopyrightText: 2026 Jason LaGuidice
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+{% if matrix_rustpush_bridge_container_labels_traefik_enabled %}
+traefik.enable=true
+
+{% if matrix_rustpush_bridge_container_labels_traefik_docker_network %}
+traefik.docker.network={{ matrix_rustpush_bridge_container_labels_traefik_docker_network }}
+{% endif %}
+
+traefik.http.services.matrix-rustpush-bridge-metrics.loadbalancer.server.port=8000
+
+{% if matrix_rustpush_bridge_container_labels_metrics_enabled %}
+############################################################
+#                                                          #
+# Metrics                                                  #
+#                                                          #
+############################################################
+
+{% if matrix_rustpush_bridge_container_labels_metrics_middleware_basic_auth_enabled %}
+traefik.http.middlewares.matrix-rustpush-bridge-metrics-basic-auth.basicauth.users={{ matrix_rustpush_bridge_container_labels_metrics_middleware_basic_auth_users }}
+traefik.http.routers.matrix-rustpush-bridge-metrics.middlewares=matrix-rustpush-bridge-metrics-basic-auth
+{% endif %}
+
+traefik.http.routers.matrix-rustpush-bridge-metrics.rule={{ matrix_rustpush_bridge_container_labels_metrics_traefik_rule }}
+
+{% if matrix_rustpush_bridge_container_labels_metrics_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-rustpush-bridge-metrics.priority={{ matrix_rustpush_bridge_container_labels_metrics_traefik_priority }}
+{% endif %}
+
+traefik.http.routers.matrix-rustpush-bridge-metrics.service=matrix-rustpush-bridge-metrics
+traefik.http.routers.matrix-rustpush-bridge-metrics.entrypoints={{ matrix_rustpush_bridge_container_labels_metrics_traefik_entrypoints }}
+
+traefik.http.routers.matrix-rustpush-bridge-metrics.tls={{ matrix_rustpush_bridge_container_labels_metrics_traefik_tls | to_json }}
+{% if matrix_rustpush_bridge_container_labels_metrics_traefik_tls %}
+traefik.http.routers.matrix-rustpush-bridge-metrics.tls.certResolver={{ matrix_rustpush_bridge_container_labels_metrics_traefik_tls_certResolver }}
+{% endif %}
+
+############################################################
+#                                                          #
+# /Metrics                                                 #
+#                                                          #
+############################################################
+{% endif %}
+
+
+{% endif %}
+
+{{ matrix_rustpush_bridge_container_labels_additional_labels }}
@@ -0,0 +1,4 @@
+SPDX-FileCopyrightText: 2026 MDAD project contributors
+SPDX-FileCopyrightText: 2026 Jason LaGuidice
+
+SPDX-License-Identifier: AGPL-3.0-or-later
@@ -0,0 +1,51 @@
+#jinja2: lstrip_blocks: True
+[Unit]
+Description=Matrix RustPush bridge
+{% for service in matrix_rustpush_bridge_systemd_required_services_list %}
+Requires={{ service }}
+After={{ service }}
+{% endfor %}
+{% for service in matrix_rustpush_bridge_systemd_wanted_services_list %}
+Wants={{ service }}
+{% endfor %}
+DefaultDependencies=no
+
+[Service]
+Type=simple
+Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-rustpush-bridge 2>/dev/null || true'
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-rustpush-bridge 2>/dev/null || true'
+
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
+			--rm \
+			--name=matrix-rustpush-bridge \
+			--log-driver=none \
+			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+			--cap-drop=ALL \
+			--network={{ matrix_rustpush_bridge_container_network }} \
+			--env HOME=/data \
+{% if matrix_rustpush_bridge_rust_log %}			--env RUST_LOG={{ matrix_rustpush_bridge_rust_log }} \
+{% endif %}			--mount type=bind,src={{ matrix_rustpush_bridge_config_path }},dst=/config \
+			--mount type=bind,src={{ matrix_rustpush_bridge_data_path }},dst=/data \
+			--label-file={{ matrix_rustpush_bridge_base_path }}/labels \
+			--entrypoint /usr/local/bin/matrix-rustpush \
+			{% for arg in matrix_rustpush_bridge_container_extra_arguments %}
+			{{ arg }} \
+			{% endfor %}
+			{{ matrix_rustpush_bridge_container_image }} \
+			-c /config/config.yaml -r /config/registration.yaml
+
+{% for network in matrix_rustpush_bridge_container_additional_networks %}
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-rustpush-bridge
+{% endfor %}
+
+ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-rustpush-bridge
+
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-rustpush-bridge 2>/dev/null || true'
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-rustpush-bridge 2>/dev/null || true'
+Restart=always
+RestartSec=30
+SyslogIdentifier=matrix-rustpush-bridge
+
+[Install]
+WantedBy=multi-user.target
@@ -0,0 +1,4 @@
+SPDX-FileCopyrightText: 2026 MDAD project contributors
+SPDX-FileCopyrightText: 2026 Jason LaGuidice
+
+SPDX-License-Identifier: AGPL-3.0-or-later
@@ -29,7 +29,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/eleme
 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_facts['memtotal_mb'] < 4096 }}"

