Merge branch 'master' into feature/dendrite

2025-05-30 08:55:15 +00:00 · 2021-12-17 16:41:11 +02:00 · 2021-12-17 16:41:11 +02:00 · be2118d099
commit be2118d099
parent 8f4685f055 60592fd6a8
170 changed files with 1291 additions and 663 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,3 +1,21 @@
+# 2021-12-14
+
+## (Security) Users of the Signal bridge may wish to upgrade it to work around log4j vulnerability
+
+Recently, a security vulnerability affecting the Java logging package `log4j` [has been discovered](https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java). Software that uses this Java package is potentially vulnerable.
+
+One such piece of software that is part of the playbook is the [mautrix-signal bridge](./docs/configuring-playbook-bridge-mautrix-signal.md), which [has been patched already](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1452). If you're running this bridge, you may wish to [upgrade](./docs/maintenance-upgrading-services.md).
+
+
+# 2021-11-11
+
+## Dropped support for Postgres v9.6
+
+Postgres v9.6 reached its end of life today, so the playbook will refuse to run for you if you're still on that version.
+
+Synapse still supports v9.6 (for now), but we're retiring support for it early, to avoid having to maintain support for so many Postgres versions. Users that are still on Postgres v9.6 can easily [upgrade Postgres](docs/maintenance-postgres.md#upgrading-postgresql) via the playbook.
+
+
 # 2021-10-23

 ## Hangouts bridge no longer updated, superseded by a Googlechat bridge
@ -244,6 +262,8 @@ The fact that we've renamed Synapse's database from `homeserver` to `synapse` (i

 ## (Breaking Change) The mautrix-facebook bridge now requires a Postgres database

+**Update from 2021-11-15**: SQLite support has been re-added to the mautrix-facebook bridge in [v0.3.2](https://github.com/mautrix/facebook/releases/tag/v0.3.2). You can ignore this changelog entry.
+
 A new version of the [mautrix-facebook](https://github.com/tulir/mautrix-facebook) bridge has been released. It's a full rewrite of its backend and the bridge now requires Postgres. New versions of the bridge can no longer run on SQLite.

 **TLDR**: if you're NOT using an [external Postgres server](docs/configuring-playbook-external-postgres.md) and have NOT forcefully kept the bridge on SQLite during [The big move to all-on-Postgres (potentially dangerous)](#the-big-move-to-all-on-postgres-potentially-dangerous), you will be automatically upgraded without manual intervention. All you need to do is send a `login` message to the Facebook bridge bot again.
--- a/collections/requirements.yml
+++ b/collections/requirements.yml
@ -0,0 +1,4 @@
+---
+collections:
+  - name: community.general
+  - name: community.docker  
--- a/docs/ansible.md
+++ b/docs/ansible.md
@ -51,7 +51,7 @@ docker run -it --rm \
 -v `pwd`:/work \
 -v $HOME/.ssh/id_rsa:/root/.ssh/id_rsa:ro \
 --entrypoint=/bin/sh \
-docker.io/devture/ansible:2.9.14-r0
+docker.io/devture/ansible:2.10.7-r0
 ```

 The above command tries to mount an SSH key (`$HOME/.ssh/id_rsa`) into the container (at `/root/.ssh/id_rsa`).
--- a/docs/configuring-playbook-bridge-mautrix-whatsapp.md
+++ b/docs/configuring-playbook-bridge-mautrix-whatsapp.md
@ -8,8 +8,25 @@ Use the following playbook configuration:

 ```yaml
 matrix_mautrix_whatsapp_enabled: true
-```
+``` 
+Whatsapp multidevice beta is required, now it is enough if Whatsapp is connected to the Internet every 2 weeks.

+## Enable backfilling history
+This requires a server with MSC2716 support, which is currently an experimental feature in synapse.
+Note that as of Synapse 1.46, there are still some bugs with the implementation, especially if using event persistence workers.
+Use the following playbook configuration:
+
+```yaml
+matrix_synapse_configuration_extension_yaml: |
+  experimental_features:
+    msc2716_enabled: true
+```
+```yaml
+matrix_mautrix_whatsapp_configuration_extension_yaml:
+  bridge:
+    history_sync:
+      backfill: true
+```

 ## Set up Double Puppeting

--- a/docs/configuring-playbook-jitsi.md
+++ b/docs/configuring-playbook-jitsi.md
@ -41,13 +41,23 @@ If you're fine with such an open Jitsi instance, please skip to [Apply changes](

 If you would like to control who is allowed to open meetings on your new Jitsi instance, then please follow this step to enable Jitsi's authentication and guests mode. With authentication enabled, all meeting rooms have to be opened by a registered user, after which guests are free to join. If a registered host is not yet present, guests are put on hold in individual waiting rooms.

-Add these two lines to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration:
+Add these lines to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration:

 ```yaml
 matrix_jitsi_enable_auth: true
 matrix_jitsi_enable_guests: true
+matrix_jitsi_prosody_auth_internal_accounts:
+  - username: "jitsi-moderator"
+    password: "secret-password"
+  - username: "another-user"
+    password: "another-password"
 ```

+**Caution:** Accounts added here and subsquently removed will not be automatically removed from the Prosody server until user account cleaning is integrated into the playbook.
+
+**If you get an error** like this: "Error: Account creation/modification not supported.", it's likely that you had previously installed Jitsi without auth/guest support. In such a case, you should look into [Rebuilding your Jitsi installation](#rebuilding-your-jitsi-installation).
+
+
 ### (Optional) LDAP authentication

 The default authentication mode of Jitsi is `internal`, however LDAP is also supported. An example LDAP configuration could be:
@ -122,19 +132,6 @@ You may want to **limit the maximum video resolution**, to save up resources on

 Then re-run the playbook: `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`

-## Required if configuring Jitsi with internal authentication: register new users
-
-Until this gets integrated into the playbook, we need to register new users / meeting hosts for Jitsi manually.
-Please SSH into your matrix host machine and execute the following command targeting the `matrix-jitsi-prosody` container:
-
-```bash
-docker exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua register <USERNAME> meet.jitsi <PASSWORD>
-```
-
-Run this command for each user you would like to create, replacing `<USERNAME>` and `<PASSWORD>` accordingly. After you've finished, please exit the host.
-
-**If you get an error** like this: "Error: Account creation/modification not supported.", it's likely that you had previously installed Jitsi without auth/guest support. In such a case, you should look into [Rebuilding your Jitsi installation](#rebuilding-your-jitsi-installation).
-

 ## Usage

--- a/docs/configuring-playbook-matrix-corporal.md
+++ b/docs/configuring-playbook-matrix-corporal.md
@ -37,6 +37,7 @@ matrix_synapse_ext_password_provider_rest_auth_endpoint: "http://matrix-corporal

 matrix_corporal_enabled: true

+# See below for an example of how to use a locally-stored static policy
 matrix_corporal_policy_provider_config: |
  {
    "Type": "http",
@ -74,10 +75,48 @@ Matrix Corporal operates with a specific Matrix user on your server.
 By default, it's `matrix-corporal` (controllable by the `matrix_corporal_reconciliation_user_id_local_part` setting, see above).
 No matter what Matrix user id you configure to run it with, make sure that:

- the Matrix Corporal user is created by [registering it](registering-users.md). Use a password you remember, as you'll need to log in from time to time to create or join rooms
+- the Matrix Corporal user is created by [registering it](registering-users.md) **with administrator privileges**. Use a password you remember, as you'll need to log in from time to time to create or join rooms

 - the Matrix Corporal user is joined and has Admin/Moderator-level access to any rooms you want it to manage

+### Using a locally-stored static policy
+
+If you'd like to use a [static policy file](https://github.com/devture/matrix-corporal/blob/master/docs/policy-providers.md#static-file-pull-style-policy-provider), you can use a configuration like this:
+
+```yaml
+matrix_corporal_policy_provider_config: |
+  {
+    "Type": "static_file",
+    "Path": "/etc/matrix-corporal/policy.json"
+  }
+
+# Modify the policy below as you see fit
+matrix_aux_file_definitions:
+  - dest: "{{ matrix_corporal_config_dir_path }}/policy.json"
+    content: |
+      {
+        "schemaVersion": 1,
+        "identificationStamp": "stamp-1",
+        "flags": {
+          "allowCustomUserDisplayNames": false,
+          "allowCustomUserAvatars": false,
+          "forbidRoomCreation": false,
+          "forbidEncryptedRoomCreation": true,
+          "forbidUnencryptedRoomCreation": false,
+          "allowCustomPassthroughUserPasswords": true,
+          "allowUnauthenticatedPasswordResets": false,
+          "allow3pidLogin": false
+        },
+        "managedCommunityIds": [],
+        "managedRoomIds": [],
+        "users": []
+      }
+```
+
+To learn more about what the policy configuration, see the matrix-corporal documentation on [policy](https://github.com/devture/matrix-corporal/blob/master/docs/policy.md).
+
+Each time you update the policy in your `vars.yml` file, you'd need to re-run the playbook and restart matrix-corporal (`--tags=setup-all,start` or `--tags=setup-aux-files,setup-corporal,start`).
+

 ## Matrix Corporal files

--- a/docs/configuring-playbook-own-webserver.md
+++ b/docs/configuring-playbook-own-webserver.md
@ -111,6 +111,9 @@ matrix_coturn_enabled: false

 # Trust the reverse proxy to send the correct `X-Forwarded-Proto` header as it is handling the SSL connection.
 matrix_nginx_proxy_trust_forwarded_proto: true
+
+# Trust and use the other reverse proxy's `X-Forwarded-For` header.
+matrix_nginx_proxy_x_forwarded_for: '$proxy_add_x_forwarded_for'
 ```

 With this, nginx would still be in use, but it would not bother with anything SSL related or with taking up public ports.
@ -136,6 +139,12 @@ matrix_nginx_proxy_https_enabled: false
 matrix_nginx_proxy_container_http_host_bind_port: ''
 matrix_nginx_proxy_container_federation_host_bind_port: ''

+# Trust the reverse proxy to send the correct `X-Forwarded-Proto` header as it is handling the SSL connection.
+matrix_nginx_proxy_trust_forwarded_proto: true
+
+# Trust and use the other reverse proxy's `X-Forwarded-For` header.
+matrix_nginx_proxy_x_forwarded_for: '$proxy_add_x_forwarded_for'
+
 # Disable Coturn because it needs SSL certs
 # (Clients can, though exposing IP address, use Matrix.org TURN)
 matrix_coturn_enabled: false
--- a/docs/configuring-playbook-prometheus-grafana.md
+++ b/docs/configuring-playbook-prometheus-grafana.md
@ -55,7 +55,7 @@ Name | Description
 `matrix_synapse_metrics_enabled`|Set this to `true` to make Synapse expose metrics (locally, on the container network)
 `matrix_nginx_proxy_proxy_synapse_metrics`|Set this to `true` to make matrix-nginx-proxy expose the Synapse metrics at `https://matrix.DOMAIN/_synapse/metrics`
 `matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled`|Set this to `true` to password-protect (using HTTP Basic Auth) `https://matrix.DOMAIN/_synapse/metrics` (the username is always `prometheus`, the password is defined in `matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key`)
-`matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key`|Set this to a password to use for HTTP Basic Auth for protecting `https://matrix.DOMAIN/_synapse/metrics` (the username is always `prometheus` - it's not configurable)
+`matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key`|Set this to a password to use for HTTP Basic Auth for protecting `https://matrix.DOMAIN/_synapse/metrics` (the username is always `prometheus` - it's not configurable). Do not write the password in plain text. See `man 1 htpasswd` or use `htpasswd -c mypass.htpasswd prometheus` to generate the expected hash for nginx. 
 `matrix_server_fqn_grafana`|Use this variable to override the domain at which the Grafana web user-interface is at (defaults to `stats.DOMAIN`)

 ### Collecting worker metrics to an external Prometheus server
--- a/docs/importing-postgres.md
+++ b/docs/importing-postgres.md
@ -12,7 +12,8 @@ If your database name differs, be sure to change `matrix_synapse_database_databa

 The playbook supports importing Postgres dump files in **text** (e.g. `pg_dump > dump.sql`) or **gzipped** formats (e.g. `pg_dump | gzip -c > dump.sql.gz`).

-Importing multiple databases (as dumped by `pg_dumpall`) is also supported.
+Importing multiple databases (as dumped by `pg_dumpall`) is also supported.  
+But the migration might be a good moment, to "reset" a not properly working bridge. Be aware, that it might affect all users (new link to bridge, new roomes, ...)

 Before doing the actual import, **you need to upload your Postgres dump file to the server** (any path is okay).

@ -32,6 +33,7 @@ ansible-playbook -i inventory/hosts setup.yml \

 ## Troubleshooting

+### Table Ownership
 A table ownership issue can occur if you are importing from a Synapse installation which was both:

 - migrated from SQLite to Postgres, and
@ -48,7 +50,7 @@ where `synapse_user` is the database username from the previous Synapse installa
 This can be verified by examining the dump for ALTER TABLE statements which set OWNER TO that username:

 ```Shell
-$ grep "ALTER TABLE" homeserver.sql"
+$ grep "ALTER TABLE" homeserver.sql
 ALTER TABLE public.access_tokens OWNER TO synapse_user;
 ALTER TABLE public.account_data OWNER TO synapse_user;
 ALTER TABLE public.account_data_max_stream_id OWNER TO synapse_user;
@ -60,10 +62,10 @@ ALTER TABLE public.application_services_state OWNER TO synapse_user;
 It can be worked around by changing the username to `synapse`, for example by using `sed`:

 ```Shell
-$ sed -i "s/synapse_user/synapse/g" homeserver.sql
+$ sed -i "s/OWNER TO synapse_user;/OWNER TO synapse;/g" homeserver.sql
 ```

-This uses sed to perform an 'in-place' (`-i`) replacement globally (`/g`), searching for `synapse user` and replacing with `synapse` (`s/synapse_user/synapse`). If your database username was different, change `synapse_user` to that username instead.
+This uses sed to perform an 'in-place' (`-i`) replacement globally (`/g`), searching for `synapse_user` and replacing with `synapse` (`s/synapse_user/synapse`). If your database username was different, change `synapse_user` to that username instead. Expand search/replace statement as shown in example above, in case of old user name like `matrix` - replacing `matrix` only would... well - you can imagine.

