From 5bb8a36f341ebfc85051ab86ea078333621e260f Mon Sep 17 00:00:00 2001
From: Catalan Lover <catalanlover@protonmail.com>
Date: Wed, 12 Mar 2025 21:51:21 +0100
Subject: [PATCH 01/11] Update Mjolnir Anti Spam module to latest and add
 Renovate

---
 roles/custom/matrix-synapse/defaults/main.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml
index 29338cf31..9147e127d 100644
--- a/roles/custom/matrix-synapse/defaults/main.yml
+++ b/roles/custom/matrix-synapse/defaults/main.yml
@@ -1331,7 +1331,8 @@ matrix_synapse_ext_spam_checker_synapse_simple_antispam_config_blocked_homeserve
 # See: https://github.com/matrix-org/mjolnir#synapse-module
 matrix_synapse_ext_spam_checker_mjolnir_antispam_enabled: false
 matrix_synapse_ext_spam_checker_mjolnir_antispam_git_repository_url: "https://github.com/matrix-org/mjolnir"
-matrix_synapse_ext_spam_checker_mjolnir_antispam_git_version: "v1.6.4"
+# renovate: datasource=docker depName=matrixdotorg/mjolnir
+matrix_synapse_ext_spam_checker_mjolnir_antispam_git_version: "v1.9.2"
 matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_invites: true
 # Flag messages sent by servers/users in the ban lists as spam. Currently
 # this means that spammy messages will appear as empty to users. Default

From dc581d0b7aaae11cf6cdd9bbf2a9c73bc0d3b22f Mon Sep 17 00:00:00 2001
From: Suguru Hirahara <luixxiul@users.noreply.github.com>
Date: Thu, 13 Mar 2025 05:04:56 +0000
Subject: [PATCH 02/11] Add ensure-users-created to the list of available tags
 on playbook-tags.md (#4169)

---
 docs/playbook-tags.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/playbook-tags.md b/docs/playbook-tags.md
index 42d2354d6..48e61f73c 100644
--- a/docs/playbook-tags.md
+++ b/docs/playbook-tags.md
@@ -27,7 +27,7 @@ Here are some playbook tags that you should be familiar with:
 
 - `stop` — stops all systemd services
 
-- `ensure-matrix-users-created` — a special tag which ensures that all special users needed by the playbook (for bots, etc.) are created
+- `ensure-matrix-users-created` or its alias `ensure-users-created` — a special tag which ensures that all special users needed by the playbook (for bots, etc.) are created
 
 **Notes**:
 - `setup-*` tags and `install-*` tags **do not start services** automatically, because you may wish to do things before starting services, such as importing a database dump, restoring data from another server, etc.

From 0086ae7f58b39ab8f39af5b2df3b6ee83cf08a92 Mon Sep 17 00:00:00 2001
From: Catalan Lover <48515417+FSG-Cat@users.noreply.github.com>
Date: Thu, 13 Mar 2025 19:20:09 +0100
Subject: [PATCH 03/11] Update D4A Configuration (#4166)

* Update D4A Configuration

D4A had some breaking config changes so this commit fixes them and gets us back into compliance with upstream. And since we run in a docker container we can use the /data/storage default.

* Update D4A Configuration to harmonise with bot mode

Change the default config for D4A to align with bot mode default in mdad. This should also avert a bit of a mess of a potential bug.

* Change D4A Room State Backing Store variable name and fix SPDX Headers

* Align D4A config with new schema

* Fix D4A Config Lint Error

* Update D4A SPDX Entries

* Do not use double quotes around `to_json` values

---------

Co-authored-by: Slavi Pantaleev <slavi@devture.com>
---
 .../defaults/main.yml                          | 13 +++++++------
 .../tasks/main.yml                             |  1 +
 .../tasks/setup_install.yml                    |  1 +
 .../tasks/setup_uninstall.yml                  |  1 +
 .../tasks/validate_config.yml                  |  3 +++
 .../templates/production-appservice.yaml.j2    |  9 ++++++++-
 .../templates/production-bots.yaml.j2          | 18 ++++++++++++++++++
 ...service-draupnir-for-all.service.j2.license |  1 +
 8 files changed, 40 insertions(+), 7 deletions(-)

diff --git a/roles/custom/matrix-appservice-draupnir-for-all/defaults/main.yml b/roles/custom/matrix-appservice-draupnir-for-all/defaults/main.yml
index a1eebf5af..17e415f6c 100644
--- a/roles/custom/matrix-appservice-draupnir-for-all/defaults/main.yml
+++ b/roles/custom/matrix-appservice-draupnir-for-all/defaults/main.yml
@@ -1,4 +1,5 @@
-# SPDX-FileCopyrightText: 2024 - 2025 MDAD project contributors
+# SPDX-FileCopyrightText: 2024 MDAD project contributors
+# SPDX-FileCopyrightText: 2024 - 2025 Catalan Lover <catalanlover@protonmail.com>
 # SPDX-FileCopyrightText: 2024 - 2025 Slavi Pantaleev
 # SPDX-FileCopyrightText: 2024 Suguru Hirahara
 #
@@ -51,12 +52,12 @@ matrix_appservice_draupnir_for_all_systemd_wanted_services_list: []
 # Note: Draupnir is fairly verbose - expect a lot of messages from it.
 # This room is diffrent for Appservice Mode compared to normal mode.
 # In Appservice mode it provides functions like user management.
-matrix_appservice_draupnir_for_all_master_control_room_alias: ""
+matrix_appservice_draupnir_for_all_config_adminRoom: ""  # noqa var-naming
 
-# Placeholder Remenant of the fact that Cat belived Master Control Room to be separated from Access Control Policy List.
-# The alias of the Policy list used to control who can provision a bot for them selfs.
-# This should be a room alias - not a matrix.to URL.
-# matrix_appservice_draupnir_for_all_management_policy_list_alias: ""
+# Controls if the room state backing store is activated.
+# Room state backing store makes restarts of the bot lightning fast as the bot does not suffer from amnesia.
+# This config option has diminished improvements for bots on extremely fast homeservers or very very small bots on fast homeservers.
+matrix_appservice_draupnir_for_all_config_roomStateBackingStore_enabled: false  # noqa var-naming
 