 # renovate: datasource=docker depName=ghcr.io/element-hq/element-web
-matrix_client_element_version: v1.12.21
+matrix_client_element_version: v1.12.22

 matrix_client_element_container_image: "{{ matrix_client_element_container_image_registry_prefix }}element-hq/element-web:{{ matrix_client_element_version }}"
 matrix_client_element_container_image_registry_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_client_element_container_image_registry_prefix_upstream }}"
@@ -13,7 +13,7 @@ matrix_client_fluffychat_container_image_self_build_repo: "https://github.com/et
 matrix_client_fluffychat_container_image_self_build_version: "{{ 'main' if matrix_client_fluffychat_version == 'latest' else matrix_client_fluffychat_version }}"

 # renovate: datasource=docker depName=ghcr.io/etkecc/fluffychat-web
-matrix_client_fluffychat_version: v2.5.1
+matrix_client_fluffychat_version: v2.7.2
 matrix_client_fluffychat_container_image: "{{ matrix_client_fluffychat_container_image_registry_prefix }}etkecc/fluffychat-web:{{ matrix_client_fluffychat_version }}"
 matrix_client_fluffychat_container_image_registry_prefix: "{{ 'localhost/' if matrix_client_fluffychat_container_image_self_build else matrix_client_fluffychat_container_image_registry_prefix_upstream }}"
 matrix_client_fluffychat_container_image_registry_prefix_upstream: "{{ matrix_client_fluffychat_container_image_registry_prefix_upstream_default }}"
@@ -1,5 +1,6 @@
 # SPDX-FileCopyrightText: 2025 MDAD project contributors
 # SPDX-FileCopyrightText: 2025 Slavi Pantaleev
+# SPDX-FileCopyrightText: 2026 Catalan Lover <catalanlover@protonmail.com>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later

@@ -13,7 +14,7 @@ matrix_continuwuity_enabled: true
 matrix_continuwuity_hostname: ''

 # renovate: datasource=docker depName=forgejo.ellis.link/continuwuation/continuwuity
-matrix_continuwuity_version: v0.5.9
+matrix_continuwuity_version: v0.5.10

 matrix_continuwuity_container_image: "{{ matrix_continuwuity_container_image_registry_prefix }}/continuwuation/continuwuity:{{ matrix_continuwuity_container_image_tag }}"
 matrix_continuwuity_container_image_tag: "{{ matrix_continuwuity_version }}"
@@ -190,7 +191,9 @@ matrix_continuwuity_config_turn_password: ''
 # Controls whether the self-check feature should validate SSL certificates.
 matrix_continuwuity_self_check_validate_certificates: true

-# If set, registration will require Google ReCAPTCHA verification.
+# Configuring both of these settings makes registration require Google ReCAPTCHA verification.
+# Both must be set together (or both left empty). Setting only one of them is a configuration error.
+# When both are set, ReCAPTCHA gets enabled automatically (see `matrix_continuwuity_recaptcha_enabled` in `vars/main.yml`).
 matrix_continuwuity_config_recaptcha_site_key: ''
 matrix_continuwuity_config_recaptcha_private_site_key: ''

@@ -1,4 +1,5 @@
 # SPDX-FileCopyrightText: 2025 MDAD project contributors
+# SPDX-FileCopyrightText: 2026 Catalan Lover <catalanlover@protonmail.com>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later