 Note that if the previous import failed with an error it may have made changes which are incompatible with re-running the import task right away; if you do so it may fail with an error such as:

@ -71,6 +73,8 @@ Note that if the previous import failed with an error it may have made changes w
 ERROR:  relation \"access_tokens\" already exists
 ```

+### Repeat import
+
 In this case you can use the command suggested in the import task to clear the database before retrying the import:

 ```Shell
@ -79,4 +83,20 @@ In this case you can use the command suggested in the import task to clear the d
 # systemctl start matrix-postgres
 ```

-Once the database is clear and the ownership of the tables has been fixed in the SQL file, the import task should succeed.
+Now on your local machine run `ansible-playbook -i inventory/hosts setup.yml --tags=setup-postgres` to prepare the database roles etc.
+
+If not, you probably get this error. `synapse` is the correct table owner, but the role is missing in database.
+```
+"ERROR:  role synapse does not exist"
+```
+
+Once the database is clear and the ownership of the tables has been fixed in the SQL file, the import task should succeed.  
+Check, if `--dbname` is set to `synapse` (not `matrix`) and replace paths (or even better, copy this line from your terminal)
+
+```
+/usr/bin/env docker run --rm --name matrix-postgres-import --log-driver=none --user=998:1001 --cap-drop=ALL --network=matrix --env-file=/matrix/postgres/env-postgres-psql --mount type=bind,src=/migration/synapse_dump.sql,dst=/synapse_dump.sql,ro --entrypoint=/bin/sh docker.io/postgres:14.1-alpine -c "cat /synapse_dump.sql | grep -vE '^(CREATE|ALTER) ROLE (matrix)(;| WITH)' | grep -vE '^CREATE DATABASE (matrix)\s' | psql -v ON_ERROR_STOP=1 -h matrix-postgres --dbname=synapse"
+```
+
+### Hints
+
+To open psql terminal run `/usr/local/bin/matrix-postgres-cli`
--- a/docs/self-building.md
+++ b/docs/self-building.md
@ -18,6 +18,7 @@ List of roles where self-building the Docker image is currently possible:
 - `matrix-registration`
 - `matrix-coturn`
 - `matrix-corporal`
+- `matrix-dimension`
 - `matrix-ma1sd`
 - `matrix-mailer`
 - `matrix-bridge-appservice-irc`
--- a/examples/caddy/matrix-synapse
+++ b/examples/caddy/matrix-synapse
@ -5,7 +5,7 @@ https://matrix.DOMAIN {

 	root /matrix/static-files

-	header {
+	header / {
 		Access-Control-Allow-Origin *
 		Strict-Transport-Security "mag=age=31536000;"
 		X-Frame-Options "DENY"
@ -13,10 +13,10 @@ https://matrix.DOMAIN {
 	}

 	# Identity server traffic
-	proxy /_matrix/identity matrix-msisd:8090 {
+	proxy /_matrix/identity matrix-ma1sd:8090 {
 		transparent
 	}
-	proxy /_matrix/client/r0/user_directory/search matrix-msisd:8090 {
+	proxy /_matrix/client/r0/user_directory/search matrix-ma1sd:8090 {
 		transparent
 	}

--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@ -19,9 +19,9 @@ matrix_container_global_registry_prefix: "docker.io/"

 matrix_identity_server_url: "{{ ('https://' + matrix_server_fqn_matrix) if matrix_ma1sd_enabled else None }}"

-# If Synapse workers are enabled and matrix-nginx-proxy is disabled, certain APIs may not work over 'http://matrix-synapse:8008'.
+# If Synapse workers are enabled and matrix-nginx-proxy is disabled, certain APIs may not work over 'http://matrix-synapse:{{ matrix_synapse_container_client_api_port }}'.
 # This is because we explicitly disable them for the main Synapse process.
-matrix_homeserver_container_url: "{{ 'http://matrix-nginx-proxy:12080' if matrix_nginx_proxy_enabled else 'http://matrix-synapse:8008' }}"
+matrix_homeserver_container_url: "{{ 'http://matrix-nginx-proxy:12080' if matrix_nginx_proxy_enabled else 'http://matrix-synapse:'+ matrix_synapse_container_client_api_port|string }}"

 ######################################################################
 #
@ -79,14 +79,14 @@ matrix_appservice_discord_systemd_required_services_list: |
    (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
  }}

-matrix_appservice_discord_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'discord.as.token') | to_uuid }}"
+matrix_appservice_discord_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'discord.as.token') | to_uuid }}"

-matrix_appservice_discord_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'discord.hs.token') | to_uuid }}"
+matrix_appservice_discord_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'discord.hs.token') | to_uuid }}"

 # We only make this use Postgres if our own Postgres server is enabled.
 # It's only then (for now) that we can automatically create the necessary database and user for this service.
 matrix_appservice_discord_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
-matrix_appservice_discord_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.discord.db') | to_uuid }}"
+matrix_appservice_discord_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'as.discord.db') | to_uuid }}"

 ######################################################################
 #
@ -111,11 +111,12 @@ matrix_appservice_webhooks_container_image_self_build: "{{ matrix_architecture !
 # matrix-appservice-webhooks' client-server port to the local host.
 matrix_appservice_webhooks_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else ('127.0.0.1:' ~ matrix_appservice_webhooks_matrix_port) }}"

-matrix_appservice_webhooks_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'webhook.as.token') | to_uuid }}"
+matrix_appservice_webhooks_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'webhook.as.token') | to_uuid }}"

-matrix_appservice_webhooks_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'webhook.hs.token') | to_uuid }}"
+matrix_appservice_webhooks_homeserver_url: "{{ matrix_homeserver_container_url }}"
+matrix_appservice_webhooks_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'webhook.hs.token') | to_uuid }}"

-matrix_appservice_webhooks_id_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'webhook.id.token') | to_uuid }}"
+matrix_appservice_webhooks_id_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'webhook.id.token') | to_uuid }}"

 matrix_appservice_webhooks_systemd_required_services_list: |
  {{
@ -149,11 +150,12 @@ matrix_appservice_slack_container_self_build: "{{ matrix_architecture != 'amd64'
 # matrix-appservice-slack's client-server port to the local host.
 matrix_appservice_slack_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else ('127.0.0.1:' ~ matrix_appservice_slack_slack_port) }}"

-matrix_appservice_slack_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'slack.as.token') | to_uuid }}"
+matrix_appservice_slack_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'slack.as.token') | to_uuid }}"

-matrix_appservice_slack_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'slack.hs.token') | to_uuid }}"
+matrix_appservice_slack_homeserver_url: "{{ matrix_homeserver_container_url }}"
+matrix_appservice_slack_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'slack.hs.token') | to_uuid }}"

-matrix_appservice_slack_id_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'slack.id.token') | to_uuid }}"
+matrix_appservice_slack_id_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'slack.id.token') | to_uuid }}"

 matrix_appservice_slack_systemd_required_services_list: |
  {{
@ -166,7 +168,7 @@ matrix_appservice_slack_systemd_required_services_list: |

 # Postgres is the default, except if not using `matrix_postgres` (internal postgres)
 matrix_appservice_slack_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'nedb' }}"
-matrix_appservice_slack_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.slack.db') | to_uuid }}"
+matrix_appservice_slack_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'as.slack.db') | to_uuid }}"

 ######################################################################