 matrix_appservice_draupnir_for_all_database_username: matrix_appservice_draupnir_for_all
 matrix_appservice_draupnir_for_all_database_password: 'some-passsword'
diff --git a/roles/custom/matrix-appservice-draupnir-for-all/tasks/main.yml b/roles/custom/matrix-appservice-draupnir-for-all/tasks/main.yml
index 5e4af332b..51f5fe4f2 100644
--- a/roles/custom/matrix-appservice-draupnir-for-all/tasks/main.yml
+++ b/roles/custom/matrix-appservice-draupnir-for-all/tasks/main.yml
@@ -1,4 +1,5 @@
 # SPDX-FileCopyrightText: 2024 MDAD project contributors
+# SPDX-FileCopyrightText: 2024 Catalan Lover <catalanlover@protonmail.com>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
diff --git a/roles/custom/matrix-appservice-draupnir-for-all/tasks/setup_install.yml b/roles/custom/matrix-appservice-draupnir-for-all/tasks/setup_install.yml
index e4d51b7f7..12781f5dc 100644
--- a/roles/custom/matrix-appservice-draupnir-for-all/tasks/setup_install.yml
+++ b/roles/custom/matrix-appservice-draupnir-for-all/tasks/setup_install.yml
@@ -1,5 +1,6 @@
 # SPDX-FileCopyrightText: 2024 David Mehren
 # SPDX-FileCopyrightText: 2024 MDAD project contributors
+# SPDX-FileCopyrightText: 2024 Catalan Lover <catalanlover@protonmail.com>
 # SPDX-FileCopyrightText: 2024 Slavi Pantaleev
 # SPDX-FileCopyrightText: 2024 Suguru Hirahara
 #
diff --git a/roles/custom/matrix-appservice-draupnir-for-all/tasks/setup_uninstall.yml b/roles/custom/matrix-appservice-draupnir-for-all/tasks/setup_uninstall.yml
index da78634d6..4ad172539 100644
--- a/roles/custom/matrix-appservice-draupnir-for-all/tasks/setup_uninstall.yml
+++ b/roles/custom/matrix-appservice-draupnir-for-all/tasks/setup_uninstall.yml
@@ -1,4 +1,5 @@
 # SPDX-FileCopyrightText: 2023 - 2024 MDAD project contributors
+# SPDX-FileCopyrightText: 2024 Catalan Lover <catalanlover@protonmail.com>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
diff --git a/roles/custom/matrix-appservice-draupnir-for-all/tasks/validate_config.yml b/roles/custom/matrix-appservice-draupnir-for-all/tasks/validate_config.yml
index 8d8d1168c..72f86a7ef 100644
--- a/roles/custom/matrix-appservice-draupnir-for-all/tasks/validate_config.yml
+++ b/roles/custom/matrix-appservice-draupnir-for-all/tasks/validate_config.yml
@@ -1,4 +1,5 @@
 # SPDX-FileCopyrightText: 2024 MDAD project contributors
+# SPDX-FileCopyrightText: 2024 Catalan Lover <catalanlover@protonmail.com>
 # SPDX-FileCopyrightText: 2024 Slavi Pantaleev
 # SPDX-FileCopyrightText: 2025 Suguru Hirahara
 #
@@ -22,3 +23,5 @@
   when: "item.old in vars"
   with_items:
     - {'old': 'matrix_appservice_draupnir_for_all_docker_image_name_prefix', 'new': 'matrix_appservice_draupnir_for_all_docker_image_registry_prefix'}
+    - {'old': 'matrix_appservice_draupnir_for_all_enable_room_state_backing_store', 'new': 'matrix_appservice_draupnir_for_all_config_roomStateBackingStore_enabled'}
+    - {'old': 'matrix_appservice_draupnir_for_all_master_control_room_alias', 'new': 'matrix_appservice_draupnir_for_all_config_adminRoom'}
diff --git a/roles/custom/matrix-appservice-draupnir-for-all/templates/production-appservice.yaml.j2 b/roles/custom/matrix-appservice-draupnir-for-all/templates/production-appservice.yaml.j2
index 346b57e96..ea168dac9 100644
--- a/roles/custom/matrix-appservice-draupnir-for-all/templates/production-appservice.yaml.j2
+++ b/roles/custom/matrix-appservice-draupnir-for-all/templates/production-appservice.yaml.j2
@@ -1,5 +1,6 @@
 {#
 SPDX-FileCopyrightText: 2024 MDAD project contributors
+SPDX-FileCopyrightText: 2024 - 2025 Catalan Lover <catalanlover@protonmail.com>
 SPDX-FileCopyrightText: 2024 Suguru Hirahara
 
 SPDX-License-Identifier: AGPL-3.0-or-later
@@ -18,8 +19,14 @@ db:
 
 # A room you have created that scopes who can access the appservice.
 # See docs/access_control.md
-adminRoom: "{{ matrix_appservice_draupnir_for_all_master_control_room_alias }}"
+adminRoom: {{ matrix_appservice_draupnir_for_all_config_adminRoom | to_json }}
 
 # This is a web api that the widget connects to in order to interact with the appservice.
 webAPI:
   port: 9000
+
+# The directory the bot should store various bits of information in
+dataPath: "/data"
+
+roomStateBackingStore:
+  enabled: {{ matrix_appservice_draupnir_for_all_config_roomStateBackingStore_enabled | to_json }}
diff --git a/roles/custom/matrix-appservice-draupnir-for-all/templates/production-bots.yaml.j2 b/roles/custom/matrix-appservice-draupnir-for-all/templates/production-bots.yaml.j2
index de581ed8e..63eb20b22 100644
--- a/roles/custom/matrix-appservice-draupnir-for-all/templates/production-bots.yaml.j2
+++ b/roles/custom/matrix-appservice-draupnir-for-all/templates/production-bots.yaml.j2
@@ -1,5 +1,6 @@
 {#
 SPDX-FileCopyrightText: 2024 MDAD project contributors
+SPDX-FileCopyrightText: 2024 - 2025 Catalan Lover <catalanlover@protonmail.com>
 
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
@@ -73,3 +74,20 @@ commands:
       - "brigading"
       - "harassment"
       - "disagreement"
+
+# Safe mode provides recovery options for some failure modes when Draupnir
+# fails to start. For example, if the bot fails to resolve a room alias in
+# a watched list, or if the server has parted from a protected room and can't
+# find a way back in. Safe mode will provide different options to recover from
+# these. Such as unprotecting the room or unwatching the policy list.
+# By default Draupnir will boot into safe mode only when the failure mode
+# is recoverable.
+# It may be desirable to prevent the bot from starting into safe mode if you have
+# a pager system when Draupnir is down, as Draupnir could prevent your monitoring
+# system from identifying a failure to start.
+#safeMode:
+#  # The option for entering safe mode when Draupnir fails to start up.
+#  # - "RecoveryOnly" will only start the bot in safe mode when there are recovery options available. This is the default.
+#  # - "Never" will never start the bot in safe mode when Draupnir fails to start normally.
+#  # - "Always" will always start the bot in safe mode when Draupnir fails to start normally.
+#  bootOption: RecoveryOnly
diff --git a/roles/custom/matrix-appservice-draupnir-for-all/templates/systemd/matrix-appservice-draupnir-for-all.service.j2.license b/roles/custom/matrix-appservice-draupnir-for-all/templates/systemd/matrix-appservice-draupnir-for-all.service.j2.license
index c66c5baed..b39d4ce53 100644
--- a/roles/custom/matrix-appservice-draupnir-for-all/templates/systemd/matrix-appservice-draupnir-for-all.service.j2.license
+++ b/roles/custom/matrix-appservice-draupnir-for-all/templates/systemd/matrix-appservice-draupnir-for-all.service.j2.license
@@ -1,4 +1,5 @@
 SPDX-FileCopyrightText: 2024 MDAD project contributors
+SPDX-FileCopyrightText: 2024 Catalan Lover <catalanlover@protonmail.com>
 SPDX-FileCopyrightText: 2024 Slavi Pantaleev
 
 SPDX-License-Identifier: AGPL-3.0-or-later

From 166f4127837ce1debfb7d60268255e08539b4a98 Mon Sep 17 00:00:00 2001
From: Catalan Lover <48515417+FSG-Cat@users.noreply.github.com>
Date: Thu, 13 Mar 2025 19:25:30 +0100
Subject: [PATCH 04/11] Modernise Draupnir Configuration Variable Names (#4170)

* Modernise Draupnir Configuration Variable Names

* Move Draupnir deprecation-check task before undefined-variables-check

* Fix trailing spaces in Draupnir's `validate_config.yml`

---------

Co-authored-by: Slavi Pantaleev <slavi@devture.com>
---
 docs/configuring-playbook-bot-draupnir.md     | 10 ++---
 group_vars/matrix_servers                     |  6 +--
 group_vars/matrix_servers.license             |  2 +-
 .../matrix-bot-draupnir/defaults/main.yml     | 25 ++++++-----
 .../custom/matrix-bot-draupnir/tasks/main.yml |  1 +
 .../tasks/setup_install.yml                   |  1 +
 .../tasks/setup_uninstall.yml                 |  1 +
 .../tasks/validate_config.yml                 | 43 ++++++++++++-------
 .../templates/production.yaml.j2              | 21 ++++-----
 .../matrix-bot-draupnir.service.j2.license    |  1 +
 10 files changed, 65 insertions(+), 46 deletions(-)

diff --git a/docs/configuring-playbook-bot-draupnir.md b/docs/configuring-playbook-bot-draupnir.md
index 92f5c5969..8465dcbd8 100644
--- a/docs/configuring-playbook-bot-draupnir.md
+++ b/docs/configuring-playbook-bot-draupnir.md
@@ -58,7 +58,7 @@ matrix_bot_draupnir_enable_experimental_rust_crypto: true
 