@@ -36,3 +37,11 @@
    - {'old': 'matrix_continuwuity_docker_image_registry_prefix_upstream', 'new': 'matrix_continuwuity_container_image_registry_prefix_upstream'}
    - {'old': 'matrix_continuwuity_docker_image_registry_prefix_upstream_default', 'new': 'matrix_continuwuity_container_image_registry_prefix_upstream_default'}
    - {'old': 'matrix_continuwuity_container_image_force_pull', 'new': '<removed> (the new community.docker.docker_image_pull module handles this natively)'}
+
+- name: Fail if Continuwuity ReCAPTCHA is only partially configured
+  ansible.builtin.fail:
+    msg: >-
+      You have configured only one of `matrix_continuwuity_config_recaptcha_site_key` and
+      `matrix_continuwuity_config_recaptcha_private_site_key`. Configure both to enable ReCAPTCHA
+      registration, or leave both empty to disable it.
+  when: "(matrix_continuwuity_config_recaptcha_site_key | string | length > 0) != (matrix_continuwuity_config_recaptcha_private_site_key | string | length > 0)"
@@ -2,6 +2,7 @@
 SPDX-FileCopyrightText: 2025 MDAD project contributors
 SPDX-FileCopyrightText: 2025 Slavi Pantaleev
 SPDX-FileCopyrightText: 2025 Suguru Hirahara
+SPDX-FileCopyrightText: 2026 Catalan Lover <catalanlover@protonmail.com>

 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
@@ -490,6 +491,7 @@ registration_token = {{ matrix_continuwuity_config_registration_token | to_json
 #
 #registration_token_file =

+{% if matrix_continuwuity_recaptcha_enabled %}
 # The public site key for reCaptcha. If this is provided, reCaptcha
 # becomes required during registration. If both captcha *and*
 # registration token are enabled, both will be required during
@@ -509,6 +511,7 @@ recaptcha_site_key = {{ matrix_continuwuity_config_recaptcha_site_key | to_json
 # even if `recaptcha_site_key` is set.
 #
 recaptcha_private_site_key = {{ matrix_continuwuity_config_recaptcha_private_site_key | to_json }}
+{% endif %}

 # Controls whether encrypted rooms and events are allowed.
 #
@@ -1,9 +1,15 @@
 # SPDX-FileCopyrightText: 2025 MDAD project contributors
 # SPDX-FileCopyrightText: 2025 Slavi Pantaleev
+# SPDX-FileCopyrightText: 2026 Catalan Lover <catalanlover@protonmail.com>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later

 ---

+# Continuwuity has no dedicated "enable ReCAPTCHA" setting. It enables ReCAPTCHA registration based on the
+# presence of a recaptcha private site key, so we only render the keys when both have been configured.
+# This avoids rendering empty keys, which would otherwise enable a broken ReCAPTCHA flow.
+matrix_continuwuity_recaptcha_enabled: "{{ matrix_continuwuity_config_recaptcha_site_key | string | length > 0 and matrix_continuwuity_config_recaptcha_private_site_key | string | length > 0 }}"
+
 matrix_continuwuity_client_api_url_endpoint_public: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}://{{ matrix_continuwuity_hostname }}/_matrix/client/versions"
 matrix_continuwuity_federation_api_url_endpoint_public: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}://{{ matrix_continuwuity_hostname }}:{{ matrix_federation_public_port }}/_matrix/federation/v1/version"
@@ -11,7 +11,7 @@
 matrix_element_admin_enabled: true

 # renovate: datasource=docker depName=oci.element.io/element-admin
-matrix_element_admin_version: 0.1.11
+matrix_element_admin_version: 0.1.12

 matrix_element_admin_scheme: https

@@ -21,7 +21,7 @@ matrix_element_call_enabled: false
 matrix_rtc_enabled: "{{ matrix_element_call_enabled }}"

 # renovate: datasource=docker depName=ghcr.io/element-hq/element-call
-matrix_element_call_version: v0.20.1
+matrix_element_call_version: v0.20.2

 matrix_element_call_scheme: https

@@ -27,7 +27,7 @@ matrix_ketesa_container_image_self_build: false
 matrix_ketesa_container_image_self_build_repo: "https://github.com/etkecc/ketesa.git"