 #
@ -203,12 +205,12 @@ matrix_appservice_irc_systemd_required_services_list: |
    (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
  }}

-matrix_appservice_irc_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'irc.as.token') | to_uuid }}"
+matrix_appservice_irc_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'irc.as.token') | to_uuid }}"

-matrix_appservice_irc_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'irc.hs.token') | to_uuid }}"
+matrix_appservice_irc_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'irc.hs.token') | to_uuid }}"

 matrix_appservice_irc_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'nedb' }}"
-matrix_appservice_irc_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.irc.db') | to_uuid }}"
+matrix_appservice_irc_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'as.irc.db') | to_uuid }}"


 ######################################################################
@ -238,15 +240,15 @@ matrix_beeper_linkedin_systemd_required_services_list: |
    (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
  }}

-matrix_beeper_linkedin_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'linked.as.token') | to_uuid }}"
+matrix_beeper_linkedin_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'linked.as.token') | to_uuid }}"

-matrix_beeper_linkedin_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'linked.hs.token') | to_uuid }}"
+matrix_beeper_linkedin_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'linked.hs.token') | to_uuid }}"

 matrix_beeper_linkedin_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"

 matrix_beeper_linkedin_bridge_presence: "{{ matrix_synapse_presence_enabled if matrix_synapse_enabled else true }}"

-matrix_beeper_linkedin_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'maulinkedin.db') | to_uuid }}"
+matrix_beeper_linkedin_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'maulinkedin.db') | to_uuid }}"

 ######################################################################
 #
@ -276,9 +278,9 @@ matrix_mautrix_facebook_systemd_required_services_list: |
    (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
  }}

-matrix_mautrix_facebook_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'fb.as.token') | to_uuid }}"
+matrix_mautrix_facebook_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'fb.as.token') | to_uuid }}"

-matrix_mautrix_facebook_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'fb.hs.token') | to_uuid }}"
+matrix_mautrix_facebook_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'fb.hs.token') | to_uuid }}"

 matrix_mautrix_facebook_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"

@ -287,7 +289,7 @@ matrix_mautrix_facebook_bridge_presence: "{{ matrix_synapse_presence_enabled if
 # We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain
 # and point them to a migration path.
 matrix_mautrix_facebook_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
-matrix_mautrix_facebook_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.fb.db') | to_uuid }}"
+matrix_mautrix_facebook_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mau.fb.db') | to_uuid }}"

 ######################################################################
 #
@ -318,9 +320,9 @@ matrix_mautrix_hangouts_systemd_required_services_list: |
    (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
  }}

-matrix_mautrix_hangouts_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'ho.as.token') | to_uuid }}"
+matrix_mautrix_hangouts_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'ho.as.token') | to_uuid }}"

-matrix_mautrix_hangouts_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'ho.hs.token') | to_uuid }}"
+matrix_mautrix_hangouts_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'ho.hs.token') | to_uuid }}"

 matrix_mautrix_hangouts_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9007' }}"

@ -328,7 +330,7 @@ matrix_mautrix_hangouts_login_shared_secret: "{{ matrix_synapse_ext_password_pro

 # Postgres is the default, except if not using `matrix_postgres` (internal postgres)
 matrix_mautrix_hangouts_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
-matrix_mautrix_hangouts_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.hangouts.db') | to_uuid }}"
+matrix_mautrix_hangouts_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mau.hangouts.db') | to_uuid }}"

 ######################################################################
 #
@ -359,9 +361,9 @@ matrix_mautrix_googlechat_systemd_required_services_list: |
    (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
  }}

-matrix_mautrix_googlechat_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'gc.as.token') | to_uuid }}"
+matrix_mautrix_googlechat_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'gc.as.token') | to_uuid }}"

-matrix_mautrix_googlechat_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'gc.hs.token') | to_uuid }}"
+matrix_mautrix_googlechat_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'gc.hs.token') | to_uuid }}"

 matrix_mautrix_googlechat_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9007' }}"

@ -369,7 +371,7 @@ matrix_mautrix_googlechat_login_shared_secret: "{{ matrix_synapse_ext_password_p

 # Postgres is the default, except if not using `matrix_postgres` (internal postgres)
 matrix_mautrix_googlechat_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
-matrix_mautrix_googlechat_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.gc.db') | to_uuid }}"
+matrix_mautrix_googlechat_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mau.gc.db') | to_uuid }}"

 ######################################################################
 #
@ -400,9 +402,9 @@ matrix_mautrix_instagram_systemd_required_services_list: |
    (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
  }}

-matrix_mautrix_instagram_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'ig.as.token') | to_uuid }}"
+matrix_mautrix_instagram_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'ig.as.token') | to_uuid }}"

-matrix_mautrix_instagram_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'ig.hs.token') | to_uuid }}"
+matrix_mautrix_instagram_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'ig.hs.token') | to_uuid }}"

 matrix_mautrix_instagram_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"

@ -411,7 +413,7 @@ matrix_mautrix_instagram_bridge_presence: "{{ matrix_synapse_presence_enabled if
 # We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain
 # and point them to a migration path.
 matrix_mautrix_instagram_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
-matrix_mautrix_instagram_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.ig.db') | to_uuid }}"
+matrix_mautrix_instagram_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mau.ig.db') | to_uuid }}"

 ######################################################################
 #
@ -446,14 +448,14 @@ matrix_mautrix_signal_homeserver_domain: '{{ matrix_domain }}'

 matrix_mautrix_signal_homeserver_address: "{{ matrix_homeserver_container_url }}"

-matrix_mautrix_signal_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'si.hs.token') | to_uuid }}"
+matrix_mautrix_signal_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'si.hs.token') | to_uuid }}"

-matrix_mautrix_signal_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'si.as.token') | to_uuid }}"
+matrix_mautrix_signal_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'si.as.token') | to_uuid }}"

 matrix_mautrix_signal_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"

 matrix_mautrix_signal_database_engine: 'postgres'
-matrix_mautrix_signal_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.signal.db') | to_uuid }}"
+matrix_mautrix_signal_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mau.signal.db') | to_uuid }}"