 # Access token which the bot will use for logging in.
 # Comment out `matrix_bot_draupnir_login_native` when using this option.
-matrix_bot_draupnir_access_token: "CLEAN_ACCESS_TOKEN_HERE"
+matrix_bot_draupnir_config_accessToken: "CLEAN_ACCESS_TOKEN_HERE"
 ```
 
 ## Adjusting the playbook configuration
@@ -73,13 +73,13 @@ matrix_bot_draupnir_enabled: true
 # matrix_bot_draupnir_login: bot.draupnir
 
 # Generate a strong password for the bot. You can create one with a command like `pwgen -s 64 1`.
-# If creating the user on your own and using `matrix_bot_draupnir_access_token` to login you can comment out this line.
+# If creating the user on your own and using `matrix_bot_draupnir_config_accessToken` to login you can comment out this line.
 matrix_bot_draupnir_password: PASSWORD_FOR_THE_BOT
 
-# Comment out if using `matrix_bot_draupnir_enable_experimental_rust_crypto: true` or `matrix_bot_draupnir_access_token` to login.
+# Comment out if using `matrix_bot_draupnir_enable_experimental_rust_crypto: true` or `matrix_bot_draupnir_config_accessToken` to login.
 matrix_bot_draupnir_login_native: true
 
-matrix_bot_draupnir_management_room: "MANAGEMENT_ROOM_ID_HERE"
+matrix_bot_draupnir_config_managementRoom: "MANAGEMENT_ROOM_ID_HERE"
 ```
 
 ### Create and invite the bot to the management room
@@ -142,7 +142,7 @@ Draupnir can receive reports in the management room.
 The bot can intercept the report API endpoint of the client-server API, which requires integration with the reverse proxy in front of the homeserver. If you are using Traefik, this playbook can set this up for you:
 
 ```yaml
-matrix_bot_draupnir_abuse_reporting_enabled: true
+matrix_bot_draupnir_config_web_abuseReporting: true
 ```
 
 <!--
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index 512f6cb93..d5f3fb5cf 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -3188,10 +3188,10 @@ matrix_bot_draupnir_container_additional_networks_auto: |-
     ) | unique
   }}
 
-matrix_bot_draupnir_homeserver_url: "{{ 'http://matrix-pantalaimon:8009' if matrix_bot_draupnir_pantalaimon_use else matrix_addons_homeserver_client_api_url }}"
-matrix_bot_draupnir_raw_homeserver_url: "{{ matrix_addons_homeserver_client_api_url }}"
+matrix_bot_draupnir_config_homeserverUrl: "{{ 'http://matrix-pantalaimon:8009' if matrix_bot_draupnir_pantalaimon_use else matrix_addons_homeserver_client_api_url }}"  # noqa var-naming
+matrix_bot_draupnir_config_rawHomeserverUrl: "{{ matrix_addons_homeserver_client_api_url }}"  # noqa var-naming
 
-matrix_bot_draupnir_container_labels_traefik_enabled: "{{ matrix_bot_draupnir_web_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
+matrix_bot_draupnir_container_labels_traefik_enabled: "{{ matrix_bot_draupnir_config_web_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
 matrix_bot_draupnir_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
 matrix_bot_draupnir_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
 matrix_bot_draupnir_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"
diff --git a/group_vars/matrix_servers.license b/group_vars/matrix_servers.license
index 1325849fc..1cffee2cc 100644
--- a/group_vars/matrix_servers.license
+++ b/group_vars/matrix_servers.license
@@ -52,7 +52,7 @@ SPDX-FileCopyrightText: 2023 - 2024 Michael Hollister
 SPDX-FileCopyrightText: 2023 - 2024 Pierre 'McFly' Marty
 SPDX-FileCopyrightText: 2023 Antonis Christofides
 SPDX-FileCopyrightText: 2023 Benjamin Kampmann
-SPDX-FileCopyrightText: 2023 Catalan Lover
+SPDX-FileCopyrightText: 2023 - 2025 Catalan Lover <catalanlover@protonmail.com>
 SPDX-FileCopyrightText: 2023 Cody Wyatt Neiman
 SPDX-FileCopyrightText: 2023 Johan Swetzén
 SPDX-FileCopyrightText: 2023 Kabir Kwatra
diff --git a/roles/custom/matrix-bot-draupnir/defaults/main.yml b/roles/custom/matrix-bot-draupnir/defaults/main.yml
index 8bb6ae8b4..31ade1be0 100644
--- a/roles/custom/matrix-bot-draupnir/defaults/main.yml
+++ b/roles/custom/matrix-bot-draupnir/defaults/main.yml
@@ -1,4 +1,5 @@
 # SPDX-FileCopyrightText: 2023 - 2024 MDAD project contributors
+# SPDX-FileCopyrightText: 2023 - 2025 Catalan Lover <catalanlover@protonmail.com>
 # SPDX-FileCopyrightText: 2023 Samuel Meenzen
 # SPDX-FileCopyrightText: 2024 - 2025 Slavi Pantaleev
 #
@@ -27,9 +28,9 @@ matrix_bot_draupnir_config_path: "{{ matrix_bot_draupnir_base_path }}/config"
 matrix_bot_draupnir_data_path: "{{ matrix_bot_draupnir_base_path }}/data"
 matrix_bot_draupnir_docker_src_files_path: "{{ matrix_bot_draupnir_base_path }}/docker-src"
 
-matrix_bot_draupnir_abuse_reporting_enabled: false
-matrix_bot_draupnir_web_enabled: "{{ matrix_bot_draupnir_abuse_reporting_enabled }}"
-matrix_bot_draupnir_display_reports: "{{ matrix_bot_draupnir_abuse_reporting_enabled }}"
+matrix_bot_draupnir_config_web_abuseReporting: false  # noqa var-naming
+matrix_bot_draupnir_config_web_enabled: "{{ matrix_bot_draupnir_config_web_abuseReporting }}"  # noqa var-naming
+matrix_bot_draupnir_config_displayReports: "{{ matrix_bot_draupnir_config_web_abuseReporting }}"  # noqa var-naming
 
 matrix_bot_draupnir_container_network: ""
 
@@ -56,7 +57,7 @@ matrix_bot_draupnir_systemd_wanted_services_list: []
 
 # Whether Draupnir should talk to the homeserver through Pantalaimon
 # If true, then other variables must be provided including pointing
-# `matrix_bot_draupnir_homeserver_url` to the Pantalaimon URL.
+# `matrix_bot_draupnir_config_homeserverUrl` to the Pantalaimon URL.
 #
 # The upstream project discourages enabling this option, because it is
 # known that running Draupnir along with Pantalaimon breaks all workflows that involve
@@ -74,35 +75,37 @@ matrix_bot_draupnir_enable_experimental_rust_crypto: false
 
 # The access token for the bot user. Required if Pantalaimon is NOT used.
 # (Otherwise provide `matrix_bot_draupnir_pantalaimon_username` and `matrix_bot_draupnir_pantalaimon_password` instead.)
-matrix_bot_draupnir_access_token: ""
+matrix_bot_draupnir_config_accessToken: ""  # noqa var-naming
 
 # Username and password for the bot. Required if Pantalaimon is used.
-# (Otherwise provide `matrix_bot_draupnir_access_token` instead.)
+# (Otherwise provide `matrix_bot_draupnir_config_accessToken` instead.)
 matrix_bot_draupnir_pantalaimon_username: ""
 matrix_bot_draupnir_pantalaimon_password: ""
 
 # Username and password the bot uses for logging in directly. If Pantalaimon is used,
 # these values become the values of `matrix_bot_draupnir_pantalaimon_username` and `matrix_bot_draupnir_pantalaimon_password`
+# These config options do not follow the common naming schema as to not cause user confusion over them being called Pantalaimon when using native login.
 matrix_bot_draupnir_login: "{{ matrix_bot_draupnir_pantalaimon_username if matrix_bot_draupnir_pantalaimon_use == 'true' else 'bot.draupnir' }}"
 matrix_bot_draupnir_password: "{{ matrix_bot_draupnir_pantalaimon_password }}"
 
 # Controls if we activate the config block for Pantalaimon for now. Its name will
 # probably be changed for our usecase due to Draupnir's push to scrub Pantalaimon from the codebase.
+# This configuration option does not follow the common naming schema as its not controlling a config key directly.
 matrix_bot_draupnir_login_native: ""
 
 # The room ID where people can use the bot. The bot has no access controls, so
 # anyone in this room can use the bot - secure your room!
 # This should be a room alias or room ID - not a matrix.to URL.
 # Note: Draupnir is fairly verbose - expect a lot of messages from it.
-matrix_bot_draupnir_management_room: ""
+matrix_bot_draupnir_config_managementRoom: ""  # noqa var-naming
 