 # renovate: datasource=docker depName=ghcr.io/etkecc/ketesa
-matrix_ketesa_version: v1.2.1
+matrix_ketesa_version: v1.3.0
 matrix_ketesa_container_image: "{{ matrix_ketesa_container_image_registry_prefix }}etkecc/ketesa:{{ matrix_ketesa_version }}"
 matrix_ketesa_container_image_registry_prefix: "{{ 'localhost/' if matrix_ketesa_container_image_self_build else matrix_ketesa_container_image_registry_prefix_upstream }}"
 matrix_ketesa_container_image_registry_prefix_upstream: "{{ matrix_ketesa_container_image_registry_prefix_upstream_default }}"
@@ -125,3 +125,14 @@ matrix_livekit_jwt_service_systemd_required_services_list_custom: []
 # The default of `false` means "no restart needed" — appropriate when the role's
 # installation tasks haven't run (e.g., due to --tags skipping them).
 matrix_livekit_jwt_service_restart_necessary: false
+
+# Support additional container arguments for the LiveKit JWT service
+matrix_livekit_jwt_service_container_additional_arguments: []
+
+# A list of additional "volumes" to mount in the container.
+# Contains definition objects like this: `{"type": "bind", "src": "/outside", "dst": "/inside", "options": "readonly"}.
+# See the `--mount` documentation for the `docker run` command.
+# Note: internally, this uses the `--mount` flag for mounting the specified volumes.
+matrix_livekit_jwt_service_container_additional_volumes: "{{ matrix_livekit_jwt_service_container_additional_volumes_auto + matrix_livekit_jwt_service_container_additional_volumes_custom }}"
+matrix_livekit_jwt_service_container_additional_volumes_auto: []
+matrix_livekit_jwt_service_container_additional_volumes_custom: []
@@ -22,6 +22,12 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
    {% if matrix_livekit_jwt_service_container_http_host_bind_port %}
    -p {{ matrix_livekit_jwt_service_container_http_host_bind_port }}:{{ matrix_livekit_jwt_service_container_port }} \
    {% endif %}
+    {% for volume in matrix_livekit_jwt_service_container_additional_volumes %}
+    --mount type={{ volume.type | default('bind' if '/' in volume.src else 'volume') }},src={{ volume.src }},dst={{ volume.dst }}{{ (',' + volume.options) if volume.options else '' }} \
+    {% endfor %}
+    {% for arg in matrix_livekit_jwt_service_container_additional_arguments %}
+    {{ arg }} \
+    {% endfor %}
    --env-file={{ matrix_livekit_jwt_service_base_path }}/env \
    --label-file={{ matrix_livekit_jwt_service_base_path }}/labels \
    {{ matrix_livekit_jwt_service_container_image }}
@@ -16,7 +16,7 @@ matrix_synapse_enabled: true
 matrix_synapse_github_org_and_repo: element-hq/synapse

 # renovate: datasource=docker depName=ghcr.io/element-hq/synapse
-matrix_synapse_version: v1.154.0
+matrix_synapse_version: v1.155.0

 matrix_synapse_username: ''
 matrix_synapse_uid: ''
@@ -1852,7 +1852,7 @@ matrix_synapse_register_user_script_matrix_authentication_service_path: ""
 matrix_synapse_reverse_proxy_companion_enabled: "{{ matrix_synapse_enabled and matrix_synapse_workers_enabled }}"

 # renovate: datasource=docker depName=nginx
-matrix_synapse_reverse_proxy_companion_version: 1.31.1-alpine
+matrix_synapse_reverse_proxy_companion_version: 1.31.2-alpine

 matrix_synapse_reverse_proxy_companion_base_path: "{{ matrix_synapse_base_path }}/reverse-proxy-companion"
 matrix_synapse_reverse_proxy_companion_confd_path: "{{ matrix_synapse_reverse_proxy_companion_base_path }}/conf.d"
@@ -13,7 +13,7 @@ matrix_tuwunel_enabled: true
 matrix_tuwunel_hostname: ''

 # renovate: datasource=docker depName=ghcr.io/matrix-construct/tuwunel
-matrix_tuwunel_version: v1.7.1
+matrix_tuwunel_version: v1.8.0

 matrix_tuwunel_container_image: "{{ matrix_tuwunel_container_image_registry_prefix }}matrix-construct/tuwunel:{{ matrix_tuwunel_container_image_tag }}"
 matrix_tuwunel_container_image_tag: "{{ matrix_tuwunel_version }}"
@@ -177,6 +177,43 @@ matrix_tuwunel_config_forbidden_remote_server_names: []
 matrix_tuwunel_config_forbidden_remote_room_directory_server_names: []
 matrix_tuwunel_config_prevent_media_downloads_from: []