 matrix_mautrix_signal_container_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}"
 matrix_mautrix_signal_daemon_container_self_build: "{{ matrix_architecture != 'amd64' }}"
@ -489,11 +491,11 @@ matrix_mautrix_telegram_systemd_required_services_list: |
    (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
  }}

-matrix_mautrix_telegram_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'telegr.as.token') | to_uuid }}"
+matrix_mautrix_telegram_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'telegr.as.token') | to_uuid }}"

-matrix_mautrix_telegram_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'telegr.hs.token') | to_uuid }}"
+matrix_mautrix_telegram_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'telegr.hs.token') | to_uuid }}"

-matrix_mautrix_telegram_public_endpoint: "/{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'telegram') | to_uuid }}"
+matrix_mautrix_telegram_public_endpoint: "/{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'telegram') | to_uuid }}"

 matrix_mautrix_telegram_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9006' }}"

@ -501,7 +503,7 @@ matrix_mautrix_telegram_login_shared_secret: "{{ matrix_synapse_ext_password_pro

 # Postgres is the default, except if not using `matrix_postgres` (internal postgres)
 matrix_mautrix_telegram_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
-matrix_mautrix_telegram_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.telegram.db') | to_uuid }}"
+matrix_mautrix_telegram_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mau.telegram.db') | to_uuid }}"

 ######################################################################
 #
@ -531,15 +533,15 @@ matrix_mautrix_whatsapp_systemd_required_services_list: |
    (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
  }}

-matrix_mautrix_whatsapp_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'whats.as.token') | to_uuid }}"
+matrix_mautrix_whatsapp_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'whats.as.token') | to_uuid }}"

-matrix_mautrix_whatsapp_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'whats.hs.token') | to_uuid }}"
+matrix_mautrix_whatsapp_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'whats.hs.token') | to_uuid }}"

 matrix_mautrix_whatsapp_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"

 # Postgres is the default, except if not using `matrix_postgres` (internal postgres)
 matrix_mautrix_whatsapp_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
-matrix_mautrix_whatsapp_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mauwhatsapp.db') | to_uuid }}"
+matrix_mautrix_whatsapp_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mauwhatsapp.db') | to_uuid }}"

 ######################################################################
 #
@ -565,9 +567,10 @@ matrix_sms_bridge_systemd_required_services_list: |
    (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
  }}

-matrix_sms_bridge_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'sms.as.token') | to_uuid }}"
+matrix_sms_bridge_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'sms.as.token') | to_uuid }}"

-matrix_sms_bridge_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'sms.hs.token') | to_uuid }}"
+matrix_sms_bridge_homeserver_port: "{{ matrix_synapse_container_client_api_port }}"
+matrix_sms_bridge_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'sms.hs.token') | to_uuid }}"

 ######################################################################
 #
@ -584,9 +587,9 @@ matrix_sms_bridge_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | pas
 # We don't enable bridges by default.
 matrix_heisenbridge_enabled: false

-matrix_heisenbridge_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'heisen.as.tok') | to_uuid }}"
+matrix_heisenbridge_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'heisen.as.tok') | to_uuid }}"

-matrix_heisenbridge_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'heisen.hs.tok') | to_uuid }}"
+matrix_heisenbridge_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'heisen.hs.tok') | to_uuid }}"

 matrix_heisenbridge_systemd_wanted_services_list: |
  {{
@ -623,15 +626,15 @@ matrix_mx_puppet_skype_systemd_required_services_list: |
    (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
  }}

-matrix_mx_puppet_skype_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'skype.as.tok') | to_uuid }}"
+matrix_mx_puppet_skype_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'skype.as.tok') | to_uuid }}"

-matrix_mx_puppet_skype_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'skype.hs.tok') | to_uuid }}"
+matrix_mx_puppet_skype_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'skype.hs.tok') | to_uuid }}"

 matrix_mx_puppet_skype_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"

 # Postgres is the default, except if not using `matrix_postgres` (internal postgres)
 matrix_mx_puppet_skype_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
-matrix_mx_puppet_skype_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup.skype.db') | to_uuid }}"
+matrix_mx_puppet_skype_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxpup.skype.db') | to_uuid }}"

 ######################################################################
 #
@ -662,15 +665,15 @@ matrix_mx_puppet_slack_systemd_required_services_list: |
    (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
  }}

-matrix_mx_puppet_slack_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxslk.as.tok') | to_uuid }}"
+matrix_mx_puppet_slack_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxslk.as.tok') | to_uuid }}"

-matrix_mx_puppet_slack_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxslk.hs.tok') | to_uuid }}"
+matrix_mx_puppet_slack_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxslk.hs.tok') | to_uuid }}"

 matrix_mx_puppet_slack_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"

 # Postgres is the default, except if not using `matrix_postgres` (internal postgres)
 matrix_mx_puppet_slack_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
-matrix_mx_puppet_slack_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup.slack.db') | to_uuid }}"
+matrix_mx_puppet_slack_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxpup.slack.db') | to_uuid }}"

 ######################################################################
 #
@ -700,9 +703,9 @@ matrix_mx_puppet_twitter_systemd_required_services_list: |
    (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
  }}

-matrix_mx_puppet_twitter_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxtwt.as.tok') | to_uuid }}"
+matrix_mx_puppet_twitter_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxtwt.as.tok') | to_uuid }}"

-matrix_mx_puppet_twitter_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxtwt.hs.tok') | to_uuid }}"
+matrix_mx_puppet_twitter_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxtwt.hs.tok') | to_uuid }}"

 matrix_mx_puppet_twitter_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"

@ -710,7 +713,7 @@ matrix_mx_puppet_twitter_container_http_host_bind_port: "{{ '' if matrix_nginx_p

 # Postgres is the default, except if not using `matrix_postgres` (internal postgres)
 matrix_mx_puppet_twitter_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
-matrix_mx_puppet_twitter_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup.twitter.db') | to_uuid }}"
+matrix_mx_puppet_twitter_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxpup.twitter.db') | to_uuid }}"

 ######################################################################
 #
@ -741,15 +744,15 @@ matrix_mx_puppet_instagram_systemd_required_services_list: |
    (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
  }}

-matrix_mx_puppet_instagram_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxig.as.tok') | to_uuid }}"