 # Endpoint URL that Draupnir uses to interact with the Matrix homeserver (client-server API).
 # Set this to the Pantalaimon URL if you're using that.
-matrix_bot_draupnir_homeserver_url: ""
+matrix_bot_draupnir_config_homeserverUrl: ""  # noqa var-naming
 
 # Endpoint URL that Draupnir could use to fetch events related to reports (client-server API and /_synapse/).
 # Only set this to the public-internet homeserver client API URL. Do NOT set this to the Pantalaimon URL.
-matrix_bot_draupnir_raw_homeserver_url: ""
+matrix_bot_draupnir_config_rawHomeserverUrl: ""  # noqa var-naming
 
 # Disable Server ACL is used if you do not want to give the bot the right to apply Server ACLs in rooms without complaints from the bot.
 # This setting is described the following way in the configuration.
@@ -112,12 +115,12 @@ matrix_bot_draupnir_raw_homeserver_url: ""
 # It is recommended to consult with people from the upstream project beforehand.
 #
 # It is exposed here because it is common enough to be valid to expose.
-matrix_bot_draupnir_disable_server_acl: "false"
+matrix_bot_draupnir_config_disableServerACL: false  # noqa var-naming
 
 # Controls if the room state backing store is activated.
 # Room state backing store makes restarts of the bot lightning fast as the bot does not suffer from amnesia.
 # This config option has diminished improvements for bots on extremely fast homeservers or very very small bots on fast homeservers.
-matrix_bot_draupnir_enable_room_state_backing_store: "true"
+matrix_bot_draupnir_config_roomStateBackingStore_enabled: true  # noqa var-naming
 
 # Default configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
diff --git a/roles/custom/matrix-bot-draupnir/tasks/main.yml b/roles/custom/matrix-bot-draupnir/tasks/main.yml
index e379c5e21..1a22fef82 100644
--- a/roles/custom/matrix-bot-draupnir/tasks/main.yml
+++ b/roles/custom/matrix-bot-draupnir/tasks/main.yml
@@ -1,4 +1,5 @@
 # SPDX-FileCopyrightText: 2023 MDAD project contributors
+# SPDX-FileCopyrightText: 2023 Catalan Lover <catalanlover@protonmail.com>
 # SPDX-FileCopyrightText: 2023 Slavi Pantaleev
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
diff --git a/roles/custom/matrix-bot-draupnir/tasks/setup_install.yml b/roles/custom/matrix-bot-draupnir/tasks/setup_install.yml
index 140d6e7e6..042fcbb9e 100644
--- a/roles/custom/matrix-bot-draupnir/tasks/setup_install.yml
+++ b/roles/custom/matrix-bot-draupnir/tasks/setup_install.yml
@@ -1,4 +1,5 @@
 # SPDX-FileCopyrightText: 2023 - 2024 MDAD project contributors
+# SPDX-FileCopyrightText: 2023 Catalan Lover <catalanlover@protonmail.com>
 # SPDX-FileCopyrightText: 2024 David Mehren
 # SPDX-FileCopyrightText: 2024 Slavi Pantaleev
 # SPDX-FileCopyrightText: 2024 Suguru Hirahara
diff --git a/roles/custom/matrix-bot-draupnir/tasks/setup_uninstall.yml b/roles/custom/matrix-bot-draupnir/tasks/setup_uninstall.yml
index 78f577a56..ff9d72767 100644
--- a/roles/custom/matrix-bot-draupnir/tasks/setup_uninstall.yml
+++ b/roles/custom/matrix-bot-draupnir/tasks/setup_uninstall.yml
@@ -1,4 +1,5 @@
 # SPDX-FileCopyrightText: 2023 MDAD project contributors
+# SPDX-FileCopyrightText: 2023 Catalan Lover <catalanlover@protonmail.com>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
diff --git a/roles/custom/matrix-bot-draupnir/tasks/validate_config.yml b/roles/custom/matrix-bot-draupnir/tasks/validate_config.yml
index 53f6dc3ea..834399e49 100644
--- a/roles/custom/matrix-bot-draupnir/tasks/validate_config.yml
+++ b/roles/custom/matrix-bot-draupnir/tasks/validate_config.yml
@@ -1,20 +1,40 @@
 # SPDX-FileCopyrightText: 2023 - 2025 MDAD project contributors
+# SPDX-FileCopyrightText: 2023 - 2025 Catalan Lover <catalanlover@protonmail.com>
 # SPDX-FileCopyrightText: 2024 - 2025 Slavi Pantaleev
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
 ---
 
+- name: (Deprecation) Catch and report renamed Draupnir settings
+  ansible.builtin.fail:
+    msg: >-
+      Your configuration contains a variable, which now has a different name.
+      Please rename the variable (`{{ item.old }}` -> `{{ item.new }}`) on your configuration file (vars.yml).
+  when: "item.old in vars"
+  with_items:
+    - {'old': 'matrix_bot_draupnir_container_image_name_prefix', 'new': 'matrix_bot_draupnir_container_image_registry_prefix'}
+    - {'old': 'matrix_bot_draupnir_enable_room_state_backing_store', 'new': 'matrix_bot_draupnir_config_roomStateBackingStore_enabled'}
+    - {'old': 'matrix_bot_draupnir_disable_server_acl', 'new': 'matrix_bot_draupnir_config_disableServerACL'}
+    - {'old': 'matrix_bot_draupnir_enable_experimental_rust_crypto', 'new': 'matrix_bot_draupnir_config_experimentalRustCrypto'}
+    - {'old': 'matrix_bot_draupnir_access_token', 'new': 'matrix_bot_draupnir_config_accessToken'}
+    - {'old': 'matrix_bot_draupnir_management_room', 'new': 'matrix_bot_draupnir_config_managementRoom'}
+    - {'old': 'matrix_bot_draupnir_homeserver_url', 'new': 'matrix_bot_draupnir_config_homeserverUrl'}
+    - {'old': 'matrix_bot_draupnir_raw_homeserver_url', 'new': 'matrix_bot_draupnir_config_rawHomeserverUrl'}
+    - {'old': 'matrix_bot_draupnir_web_enabled', 'new': 'matrix_bot_draupnir_config_web_enabled'}
+    - {'old': 'matrix_bot_draupnir_abuse_reporting_enabled', 'new': 'matrix_bot_draupnir_config_web_abuseReporting'}
+    - {'old': 'matrix_bot_draupnir_display_reports', 'new': 'matrix_bot_draupnir_config_displayReports'}
+
 - name: Fail if required matrix-bot-draupnir variables are undefined
   ansible.builtin.fail:
     msg: "The `{{ item.name }}` variable must be defined and have a non-null value."
   with_items:
-    - {'name': 'matrix_bot_draupnir_access_token', when: "{{ not matrix_bot_draupnir_pantalaimon_use }}"}
-    - {'name': 'matrix_bot_draupnir_access_token', when: "{{ matrix_bot_draupnir_enable_experimental_rust_crypto }}"}
-    - {'name': 'matrix_bot_draupnir_management_room', when: true}
+    - {'name': 'matrix_bot_draupnir_config_accessToken', when: "{{ not matrix_bot_draupnir_pantalaimon_use }}"}
+    - {'name': 'matrix_bot_draupnir_config_accessToken', when: "{{ matrix_bot_draupnir_enable_experimental_rust_crypto }}"}
+    - {'name': 'matrix_bot_draupnir_config_managementRoom', when: true}
     - {'name': 'matrix_bot_draupnir_container_network', when: true}
-    - {'name': 'matrix_bot_draupnir_homeserver_url', when: true}
-    - {'name': 'matrix_bot_draupnir_raw_homeserver_url', when: true}
+    - {'name': 'matrix_bot_draupnir_config_homeserverUrl', when: true}
+    - {'name': 'matrix_bot_draupnir_config_rawHomeserverUrl', when: true}
     - {'name': 'matrix_bot_draupnir_pantalaimon_username', when: "{{ matrix_bot_draupnir_pantalaimon_use }}"}
     - {'name': 'matrix_bot_draupnir_pantalaimon_password', when: "{{ matrix_bot_draupnir_pantalaimon_use }}"}
   when: "item.when | bool and (vars[item.name] == '' or vars[item.name] is none)"
@@ -23,8 +43,8 @@
   ansible.builtin.fail:
     msg: "The `{{ item.name }}` variable must be undefined or have a null value."
   with_items:
-    - {'name': 'matrix_bot_draupnir_access_token', when: "{{ matrix_bot_draupnir_pantalaimon_use }}"}
-    - {'name': 'matrix_bot_draupnir_access_token', when: "{{ matrix_bot_draupnir_login_native }}"}
+    - {'name': 'matrix_bot_draupnir_config_accessToken', when: "{{ matrix_bot_draupnir_pantalaimon_use }}"}
+    - {'name': 'matrix_bot_draupnir_config_accessToken', when: "{{ matrix_bot_draupnir_login_native }}"}
     - {'name': 'matrix_bot_draupnir_pantalaimon_use', when: "{{  matrix_bot_draupnir_enable_experimental_rust_crypto }}"}
   when: "item.when | bool and not (vars[item.name] == '' or vars[item.name] is none)"
 