+# List of IPv4/IPv6 CIDR ranges tuwunel refuses to send outbound requests to (SSRF protection).
+# This applies to push gateway delivery, URL previews, and remote media fetches.
+# Bridges/appservices use a separate resolver and are not affected.
+#
+# The default mirrors tuwunel's own upstream default, which denies RFC1918,
+# loopback, multicast, and other unroutable/testnet ranges.
+#
+# To deny additional ranges, append to `matrix_tuwunel_config_ip_range_denylist_custom`.
+# To permit a range that the default denies (e.g. if you run a push gateway like a
+# localhost Sygnal or a LAN ntfy/UnifiedPush server on a private/loopback address, to
+# which push delivery would otherwise be silently blocked), override
+# `matrix_tuwunel_config_ip_range_denylist_default` with a trimmed list.
+# Set the whole list to `[]` to disable denylisting entirely.
+matrix_tuwunel_config_ip_range_denylist: "{{ matrix_tuwunel_config_ip_range_denylist_default + matrix_tuwunel_config_ip_range_denylist_auto + matrix_tuwunel_config_ip_range_denylist_custom }}"
+matrix_tuwunel_config_ip_range_denylist_default:
+  - '127.0.0.0/8'
+  - '10.0.0.0/8'
+  - '172.16.0.0/12'
+  - '192.168.0.0/16'
+  - '100.64.0.0/10'
+  - '192.0.0.0/24'
+  - '169.254.0.0/16'
+  - '192.88.99.0/24'
+  - '198.18.0.0/15'
+  - '192.0.2.0/24'
+  - '198.51.100.0/24'
+  - '203.0.113.0/24'
+  - '224.0.0.0/4'
+  - '::1/128'
+  - 'fe80::/10'
+  - 'fc00::/7'
+  - '2001:db8::/32'
+  - 'ff00::/8'
+  - 'fec0::/10'
+matrix_tuwunel_config_ip_range_denylist_auto: []
+matrix_tuwunel_config_ip_range_denylist_custom: []
+
 # MSC4284 policy server enforcement.
 # When enabled, rooms with a valid `m.room.policy` state event will have
 # outgoing events signed by the configured policy server before federation.
@@ -56,6 +56,7 @@ forbidden_remote_room_directory_server_names = {{ matrix_tuwunel_config_forbidde
 {% if matrix_tuwunel_config_prevent_media_downloads_from | length > 0 %}
 prevent_media_downloads_from = {{ matrix_tuwunel_config_prevent_media_downloads_from | to_json }}
 {% endif %}
+ip_range_denylist = {{ matrix_tuwunel_config_ip_range_denylist | to_json }}