+matrix_mx_puppet_instagram_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxig.as.tok') | to_uuid }}"

-matrix_mx_puppet_instagram_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxig.hs.tok') | to_uuid }}"
+matrix_mx_puppet_instagram_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxig.hs.tok') | to_uuid }}"

 matrix_mx_puppet_instagram_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"

 # Postgres is the default, except if not using `matrix_postgres` (internal postgres)
 matrix_mx_puppet_instagram_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
-matrix_mx_puppet_instagram_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup.ig.db') | to_uuid }}"
+matrix_mx_puppet_instagram_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxpup.ig.db') | to_uuid }}"

 ######################################################################
 #
@ -779,15 +782,15 @@ matrix_mx_puppet_discord_systemd_required_services_list: |
    (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
  }}

-matrix_mx_puppet_discord_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxdsc.as.tok') | to_uuid }}"
+matrix_mx_puppet_discord_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxdsc.as.tok') | to_uuid }}"

-matrix_mx_puppet_discord_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxdsc.hs.tok') | to_uuid }}"
+matrix_mx_puppet_discord_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxdsc.hs.tok') | to_uuid }}"

 matrix_mx_puppet_discord_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"

 # Postgres is the default, except if not using `matrix_postgres` (internal postgres)
 matrix_mx_puppet_discord_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
-matrix_mx_puppet_discord_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup.dsc.db') | to_uuid }}"
+matrix_mx_puppet_discord_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxpup.dsc.db') | to_uuid }}"

 ######################################################################
 #
@ -817,15 +820,15 @@ matrix_mx_puppet_steam_systemd_required_services_list: |
    (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
  }}

-matrix_mx_puppet_steam_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxste.as.tok') | to_uuid }}"
+matrix_mx_puppet_steam_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxste.as.tok') | to_uuid }}"

-matrix_mx_puppet_steam_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxste.hs.tok') | to_uuid }}"
+matrix_mx_puppet_steam_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxste.hs.tok') | to_uuid }}"

 matrix_mx_puppet_steam_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"

 # Postgres is the default, except if not using `matrix_postgres` (internal postgres)
 matrix_mx_puppet_steam_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
-matrix_mx_puppet_steam_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup.steam.db') | to_uuid }}"
+matrix_mx_puppet_steam_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxpup.steam.db') | to_uuid }}"

 ######################################################################
 #
@ -855,15 +858,15 @@ matrix_mx_puppet_groupme_systemd_required_services_list: |
    (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
  }}

-matrix_mx_puppet_groupme_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxgro.as.tok') | to_uuid }}"
+matrix_mx_puppet_groupme_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxgro.as.tok') | to_uuid }}"

-matrix_mx_puppet_groupme_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxgro.hs.tok') | to_uuid }}"
+matrix_mx_puppet_groupme_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxgro.hs.tok') | to_uuid }}"

 matrix_mx_puppet_groupme_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"

 # Postgres is the default, except if not using `matrix_postgres` (internal postgres)
 matrix_mx_puppet_groupme_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
-matrix_mx_puppet_groupme_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup.groupme.db') | to_uuid }}"
+matrix_mx_puppet_groupme_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxpup.groupme.db') | to_uuid }}"

 ######################################################################
 #
@ -893,7 +896,7 @@ matrix_bot_matrix_reminder_bot_systemd_required_services_list: |

 # Postgres is the default, except if not using `matrix_postgres` (internal postgres)
 matrix_bot_matrix_reminder_bot_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
-matrix_bot_matrix_reminder_bot_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'reminder.bot.db') | to_uuid }}"
+matrix_bot_matrix_reminder_bot_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'reminder.bot.db') | to_uuid }}"
 matrix_bot_matrix_reminder_bot_container_self_build: "{{ matrix_architecture != 'amd64' }}"

 ######################################################################
@ -1042,11 +1045,15 @@ matrix_coturn_container_additional_volumes: |

 matrix_dimension_enabled: false

+matrix_dimension_container_image_self_build: "{{ matrix_architecture != 'amd64' }}"
+
 # Normally, matrix-nginx-proxy is enabled and nginx can reach Dimension over the container network.
 # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
 # the Dimension HTTP port to the local host.
 matrix_dimension_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8184' }}"

+matrix_dimension_homeserver_federationUrl: "http://matrix-synapse:{{matrix_synapse_container_federation_api_plain_port|string}}"
+
 matrix_integration_manager_rest_url: "{{ matrix_dimension_integrations_rest_url if matrix_dimension_enabled else None }}"
 matrix_integration_manager_ui_url: "{{ matrix_dimension_integrations_ui_url if matrix_dimension_enabled else None }}"

@ -1063,7 +1070,7 @@ matrix_dimension_systemd_required_services_list: |

 # Postgres is the default, except if not using `matrix_postgres` (internal postgres)
 matrix_dimension_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
-matrix_dimension_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'dimension.db') | to_uuid }}"
+matrix_dimension_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'dimension.db') | to_uuid }}"

 ######################################################################
 #
@ -1088,7 +1095,7 @@ matrix_etherpad_systemd_required_services_list: |
    (['matrix-postgres.service'] if matrix_postgres_enabled else [])
  }}

-matrix_etherpad_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'etherpad.db') | to_uuid }}"
+matrix_etherpad_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'etherpad.db') | to_uuid }}"

 ######################################################################
 #
@ -1147,9 +1154,9 @@ matrix_jitsi_jvb_container_colibri_ws_host_bind_port: "{{ '' if matrix_nginx_pro

 matrix_jitsi_prosody_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:5280' }}"

-matrix_jitsi_jibri_xmpp_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'jibri') | to_uuid }}"
-matrix_jitsi_jicofo_auth_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'jicofo') | to_uuid }}"
-matrix_jitsi_jvb_auth_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'jvb') | to_uuid }}"
+matrix_jitsi_jibri_xmpp_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'jibri') | to_uuid }}"
+matrix_jitsi_jicofo_auth_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'jicofo') | to_uuid }}"
+matrix_jitsi_jvb_auth_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'jvb') | to_uuid }}"

 matrix_jitsi_web_stun_servers: |
  {{
@ -1212,7 +1219,8 @@ matrix_ma1sd_container_image_self_build: "{{ matrix_architecture != 'amd64' }}"
 # Normally, matrix-nginx-proxy is enabled and nginx can reach ma1sd over the container network.
 # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
 # ma1sd's web-server port.
-matrix_ma1sd_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8090' }}"