@@ -40,12 +60,3 @@
               "Note: Draupnir does not support running with Pantalaimon as it would break all workflows that involve answering prompts with reactions. To enable E2EE for Draupnir, it is recommended to use matrix_bot_draupnir_enable_experimental_rust_crypto instead. This warning can be disabled by setting matrix_bot_draupnir_pantalaimon_breakage_ignore to true."
             ]
           }}
-
-- name: (Deprecation) Catch and report renamed Draupnir settings
-  ansible.builtin.fail:
-    msg: >-
-      Your configuration contains a variable, which now has a different name.
-      Please rename the variable (`{{ item.old }}` -> `{{ item.new }}`) on your configuration file (vars.yml).
-  when: "item.old in vars"
-  with_items:
-    - {'old': 'matrix_bot_draupnir_container_image_name_prefix', 'new': 'matrix_bot_draupnir_container_image_registry_prefix'}
diff --git a/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2 b/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2
index 147472936..637738b6e 100644
--- a/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2
+++ b/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2
@@ -1,5 +1,6 @@
 {#
 SPDX-FileCopyrightText: 2023 - 2024 MDAD project contributors
+SPDX-FileCopyrightText: 2023 - 2025 Catalan Lover <catalanlover@protonmail.com>
 SPDX-FileCopyrightText: 2024 Slavi Pantaleev
 SPDX-FileCopyrightText: 2024 Suguru Hirahara
 
@@ -7,16 +8,16 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 #}
 
 # Endpoint URL that Draupnir uses to interact with the Matrix homeserver (client-server API),
-homeserverUrl: {{ matrix_bot_draupnir_homeserver_url | to_json }}
+homeserverUrl: {{ matrix_bot_draupnir_config_homeserverUrl | to_json }}
 
 # Endpoint URL that Draupnir could use to fetch events related to reports (client-server API and /_synapse/),
 # only set this to the public-internet homeserver client API URL, do NOT set this to the pantalaimon URL.
-rawHomeserverUrl: {{ matrix_bot_draupnir_raw_homeserver_url | to_json }}
+rawHomeserverUrl: {{ matrix_bot_draupnir_config_rawHomeserverUrl | to_json }}
 
 # Matrix Access Token to use, Draupnir will only use this if pantalaimon.use is false.
 # This option can be loaded from a file by passing "--access-token-path <path>" at the command line,
 # which would allow using secret management systems such as systemd's service credentials.
-accessToken: {{ matrix_bot_draupnir_access_token | to_json }}
+accessToken: {{ matrix_bot_draupnir_config_accessToken | to_json }}
 
 {% if matrix_bot_draupnir_pantalaimon_use or matrix_bot_draupnir_login_native %}
 # Options related to Pantalaimon (https://github.com/matrix-org/pantalaimon)
@@ -42,7 +43,7 @@ pantalaimon:
 # Make sure Pantalaimon is disabled in Draupnir's configuration.
 #
 # Warning: At this time this is not considered production safe.
-experimentalRustCrypto: {{ matrix_bot_draupnir_enable_experimental_rust_crypto | to_json }}
+experimentalRustCrypto: {{ matrix_bot_draupnir_config_experimentalRustCrypto | to_json }}
 
 # The path Draupnir will store its state/data in, leave default ("/data/storage") when using containers.
 dataPath: "/data"
@@ -65,7 +66,7 @@ recordIgnoredInvites: false
 #
 # Note: By default, Draupnir is fairly verbose - expect a lot of messages in this room.
 # (see verboseLogging to adjust this a bit.)
-managementRoom: {{ matrix_bot_draupnir_management_room | to_json }}
+managementRoom: {{ matrix_bot_draupnir_config_managementRoom | to_json }}
 
 # Deprecated and will be removed in a future version.
 # Running with verboseLogging is unsupported.
@@ -93,7 +94,7 @@ noop: false
 
 # Whether or not Draupnir should apply `m.room.server_acl` events.
 # DO NOT change this to `true` unless you are very confident that you know what you are doing.
-disableServerACL: {{ matrix_bot_draupnir_disable_server_acl | to_json }}
+disableServerACL: {{ matrix_bot_draupnir_config_disableServerACL | to_json }}
 
 # A case-insensitive list of ban reasons to have the bot also automatically redact the user's messages for.
 #
@@ -199,7 +200,7 @@ commands:
 # homeserver and know that Draupnir is starting up quickly. If your homeserver can
 # respond quickly to Draupnir's requests for `/state` then you might not need this option.
 roomStateBackingStore:
-  enabled: {{ matrix_bot_draupnir_enable_room_state_backing_store | to_json }}
+  enabled: {{ matrix_bot_draupnir_config_roomStateBackingStore_enabled | to_json }}
 
 # Safe mode provides recovery options for some failure modes when Draupnir
 # fails to start. For example, if the bot fails to resolve a room alias in
@@ -261,7 +262,7 @@ health:
     # and 1.0 means "trace performance at every opportunity".
     # tracesSampleRate: 0.5
 
-{% if matrix_bot_draupnir_web_enabled %}
+{% if matrix_bot_draupnir_config_web_enabled %}
 # Options for exposing web APIs.
 web:
   # Whether to enable web APIs.
@@ -287,7 +288,7 @@ web:
   # to configure a reverse proxy, see e.g. test/nginx.conf
   abuseReporting:
     # Whether to enable this feature.
-    enabled: {{ matrix_bot_draupnir_abuse_reporting_enabled | to_json }}
+    enabled: {{ matrix_bot_draupnir_config_web_abuseReporting | to_json }}
 {% endif %}
 
 # FIXME: This configuration option is currently broken in the playbook as admin APIs cannot
@@ -300,4 +301,4 @@ web:
 
 # Whether or not new reports, received either by webapi or polling,
 # should be printed to our managementRoom.
-displayReports: {{ matrix_bot_draupnir_display_reports | to_json }}
+displayReports: {{ matrix_bot_draupnir_config_displayReports | to_json }}
diff --git a/roles/custom/matrix-bot-draupnir/templates/systemd/matrix-bot-draupnir.service.j2.license b/roles/custom/matrix-bot-draupnir/templates/systemd/matrix-bot-draupnir.service.j2.license
index ff638a924..e8c361acd 100644
--- a/roles/custom/matrix-bot-draupnir/templates/systemd/matrix-bot-draupnir.service.j2.license
+++ b/roles/custom/matrix-bot-draupnir/templates/systemd/matrix-bot-draupnir.service.j2.license
@@ -1,4 +1,5 @@
 SPDX-FileCopyrightText: 2023 - 2025 Slavi Pantaleev
+SPDX-FileCopyrightText: 2023 - 2024 Catalan Lover <catalanlover@protonmail.com>
 SPDX-FileCopyrightText: 2024 MDAD project contributors
 
 SPDX-License-Identifier: AGPL-3.0-or-later

From bf1efda094978b9368ac8b07dc26e8ab62614e96 Mon Sep 17 00:00:00 2001
From: Benjamin Blacher <privat@benjaminblacher.com>
Date: Thu, 13 Mar 2025 20:28:23 +0100
Subject: [PATCH 05/11] Add support for configuring Synapse's MSC4133 (Custom
 Profile Fields) (#4171)

* Add support for configuring Synapse's MSC4133 (Custom Profile Fields) experimental feature