 enable_policy_servers = {{ matrix_tuwunel_config_enable_policy_servers | to_json }}
 policy_server_request_timeout = {{ matrix_tuwunel_config_policy_server_request_timeout }}
@@ -71,6 +71,7 @@
    - custom/matrix-bridge-mautrix-discord
    - custom/matrix-bridge-mautrix-slack
    - custom/matrix-bridge-mautrix-bluesky
+    - custom/matrix-bridge-rustpush
    - custom/matrix-bridge-mx-puppet-groupme
    - custom/matrix-bridge-mx-puppet-steam
    - custom/matrix-bridge-postmoogle
Author	SHA1	Message	Date
Aine	cf396e5558	baibot: add venice wiring	2026-06-28 16:34:06 +01:00
Aine	3fed0f1bb4	add link to Ketesa website <https://ketesa.app >	2026-06-28 11:02:51 +01:00
Slavi Pantaleev	e43add179b	Add matrix_tuwunel_config_ip_range_denylist (mirrors tuwunel's upstream default) As of tuwunel v1.8.0, the ip_range_denylist applies to push gateway delivery as well, so surface it as an Ansible variable using the default/auto/custom merge pattern. The default mirrors tuwunel's own upstream denylist (RFC1918, loopback, multicast, and other unroutable ranges), matching the identical list already used for Synapse's matrix_synapse_url_preview_ip_range_blacklist. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-27 20:39:16 +03:00
renovate[bot]	129d4e74b4	Update ghcr.io/matrix-construct/tuwunel Docker tag to v1.8.0	2026-06-27 20:17:09 +03:00
renovate[bot]	5c390e137f	Update dependency livekit_server to v1.13.2-0	2026-06-27 18:17:06 +03:00
renovate[bot]	682eb2c280	Update ghcr.io/etkecc/baibot Docker tag to v1.24.0	2026-06-26 17:30:34 +03:00
Jason LaGuidice	4fae640b6c	Add renovate and bump version	2026-06-26 07:05:13 +03:00
renovate[bot]	adcae966ed	Update dependency ntfy to v2.25.0-0	2026-06-25 07:41:39 +03:00
renovate[bot]	0a46beb76c	Update dependency click to v8.4.2	2026-06-24 21:48:37 +03:00
renovate[bot]	7bee5f06dc	Update oci.element.io/element-admin Docker tag to v0.1.12	2026-06-24 21:44:11 +03:00
renovate[bot]	b67f7bd3fe	Update docker.io/metio/matrix-alertmanager-receiver Docker tag to v2026.6.24	2026-06-24 16:39:58 +03:00
Slavi Pantaleev	08c733d2e3	matrix-bridge-rustpush: build from upstream's own Dockerfile on self-build The role shipped its own copy of the bridge's Dockerfile and templated it over the cloned source before building. That copy had already drifted from upstream (e.g. missing libheif-plugin-libde265) and required separate maintenance (Renovate bumping the base image here instead of upstream). Build from the cloned repo's own Dockerfile instead, matching every other self-build role (e.g. matrix-bridge-steam). The Dockerfile now tracks the pinned bridge version automatically. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-24 12:13:04 +03:00
Slavi Pantaleev	424c323d03	Announce matrix-rustpush-bridge (iMessage) in the changelog Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-24 11:45:20 +03:00
Jason LaGuidice	11cd178cb2	Add matrix-rustpush-bridge (iMessage) Add the matrix-rustpush-bridge role, a Matrix <-> iMessage bridge built on the mautrix-go bridgev2 framework using RustPush (OpenBubbles backend). Unlike the existing mautrix-imessage/wsproxy bridge, it talks directly to Apple's push notification service, so it needs neither a running Mac nor a wsproxy on the homeserver. Each user supplies a hardware key extracted from a Mac through the bridge bot's login flow. The bridge uses its own bot username and puppet namespace (rustpushbot, rustpush_*) so it does not collide with the wsproxy iMessage bridge. This bridge is in early development and may have stability issues.	2026-06-24 11:17:09 +03:00
Aine	6f57ab8ba1	Baibot v1.23.1 <https://github.com/etkecc/baibot/blob/main/CHANGELOG.md#2026-06-24-version-1231 >	2026-06-24 07:28:07 +01:00
Slavi Pantaleev	4f00ad9bd4	Add support for additional volumes for the livekit-jwt-service component Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-24 07:38:22 +03:00
Hollie Hutchinson	753f8ca7db	Support additional container arguments for matrix-livekit-jwt	2026-06-24 07:36:36 +03:00
renovate[bot]	d06094ffc3	Update ghcr.io/element-hq/element-web Docker tag to v1.12.22	2026-06-24 07:31:58 +03:00
dependabot[bot]	dd37011ffb	Bump actions/cache from 5 to 6 Bumps [actions/cache](https://github.com/actions/cache) from 5 to 6. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/v5...v6) --- updated-dependencies: - dependency-name: actions/cache dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>	2026-06-24 07:31:47 +03:00