+matrix_ma1sd_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:' + matrix_ma1sd_container_port|string }}"
+

 # We enable Synapse integration via its Postgres database by default.
 # When using another Identity store, you might wish to disable this and define
@ -1251,7 +1259,7 @@ matrix_ma1sd_systemd_wanted_services_list: |

 # Postgres is the default, except if not using `matrix_postgres` (internal postgres)
 matrix_ma1sd_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
-matrix_ma1sd_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'ma1sd.db') | to_uuid }}"
+matrix_ma1sd_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'ma1sd.db') | to_uuid }}"

 ######################################################################
 #
@ -1294,8 +1302,8 @@ matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corpor
 matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "127.0.0.1:41081"

 matrix_nginx_proxy_proxy_matrix_identity_api_enabled: "{{ matrix_ma1sd_enabled }}"
-matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:8090"
-matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:8090"
+matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}"
+matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}"

 # By default, we do TLS termination for the Matrix Federation API (port 8448) at matrix-nginx-proxy.
 # Unless this is handled there OR Synapse's federation listener port is disabled, we'll reverse-proxy.
@ -1306,6 +1314,12 @@ matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "127.0.0.1:1
 # Settings controlling matrix-synapse-proxy.conf
 matrix_nginx_proxy_proxy_synapse_enabled: "{{ matrix_synapse_enabled }}"

+matrix_nginx_proxy_proxy_synapse_client_api_addr_with_container: "matrix-synapse:{{ matrix_synapse_container_client_api_port }}"
+matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container: "127.0.0.1:{{ matrix_synapse_container_client_api_port }}"
+
+matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container: "matrix-synapse:{{matrix_synapse_container_federation_api_plain_port|string}}"
+matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container: "localhost:{{matrix_synapse_container_federation_api_plain_port|string}}"
+
 # When matrix-nginx-proxy is disabled, the actual port number that the vhost uses may begin to matter.
 matrix_nginx_proxy_proxy_matrix_federation_port: "{{ matrix_federation_public_port }}"

@ -1755,18 +1769,18 @@ matrix_synapse_container_image_self_build: "{{ matrix_architecture not in ['arm6

 # When ma1sd is enabled, we can use it to validate email addresses and phone numbers.
 # Synapse can validate email addresses by itself as well, but it's probably not what we want by default when we have an identity server.
-matrix_synapse_account_threepid_delegates_email: "{{ 'http://matrix-ma1sd:8090' if matrix_ma1sd_enabled else '' }}"
-matrix_synapse_account_threepid_delegates_msisdn: "{{ 'http://matrix-ma1sd:8090' if matrix_ma1sd_enabled else '' }}"
+matrix_synapse_account_threepid_delegates_email: "{{ 'http://matrix-ma1sd:' + matrix_ma1sd_container_port|string if matrix_ma1sd_enabled else '' }}"
+matrix_synapse_account_threepid_delegates_msisdn: "{{ 'http://matrix-ma1sd:' + matrix_ma1sd_container_port|string if matrix_ma1sd_enabled else '' }}"

 # Normally, matrix-nginx-proxy is enabled and nginx can reach Synapse over the container network.
 # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it,
 # you can expose Synapse's ports to the host.
 #
 # For exposing the Matrix Client API's port (plain HTTP) to the local host.
-matrix_synapse_container_client_api_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8008' }}"
+matrix_synapse_container_client_api_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:' + matrix_synapse_container_client_api_port|string }}"
 #
 # For exposing the Matrix Federation API's plain port (plain HTTP) to the local host.
-matrix_synapse_container_federation_api_plain_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8048' }}"
+matrix_synapse_container_federation_api_plain_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:' + matrix_synapse_container_federation_api_plain_port|string }}"
 #
 # For exposing the Matrix Federation API's TLS port (HTTPS) to the internet on all network interfaces.
 matrix_synapse_container_federation_api_tls_host_bind_port: "{{ matrix_federation_public_port if (matrix_synapse_federation_enabled and matrix_synapse_tls_federation_listener_enabled) else '' }}"
@ -1780,7 +1794,7 @@ matrix_synapse_container_manhole_api_host_bind_port: "{{ '127.0.0.1:9000' if mat
 # For exposing the Synapse worker (and metrics) ports to the local host.
 matrix_synapse_workers_container_host_bind_address: "{{ '127.0.0.1' if (matrix_synapse_workers_enabled and not matrix_nginx_proxy_enabled) else '' }}"

-matrix_synapse_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'synapse.db') | to_uuid }}"
+matrix_synapse_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'synapse.db') | to_uuid }}"

 # We do not enable TLS in Synapse by default.
 # TLS is handled by the matrix-nginx-proxy, which proxies the requests to Synapse.
@ -1931,7 +1945,7 @@ matrix_prometheus_scraper_postgres_targets: "{{ ['matrix-prometheus-postgres-exp
 ######################################################################

 matrix_prometheus_postgres_exporter_enabled: false
-matrix_prometheus_postgres_exporter_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'prometheus.pg.db') | to_uuid }}"
+matrix_prometheus_postgres_exporter_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'prometheus.pg.db') | to_uuid }}"

 matrix_prometheus_postgres_exporter_systemd_required_services_list: |
  {{
@ -2007,7 +2021,7 @@ matrix_registration_systemd_required_services_list: |

 # Postgres is the default, except if not using `matrix_postgres` (internal postgres)
 matrix_registration_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
-matrix_registration_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx.registr.db') | to_uuid }}"
+matrix_registration_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mx.registr.db') | to_uuid }}"

 ######################################################################
 #
--- a/roles/matrix-awx/scripts/matrix_build_room_list.py
+++ b/roles/matrix-awx/scripts/matrix_build_room_list.py
@ -5,10 +5,11 @@ import json

 janitor_token = sys.argv[1]
 synapse_container_ip = sys.argv[2]
+synapse_container_port = sys.argv[3]

 # collect total amount of rooms

-rooms_raw_url = 'http://' + synapse_container_ip + ':8008/_synapse/admin/v1/rooms'
+rooms_raw_url = 'http://' + synapse_container_ip + ':' + synapse_container_port + '/_synapse/admin/v1/rooms'
 rooms_raw_header = {'Authorization': 'Bearer ' + janitor_token}
 rooms_raw = requests.get(rooms_raw_url, headers=rooms_raw_header)
 rooms_raw_python = json.loads(rooms_raw.text)
@ -19,7 +20,7 @@ total_rooms = rooms_raw_python["total_rooms"]
 room_list_file = open("/tmp/room_list_complete.json", "w")

 for i in range(0, total_rooms, 100):
-  rooms_inc_url = 'http://' + synapse_container_ip + ':8008/_synapse/admin/v1/rooms?from=' + str(i)
+  rooms_inc_url = 'http://' + synapse_container_ip + ':' + synapse_container_port + '/_synapse/admin/v1/rooms?from=' + str(i)
  rooms_inc = requests.get(rooms_inc_url, headers=rooms_raw_header)
  room_list_file.write(rooms_inc.text)

--- a/roles/matrix-awx/surveys/bridge_discord_appservice.json.j2
+++ b/roles/matrix-awx/surveys/bridge_discord_appservice.json.j2
@ -15,7 +15,7 @@
      "type": "multiplechoice"
    },
    {
-      "question_name": "Discord Client ID",
+      "question_name": "Discord OAuth2 Client ID",
      "question_description": "The OAuth2 'CLIENT ID' which can be found in the 'OAuth2' tab of your new discord application: https://discord.com/developers/applications",
      "required": true,
      "min": 0,