* Reorder experimental_features in homeserver.yaml.j2 alphabetically

---------

Co-authored-by: Slavi Pantaleev <slavi@devture.com>
---
 roles/custom/matrix-synapse/defaults/main.yml              | 7 +++++++
 .../matrix-synapse/templates/synapse/homeserver.yaml.j2    | 3 +++
 2 files changed, 10 insertions(+)

diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml
index 9147e127d..0aa9d5f4b 100644
--- a/roles/custom/matrix-synapse/defaults/main.yml
+++ b/roles/custom/matrix-synapse/defaults/main.yml
@@ -1275,6 +1275,13 @@ matrix_synapse_experimental_features_msc4140_enabled: false
 # See `matrix_synapse_experimental_features_msc4140_enabled`.
 matrix_synapse_max_event_delay_duration: 24h
 
+# Controls whether to enable the MSC4133 experimental feature (Custom profile fields).
+#
+# This allows clients to set custom profile fields (e.g. User Time Zone in Element Web)
+#
+# See https://github.com/matrix-org/matrix-spec-proposals/pull/4133
+matrix_synapse_experimental_features_msc4133_enabled: false
+
 # Controls whether to enable the MSC4222 experimental feature (adding `state_after` to sync v2).
 #
 # Allow clients to opt-in to a change of the sync v2 API that allows them to correctly track the state of the room.
diff --git a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2
index 9675bb245..218be3b03 100644
--- a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2
+++ b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2
@@ -2987,6 +2987,9 @@ experimental_features:
   {% if matrix_synapse_experimental_features_msc4108_enabled %}
   msc4108_enabled: true
   {% endif %}
+  {% if matrix_synapse_experimental_features_msc4133_enabled %}
+  msc4133_enabled: true
+  {% endif %}
   {% if matrix_synapse_experimental_features_msc4140_enabled %}
   msc4140_enabled: true
   {% endif %}

From 8637c1d7d70d0e97c5089613d7362460c945e064 Mon Sep 17 00:00:00 2001
From: Suguru Hirahara <acioustick@noreply.codeberg.org>
Date: Fri, 14 Mar 2025 15:59:00 +0900
Subject: [PATCH 06/11] Update docs/configuring-playbook-ntfy.md: add the
 instruction to log in to the account with authentication enabled

Copied from https://github.com/mother-of-all-self-hosting/mash-playbook/blob/6a9ef8c147b7293b48913151fb703eb51a350a88/docs/services/ntfy.md

Signed-off-by: Suguru Hirahara <acioustick@noreply.codeberg.org>
---
 docs/configuring-playbook-ntfy.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/configuring-playbook-ntfy.md b/docs/configuring-playbook-ntfy.md
index 2f5961e4a..866f4bc96 100644
--- a/docs/configuring-playbook-ntfy.md
+++ b/docs/configuring-playbook-ntfy.md
@@ -115,7 +115,7 @@ The shortcut commands with the [`just` program](just.md) are also available: `ju
 
 ## Usage
 
-To receive push notifications with UnifiedPush from the ntfy server, you need to **install [the ntfy Android app](https://docs.ntfy.sh/subscribe/phone/)** which works as the Distrubutor and then **configure a UnifiedPush-compatible Matrix client**. After setting up the ntfy Android app, the Matrix client listens to it, and push notitications are "distributed" from it.
+To receive push notifications with UnifiedPush from the ntfy server, you need to **install [the ntfy Android app](https://docs.ntfy.sh/subscribe/phone/)** which works as the Distrubutor, **log in to the account on the ntfy app** if you have enabled the access control, and then **configure a UnifiedPush-compatible Matrix client**. After setting up the ntfy Android app, the Matrix client listens to it, and push notitications are "distributed" from it.
 
 For details about installing and configuring the ntfy Android app, take a look at [this section](https://github.com/mother-of-all-self-hosting/ansible-role-ntfy/blob/main/docs/configuring-ntfy.md#install-the-ntfy-androidios-app) on the role's documentation.
 

From 824c44692005242f2a362b23e649ec073397e6e5 Mon Sep 17 00:00:00 2001
From: Suguru Hirahara <acioustick@noreply.codeberg.org>
Date: Fri, 14 Mar 2025 17:08:50 +0900
Subject: [PATCH 07/11] Update docs/configuring-playbook-ssl-certificates.md:
 tidy up

Signed-off-by: Suguru Hirahara <acioustick@noreply.codeberg.org>
---
 docs/configuring-playbook-ssl-certificates.md | 55 ++++++++++---------
 1 file changed, 28 insertions(+), 27 deletions(-)

diff --git a/docs/configuring-playbook-ssl-certificates.md b/docs/configuring-playbook-ssl-certificates.md
index 50f2fbc2b..dba3dcd84 100644
--- a/docs/configuring-playbook-ssl-certificates.md
+++ b/docs/configuring-playbook-ssl-certificates.md
@@ -11,57 +11,56 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 
 # Adjusting SSL certificate retrieval (optional, advanced)
 
-By default, this playbook retrieves and auto-renews free SSL certificates from [Let's Encrypt](https://letsencrypt.org/) for the domains it needs (e.g. `matrix.example.com` and others)
+By default, the playbook retrieves and automatically renews free SSL certificates from [Let's Encrypt](https://letsencrypt.org/) via [ACME](https://en.wikipedia.org/wiki/Automatic_Certificate_Management_Environment) for the domains of the services it installs (e.g. `matrix.example.com` and others). Refer this guide if you want to modify settings about how it manages SSL certificates or have the Traefik server use yours.
 
-This guide is about using the integrated Traefik server and doesn't apply if you're using [your own webserver](configuring-playbook-own-webserver.md).
+**Note**: the guide is intended to be referred for configuring the integrated Traefik server with regard to SSL certificates retrieval. If you're using [your own webserver](configuring-playbook-own-webserver.md), consult its documentation about how to configure it.
 
-## Using staging Let's Encrypt certificates instead of real ones
+## Use staging Let's Encrypt certificates
 
-For testing purposes, you may wish to use staging certificates provide by Let's Encrypt.
+For testing purposes, you may wish to use staging certificates provided by Let's Encrypt to avoid hitting [its rate limits](https://letsencrypt.org/docs/rate-limits/).
 
-Add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:
+To use ones, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:
 
 ```yaml
 traefik_config_certificatesResolvers_acme_use_staging: true
 ```
 
-## Disabling SSL termination
+## Disable SSL termination
 
 For testing or other purposes, you may wish to install services without SSL termination and have services exposed to `http://` instead of `https://`.
 
-Add the following configuration to your `vars.yml` file:
+To do so, add the following configuration to your `vars.yml` file:
 
 ```yaml
 traefik_config_entrypoint_web_secure_enabled: false
 ```
 
-## Using self-signed SSL certificates
+## Use self-signed SSL certificates
 
-If you'd like to use your own SSL certificates, instead of the default (SSL certificates obtained automatically via [ACME](https://en.wikipedia.org/wiki/Automatic_Certificate_Management_Environment) from [Let's Encrypt](https://letsencrypt.org/)):
+To use self-signed certificates, generate them and follow the documentation below about using your own certificates.
 
-- generate your self-signed certificate files
-- follow the [Using your own SSL certificates](#using-your-own-ssl-certificates) documentation below
+## Use your own SSL certificates
 
-## Using your own SSL certificates
+To use your own certificates, prepare them and follow the steps below:
 
-To use your own SSL certificates with Traefik, you need to:
+- Disable [ACME](https://en.wikipedia.org/wiki/Automatic_Certificate_Management_Environment) / [Let's Encrypt](https://letsencrypt.org/) support
+- Put a custom Traefik configuration file on the server, with the help of this Ansible playbook (via the [`aux` role](https://github.com/mother-of-all-self-hosting/ansible-role-aux)) or manually
+- Register your custom configuration file with Traefik, by adding an extra provider of type [file](https://doc.traefik.io/traefik/providers/file/)
+- Put the SSL files on the server, with the help of this Ansible playbook (via the [`aux` role](https://github.com/mother-of-all-self-hosting/ansible-role-aux)) or manually
 