renovate[bot]	e3b37ac350	Update ghcr.io/etkecc/baibot Docker tag to v1.23.0 (#5353 ) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2026-06-23 07:22:40 +01:00
renovate[bot]	be68aaa870	Update dependency grafana to v13	2026-06-23 09:22:25 +03:00
renovate[bot]	36e94e4df7	Update ghcr.io/etkecc/fluffychat-web Docker tag to v2.7.2 (#5352 ) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2026-06-22 18:13:41 +01:00
renovate[bot]	37d8cf4f2c	Update ghcr.io/element-hq/element-call Docker tag to v0.20.2 (#5351 ) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2026-06-22 18:13:17 +01:00
renovate[bot]	fd340a14f9	Update dependency cinny to v4.12.3-0 (#5350 ) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2026-06-22 18:12:55 +01:00
LunarFox	73f8ca75b3	Update readme for NPM NPM "Proxy Hosts" page is only for http/https 80/443 - it is not possible to add a name such as "matrix.example.com:port". Instead, the Streams page might work for what is intended here (federation traffic) - to proxy stream anything on 8448 to 8449.	2026-06-22 10:11:54 +03:00
Aine	81e156b4bf	rollback etherpad to v2.7.2 (v2.7.3 is broken)	2026-06-21 13:40:23 +01:00
Aine	6ee65072ef	FluffyChat v2.7.0 <https://github.com/krille-chan/fluffychat/blob/main/CHANGELOG.md#v270 >	2026-06-21 11:45:59 +01:00
renovate[bot]	8b13017281	Update ghcr.io/etkecc/baibot Docker tag to v1.22.0	2026-06-21 09:10:18 +03:00
renovate[bot]	e0f37e3912	Update forgejo.ellis.link/continuwuation/continuwuity Docker tag to v0.5.10	2026-06-20 21:15:40 +03:00
Aine	4ff28586f4	Ketesa v1.3.0 <https://github.com/etkecc/ketesa/releases/tag/v1.3.0 >	2026-06-19 19:56:25 +01:00
Catalan Lover	19bcdc78fd	Gate Continuwuity ReCAPTCHA config on both keys being configured Continuwuity has no native enable-captcha toggle; it enables the ReCAPTCHA registration flow based on the presence of a private site key. The playbook previously always rendered empty `recaptcha_site_key`/`recaptcha_private_site_key` values, which made Continuwuity enable a broken captcha flow and break registration in some clients. The keys are now only rendered when both are configured, gated by a derived `matrix_continuwuity_recaptcha_enabled` flag in the role's `vars/main.yml`. A consistency check fails the play when exactly one of the two keys is set. Fixes #5329 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-19 06:24:06 +03:00
renovate[bot]	914dd3ed62	Update actions/checkout action to v7	2026-06-19 05:51:12 +03:00
renovate[bot]	3250de7842	Update dependency sable to v1.18.3-0	2026-06-18 10:10:27 +03:00
renovate[bot]	af4d379573	Update dependency certifi to v2026.6.17	2026-06-18 09:58:58 +03:00
renovate[bot]	12e63739b9	Update ghcr.io/element-hq/matrix-authentication-service Docker tag to v1.19.0	2026-06-18 09:58:41 +03:00
renovate[bot]	6b76368a9c	Update nginx Docker tag to v1.31.2	2026-06-18 09:56:48 +03:00
renovate[bot]	b87fcc4674	Update ghcr.io/etkecc/buscarron Docker tag to v1.5.0	2026-06-18 09:56:34 +03:00
renovate[bot]	00e5aed0eb	Update dependency sable to v1.18.2-0	2026-06-17 21:09:47 +03:00
renovate[bot]	6926a04e07	Update docker.io/metio/matrix-alertmanager-receiver Docker tag to v2026.6.17	2026-06-17 21:09:15 +03:00
renovate[bot]	50408d699f	Update dock.mau.dev/mautrix/meta Docker tag to v0.2606.0	2026-06-17 06:20:14 +03:00
renovate[bot]	4bf6093a5d	Update ghcr.io/element-hq/synapse Docker tag to v1.155.0	2026-06-17 06:20:05 +03:00
renovate[bot]	f0fb23dfa9	Update dock.mau.dev/mautrix/signal Docker tag to v0.2606.0	2026-06-17 06:18:38 +03:00
renovate[bot]	8e41f04368	Update dock.mau.dev/mautrix/slack Docker tag to v0.2606.0	2026-06-17 06:18:29 +03:00
renovate[bot]	b863de00e8	Update dock.mau.dev/mautrix/telegram Docker tag to v0.2606.0	2026-06-17 06:18:21 +03:00
renovate[bot]	4f5904db0a	Update dock.mau.dev/mautrix/whatsapp Docker tag to v0.2606.0	2026-06-17 06:18:13 +03:00
renovate[bot]	802f687513	Update dock.mau.dev/mautrix/twitter Docker tag to v0.2606.0	2026-06-17 06:18:02 +03:00
renovate[bot]	b7b5dbf9c7	Update dependency traefik_certs_dumper to v2.11.4-0	2026-06-16 12:34:02 +03:00
renovate[bot]	a79b8034e6	Update dependency prek to v0.4.5	2026-06-15 17:36:58 +03:00
renovate[bot]	9acdc445a8	Update dependency sable to v1.18.1-0	2026-06-15 09:22:05 +03:00
Slavi Pantaleev	731804ba32	Update LiveKit Server (v1.12.0-0 → v1.13.1-0) Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-15 08:50:34 +03:00