-- disable [ACME](https://en.wikipedia.org/wiki/Automatic_Certificate_Management_Environment) / [Let's Encrypt](https://letsencrypt.org/) support
-- put a custom Traefik configuration file on the server, with the help of this Ansible playbook (via the [`aux` role](https://github.com/mother-of-all-self-hosting/ansible-role-aux)) or manually
-- register your custom configuration file with Traefik, by adding an extra provider of type [file](https://doc.traefik.io/traefik/providers/file/)
-- put the SSL files on the server, with the help of this Ansible playbook (via the [`aux` role](https://github.com/mother-of-all-self-hosting/ansible-role-aux)) or manually
+For those steps, you can add the following configuration to your `vars.yml` file (adapt to your needs). If you will put the custom configuration files manually, make sure to remove the `aux_file_definitions` variable.
 
 ```yaml
 # Disable ACME / Let's Encrypt support.
 traefik_config_certificatesResolvers_acme_enabled: false
 
-# Disabling ACME support (above) automatically disables the creation of the SSL directory.
-# Force-enable it here, because we'll add our certificate files there.
+# Disabling ACME support (above) automatically disables the SSL directory to be created.
+# Force-enable it to be created with this configuration, because we'll add our certificate files there.
 traefik_ssl_dir_enabled: true
 
-# Tell Traefik to load our custom ssl key pair by extending provider configuration.
+# Tell Traefik to load our custom SSL key pair by extending provider configuration.
 # The key pair files are created below, in `aux_file_definitions`.
-# The `/ssl/…` path is an in-container path, not a path on the host (like `/matrix/traefik/ssl`). Do not change it!
+# Note that the `/ssl/…` path is an **in-container path**, not a path on the host (like `/matrix/traefik/ssl`). Do not change it!
 traefik_provider_configuration_extension_yaml:
   tls:
     certificates:
@@ -74,14 +73,14 @@ traefik_provider_configuration_extension_yaml:
           keyFile: /ssl/privkey.pem
 
 # Use the aux role to create our custom files on the server.
-# If you'd like to do this manually, you remove this `aux_file_definitions` variable.
+# If you'd like to do this manually, remove this `aux_file_definitions` variable.
 aux_file_definitions:
   # Create the privkey.pem file on the server by
   # uploading a file from the computer where Ansible is running.
   - dest: "{{ traefik_ssl_dir_path }}/privkey.pem"
     src: /path/on/your/Ansible/computer/to/privkey.pem
     # Alternatively, comment out `src` above and uncomment the lines below to provide the certificate content inline.
-    # Note the indentation level.
+    # Mind the indentation level (indented with two white space characters).
     # content: |
     #   FILE CONTENT
     #   HERE
@@ -91,20 +90,22 @@ aux_file_definitions:
   - dest: "{{ traefik_ssl_dir_path }}/cert.pem"
     src: /path/on/your/Ansible/computer/to/cert.pem
     # Alternatively, comment out `src` above and uncomment the lines below to provide the certificate content inline.
-    # Note the indentation level.
+    # Mind the indentation level (indented with two white space characters).
     # content: |
     #   FILE CONTENT
     #   HERE
 ```
 
-## Using a DNS-01 ACME challenge type, instead of HTTP-01
+## Use a DNS-01 ACME challenge type, instead of HTTP-01
 
-You can configure Traefik to use the [DNS-01 challenge type](https://letsencrypt.org/docs/challenge-types/#dns-01-challenge) for Let's Encrypt. This is less commonly used than the default [HTTP-01 challenge type](https://letsencrypt.org/docs/challenge-types/#http-01-challenge), but it can be helpful to:
+You can configure Traefik to use the [DNS-01 challenge type](https://letsencrypt.org/docs/challenge-types/#dns-01-challenge) for Let's Encrypt. This is less commonly used than the default [HTTP-01 challenge type](https://letsencrypt.org/docs/challenge-types/#http-01-challenge), but can be helpful to:
 
 - hide your public IP from Let's Encrypt logs
 - allow you to obtain SSL certificates for servers which are not accessible (via HTTP) from the public internet (and for which the HTTP-01 challenge would fail)
 
-This is an example for how to edit the `vars.yml` file if you're using Cloudflare:
+### Example: Cloudflare
+
+Here is an example for configurations on the `vars.yml` file for Cloudflare. Please adjust it as necessary before applying it.
 
 ```yaml
 traefik_config_certificatesResolvers_acme_dnsChallenge_enabled: true

From 0b39528ae3db0881abe8f458ebc4ead79b25a7b6 Mon Sep 17 00:00:00 2001
From: Suguru Hirahara <acioustick@noreply.codeberg.org>
Date: Fri, 14 Mar 2025 18:58:48 +0900
Subject: [PATCH 08/11] Update docs/configuring-playbook-ssl-certificates.md:
 add the introduction of Update Kuma on the MASH playbook

Signed-off-by: Suguru Hirahara <acioustick@noreply.codeberg.org>
---
 docs/configuring-playbook-ssl-certificates.md | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/docs/configuring-playbook-ssl-certificates.md b/docs/configuring-playbook-ssl-certificates.md
index dba3dcd84..078cf3103 100644
--- a/docs/configuring-playbook-ssl-certificates.md
+++ b/docs/configuring-playbook-ssl-certificates.md
@@ -13,7 +13,11 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 
 By default, the playbook retrieves and automatically renews free SSL certificates from [Let's Encrypt](https://letsencrypt.org/) via [ACME](https://en.wikipedia.org/wiki/Automatic_Certificate_Management_Environment) for the domains of the services it installs (e.g. `matrix.example.com` and others). Refer this guide if you want to modify settings about how it manages SSL certificates or have the Traefik server use yours.
 
-**Note**: the guide is intended to be referred for configuring the integrated Traefik server with regard to SSL certificates retrieval. If you're using [your own webserver](configuring-playbook-own-webserver.md), consult its documentation about how to configure it.
+**Notes**:
+- This guide is intended to be referred for configuring the integrated Traefik server with regard to SSL certificates retrieval. If you're using [your own webserver](configuring-playbook-own-webserver.md), consult its documentation about how to configure it.
+- Let's Encrypt ends the expiration notification email service on June 4, 2025 (see: [the official announcement](https://letsencrypt.org/2025/01/22/ending-expiration-emails/)), and it recommends using a third party service for those who want to receive expiriation notifications. If you are looking for a self-hosting service, you may be interested in a monitoring tool such as [Update Kuma](https://github.com/louislam/uptime-kuma/).
+
+  The [Mother-of-All-Self-Hosting (MASH)](https://github.com/mother-of-all-self-hosting/mash-playbook) Ansible playbook can be used to install and manage an Uptime Kuma instance. See [this page](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/services/uptime-kuma.md) for the instruction to install it with the MASH playbook. If you are wondering how to use the MASH playbook for your Matrix server, refer [this page](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/setting-up-services-on-mdad-server.md).
 
 ## Use staging Let's Encrypt certificates
 

From 808d0202c7786a408a5a3e7168ef1e17a55e30cf Mon Sep 17 00:00:00 2001
From: Catalan Lover <catalanlover@protonmail.com>
Date: Fri, 14 Mar 2025 10:22:18 +0100
Subject: [PATCH 09/11] Fix Rust Crypto variables being partially missed in
 Rename

---
 docs/configuring-playbook-bot-draupnir.md                  | 4 ++--
 roles/custom/matrix-bot-draupnir/defaults/main.yml         | 2 +-
 roles/custom/matrix-bot-draupnir/tasks/validate_config.yml | 6 +++---
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/docs/configuring-playbook-bot-draupnir.md b/docs/configuring-playbook-bot-draupnir.md
index 8465dcbd8..dcf965beb 100644
--- a/docs/configuring-playbook-bot-draupnir.md
+++ b/docs/configuring-playbook-bot-draupnir.md
@@ -54,7 +54,7 @@ To enable the native E2EE support, add the following configuration to your `vars
 
 ```yaml
 # Enables the native E2EE support
-matrix_bot_draupnir_enable_experimental_rust_crypto: true
+matrix_bot_draupnir_config_experimentalRustCrypto: true
 
 # Access token which the bot will use for logging in.
 # Comment out `matrix_bot_draupnir_login_native` when using this option.
@@ -76,7 +76,7 @@ matrix_bot_draupnir_enabled: true
 # If creating the user on your own and using `matrix_bot_draupnir_config_accessToken` to login you can comment out this line.
 matrix_bot_draupnir_password: PASSWORD_FOR_THE_BOT
 
-# Comment out if using `matrix_bot_draupnir_enable_experimental_rust_crypto: true` or `matrix_bot_draupnir_config_accessToken` to login.
+# Comment out if using `matrix_bot_draupnir_config_experimentalRustCrypto: true` or `matrix_bot_draupnir_config_accessToken` to login.
 matrix_bot_draupnir_login_native: true
 
 matrix_bot_draupnir_config_managementRoom: "MANAGEMENT_ROOM_ID_HERE"
diff --git a/roles/custom/matrix-bot-draupnir/defaults/main.yml b/roles/custom/matrix-bot-draupnir/defaults/main.yml
index 31ade1be0..f3197e898 100644
--- a/roles/custom/matrix-bot-draupnir/defaults/main.yml
+++ b/roles/custom/matrix-bot-draupnir/defaults/main.yml
@@ -71,7 +71,7 @@ matrix_bot_draupnir_pantalaimon_breakage_ignore: false
 # Tells the bot if it should use its native E2EE support in the form of experimental Rust Crypto in the bot SDK.
 # This option is mutually exclusive with `matrix_bot_draupnir_pantalaimon_use`.
 # Rust Crypto requires a clean access token that has not touched E2EE so curl is recommended as a method to obtain it.
-matrix_bot_draupnir_enable_experimental_rust_crypto: false
+matrix_bot_draupnir_config_experimentalRustCrypto: false  # noqa var-naming
 
 # The access token for the bot user. Required if Pantalaimon is NOT used.
 # (Otherwise provide `matrix_bot_draupnir_pantalaimon_username` and `matrix_bot_draupnir_pantalaimon_password` instead.)
diff --git a/roles/custom/matrix-bot-draupnir/tasks/validate_config.yml b/roles/custom/matrix-bot-draupnir/tasks/validate_config.yml
index 834399e49..c5816ea51 100644
--- a/roles/custom/matrix-bot-draupnir/tasks/validate_config.yml
+++ b/roles/custom/matrix-bot-draupnir/tasks/validate_config.yml
@@ -30,7 +30,7 @@
     msg: "The `{{ item.name }}` variable must be defined and have a non-null value."
   with_items:
     - {'name': 'matrix_bot_draupnir_config_accessToken', when: "{{ not matrix_bot_draupnir_pantalaimon_use }}"}
-    - {'name': 'matrix_bot_draupnir_config_accessToken', when: "{{ matrix_bot_draupnir_enable_experimental_rust_crypto }}"}
+    - {'name': 'matrix_bot_draupnir_config_accessToken', when: "{{ matrix_bot_draupnir_config_experimentalRustCrypto }}"}
     - {'name': 'matrix_bot_draupnir_config_managementRoom', when: true}
     - {'name': 'matrix_bot_draupnir_container_network', when: true}
     - {'name': 'matrix_bot_draupnir_config_homeserverUrl', when: true}
@@ -45,7 +45,7 @@
   with_items:
     - {'name': 'matrix_bot_draupnir_config_accessToken', when: "{{ matrix_bot_draupnir_pantalaimon_use }}"}
     - {'name': 'matrix_bot_draupnir_config_accessToken', when: "{{ matrix_bot_draupnir_login_native }}"}
-    - {'name': 'matrix_bot_draupnir_pantalaimon_use', when: "{{  matrix_bot_draupnir_enable_experimental_rust_crypto }}"}
+    - {'name': 'matrix_bot_draupnir_pantalaimon_use', when: "{{  matrix_bot_draupnir_config_experimentalRustCrypto }}"}
   when: "item.when | bool and not (vars[item.name] == '' or vars[item.name] is none)"
 
 - when: "matrix_bot_draupnir_pantalaimon_use == 'true' and matrix_bot_draupnir_pantalaimon_breakage_ignore == 'false'"
@@ -57,6 +57,6 @@
             devture_playbook_runtime_messages_list | default([])
             +
             [
-              "Note: Draupnir does not support running with Pantalaimon as it would break all workflows that involve answering prompts with reactions. To enable E2EE for Draupnir, it is recommended to use matrix_bot_draupnir_enable_experimental_rust_crypto instead. This warning can be disabled by setting matrix_bot_draupnir_pantalaimon_breakage_ignore to true."
+              "Note: Draupnir does not support running with Pantalaimon as it would break all workflows that involve answering prompts with reactions. To enable E2EE for Draupnir, it is recommended to use matrix_bot_draupnir_config_experimentalRustCrypto instead. This warning can be disabled by setting matrix_bot_draupnir_pantalaimon_breakage_ignore to true."
             ]
           }}

From e073685632b97d0ad837c2119f773e81a756ee44 Mon Sep 17 00:00:00 2001
From: Catalan Lover <catalanlover@protonmail.com>
Date: Fri, 14 Mar 2025 11:51:49 +0100
Subject: [PATCH 10/11] Fix D4A Config Validation checking for old variable and
 fix docs ref

---
 docs/configuring-playbook-appservice-draupnir-for-all.md        | 2 +-
 .../tasks/validate_config.yml                                   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/configuring-playbook-appservice-draupnir-for-all.md b/docs/configuring-playbook-appservice-draupnir-for-all.md
index 69890b3af..0f2362f47 100644
--- a/docs/configuring-playbook-appservice-draupnir-for-all.md
+++ b/docs/configuring-playbook-appservice-draupnir-for-all.md
@@ -45,7 +45,7 @@ Add the following configuration to your `inventory/host_vars/matrix.example.com/
 ```yaml
 matrix_appservice_draupnir_for_all_enabled: true
 
-matrix_appservice_draupnir_for_all_master_control_room_alias: "MANAGEMENT_ROOM_ALIAS_HERE"
+matrix_appservice_draupnir_for_all_config_adminRoom: "MANAGEMENT_ROOM_ALIAS_HERE"
 ```
 
 ### Extending the configuration
diff --git a/roles/custom/matrix-appservice-draupnir-for-all/tasks/validate_config.yml b/roles/custom/matrix-appservice-draupnir-for-all/tasks/validate_config.yml
index 72f86a7ef..95ed9fde3 100644
--- a/roles/custom/matrix-appservice-draupnir-for-all/tasks/validate_config.yml
+++ b/roles/custom/matrix-appservice-draupnir-for-all/tasks/validate_config.yml
@@ -11,7 +11,7 @@
   ansible.builtin.fail:
     msg: "The `{{ item }}` variable must be defined and have a non-null value."
   with_items:
-    - "matrix_appservice_draupnir_for_all_master_control_room_alias"
+    - "matrix_appservice_draupnir_for_all_config_adminRoom"
     - "matrix_bot_draupnir_container_network"
   when: "vars[item] == '' or vars[item] is none"
 

From 8e883a555400fb4f41372f518ddcb6a1ac89d20c Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev <slavi@devture.com>
Date: Fri, 14 Mar 2025 19:06:37 +0200
Subject: [PATCH 11/11] Fail if Synapse experimental feature QR code login
 (MSC4108) is enabled while Next-Gen Auth (MSC3861) is not

---
 roles/custom/matrix-synapse/tasks/validate_config.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/roles/custom/matrix-synapse/tasks/validate_config.yml b/roles/custom/matrix-synapse/tasks/validate_config.yml
index 372728a3e..c760a6d0a 100644
--- a/roles/custom/matrix-synapse/tasks/validate_config.yml
+++ b/roles/custom/matrix-synapse/tasks/validate_config.yml
@@ -47,6 +47,14 @@
 
     - {'name': 'matrix_synapse_container_labels_traefik_compression_middleware_name', when: "{{ matrix_synapse_container_labels_traefik_compression_middleware_enabled }}"}
 
+# If only MSC 4108 is enabled, Synapse fails with: "MSC4108 requires MSC3861 to be enabled"
+- name: Fail if Synapse experimental feature QR code login (MSC4108) is enabled while Next-Gen Auth (MSC3861) is not
+  ansible.builtin.fail:
+    msg: >-
+      QR code login (MSC4108) requires Next-Gen Auth (MSC3861) to be enabled or Synapse will fail to start.
+      Enable `matrix_synapse_experimental_features_msc3861_enabled` when using `matrix_synapse_experimental_features_msc4108_enabled`.
+  when: "matrix_synapse_experimental_features_msc4108_enabled and not matrix_synapse_experimental_features_msc3861_enabled"
+
 - name: Fail if asking for more than 1 instance of single-instance workers
   ansible.builtin.fail:
     msg: >-