--- a/roles/matrix-awx/tasks/purge_database_build_list.yml
+++ b/roles/matrix-awx/tasks/purge_database_build_list.yml
@ -1,11 +0,0 @@
---
-
- name: Collect entire room list into stdout
-  shell: |
-    curl -X GET --header "Authorization: Bearer {{ janitors_token.stdout[1:-1] }}" '{{ synapse_container_ip.stdout }}:8008/_synapse/admin/v1/rooms?from={{ item }}'
-  register: awx_rooms_output
-  
- name: Print stdout to file
-  delegate_to: 127.0.0.1
-  shell: |
-    echo '{{ awx_rooms_output.stdout }}' >> /tmp/{{ subscription_id }}_room_list_complete.json
--- a/roles/matrix-awx/tasks/purge_database_events.yml
+++ b/roles/matrix-awx/tasks/purge_database_events.yml
@ -2,11 +2,11 @@

 - name: Purge all rooms with more then N events
  shell: |
-    curl --header "Authorization: Bearer {{ awx_janitors_token.stdout[1:-1] }}" -X POST -H "Content-Type: application/json" -d '{ "delete_local_events": false, "purge_up_to_ts": {{ awx_purge_epoche_time.stdout }}000 }' "{{ awx_synapse_container_ip.stdout }}:8008/_synapse/admin/v1/purge_history/{{ item[1:-1] }}"
+    curl --header "Authorization: Bearer {{ awx_janitors_token.stdout[1:-1] }}" -X POST -H "Content-Type: application/json" -d '{ "delete_local_events": false, "purge_up_to_ts": {{ awx_purge_epoche_time.stdout }}000 }' "{{ awx_synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_synapse/admin/v1/purge_history/{{ item[1:-1] }}"
  register: awx_purge_command

 - name: Print output of purge command
-  debug: 
+  debug:
    msg: "{{ awx_purge_command.stdout }}"

 - name: Pause for 5 seconds to let Synapse breathe
--- a/roles/matrix-awx/tasks/purge_database_main.yml
+++ b/roles/matrix-awx/tasks/purge_database_main.yml
@ -29,9 +29,9 @@
  when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1)
  register: awx_synapse_container_ip

- name: Collect access token for janitor user
+- name: Collect access token for @_janitor user
  shell: |
-    curl -X POST -d '{"type":"m.login.password", "user":"janitor", "password":"{{ awx_janitor_user_password }}"}' "{{ awx_synapse_container_ip.stdout }}:8008/_matrix/client/r0/login" | jq '.access_token'
+    curl -X POST -d '{"type":"m.login.password", "user":"_janitor", "password":"{{ awx_janitor_user_password }}"}' "{{ awx_synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_matrix/client/r0/login" | jq '.access_token'
  when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1)
  register: awx_janitors_token
  no_log: True
@ -47,7 +47,7 @@

 - name: Run build_room_list.py script
  shell: |
-    runuser -u matrix -- python3 /usr/local/bin/matrix_build_room_list.py {{ awx_janitors_token.stdout[1:-1] }} {{ awx_synapse_container_ip.stdout }}
+    runuser -u matrix -- python3 /usr/local/bin/matrix_build_room_list.py {{ awx_janitors_token.stdout[1:-1] }} {{ awx_synapse_container_ip.stdout }} {{ matrix_synapse_container_client_api_port.stdout }}
  register: awx_rooms_total
  when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1)

@ -69,7 +69,7 @@
  shell: |
    jq 'try .rooms[] | select(.joined_local_members == 0) | .room_id' < /tmp/{{ subscription_id }}_room_list_complete.json > /tmp/{{ subscription_id }}_room_list_no_local_users.txt
  when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1)
-  
+
 - name: Count number of rooms with no local users
  delegate_to: 127.0.0.1
  shell: |
@ -84,7 +84,7 @@
  when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1)

 - name: Purge all rooms with no local users
-  include_tasks: purge_database_no_local.yml 
+  include_tasks: purge_database_no_local.yml
  loop: "{{ awx_room_list_no_local_users.splitlines() | flatten(levels=1) }}"
  when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1)

@ -116,7 +116,7 @@
  no_log: True

 - name: Purge all rooms with more then N users
-  include_tasks: purge_database_users.yml 
+  include_tasks: purge_database_users.yml
  loop: "{{ awx_room_list_joined_members.splitlines() | flatten(levels=1) }}"
  when: awx_purge_mode.find("Number of users [slower]") != -1

@ -141,7 +141,7 @@
  no_log: True

 - name: Purge all rooms with more then N events
-  include_tasks: purge_database_events.yml 
+  include_tasks: purge_database_events.yml
  loop: "{{ awx_room_list_state_events.splitlines() | flatten(levels=1) }}"
  when: awx_purge_mode.find("Number of events [slower]") != -1

@ -171,7 +171,7 @@
    wait: yes
    tower_host: "https://{{ awx_host }}"
    tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
-    validate_certs: yes 
+    validate_certs: yes
  when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) or (awx_purge_mode.find("Skip purging rooms [faster]") != -1)

 - name: Revert 'Deploy/Update a Server' job template
@ -237,7 +237,7 @@
    wait: yes
    tower_host: "https://{{ awx_host }}"
    tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
-    validate_certs: yes 
+    validate_certs: yes
  when: (awx_purge_mode.find("Perform final shrink") != -1)

 - name: Revert 'Deploy/Update a Server' job template
@ -272,7 +272,7 @@
  when: (awx_purge_mode.find("Perform final shrink") != -1)
  no_log: True

- name: Print total number of rooms processed 
+- name: Print total number of rooms processed
  debug:
    msg: '{{ awx_rooms_total.stdout }}'
  when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1)
--- a/roles/matrix-awx/tasks/purge_database_no_local.yml
+++ b/roles/matrix-awx/tasks/purge_database_no_local.yml
@ -2,11 +2,11 @@

 - name: Purge all rooms with no local users
  shell: |
-    curl --header "Authorization: Bearer {{ awx_janitors_token.stdout[1:-1] }}" -X POST -H "Content-Type: application/json" -d '{ "room_id": {{ item }} }' '{{ awx_synapse_container_ip.stdout }}:8008/_synapse/admin/v1/purge_room'
+    curl --header "Authorization: Bearer {{ awx_janitors_token.stdout[1:-1] }}" -X POST -H "Content-Type: application/json" -d '{ "room_id": {{ item }} }' '{{ awx_synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_synapse/admin/v1/purge_room'
  register: awx_purge_command
-  
+
 - name: Print output of purge command
-  debug: 
+  debug:
    msg: "{{ awx_purge_command.stdout }}"

 - name: Pause for 5 seconds to let Synapse breathe
--- a/roles/matrix-awx/tasks/purge_database_users.yml
+++ b/roles/matrix-awx/tasks/purge_database_users.yml
@ -2,11 +2,11 @@

 - name: Purge all rooms with more then N users
  shell: |
-    curl --header "Authorization: Bearer {{ awx_janitors_token.stdout[1:-1] }}" -X POST -H "Content-Type: application/json" -d '{ "delete_local_events": false, "purge_up_to_ts": {{ awx_purge_epoche_time.stdout }}000 }' "{{ awx_synapse_container_ip.stdout }}:8008/_synapse/admin/v1/purge_history/{{ item[1:-1] }}"
+    curl --header "Authorization: Bearer {{ awx_janitors_token.stdout[1:-1] }}" -X POST -H "Content-Type: application/json" -d '{ "delete_local_events": false, "purge_up_to_ts": {{ awx_purge_epoche_time.stdout }}000 }' "{{ awx_synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_synapse/admin/v1/purge_history/{{ item[1:-1] }}"
  register: awx_purge_command
-  
+
 - name: Print output of purge command
-  debug: 
+  debug:
    msg: "{{ awx_purge_command.stdout }}"

 - name: Pause for 5 seconds to let Synapse breathe
--- a/roles/matrix-awx/tasks/purge_media_local.yml
+++ b/roles/matrix-awx/tasks/purge_media_local.yml
@ -7,11 +7,11 @@

 - name: Purge local media to specific date
  shell: |
-    curl -X POST --header "Authorization: Bearer {{ awx_janitors_token.stdout[1:-1] }}" '{{ awx_synapse_container_ip.stdout }}:8008/_synapse/admin/v1/media/matrix.{{ matrix_domain }}/delete?before_ts={{ awx_epoche_time.stdout }}000'
+    curl -X POST --header "Authorization: Bearer {{ awx_janitors_token.stdout[1:-1] }}" '{{ awx_synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_synapse/admin/v1/media/matrix.{{ matrix_domain }}/delete?before_ts={{ awx_epoche_time.stdout }}000'
  register: awx_purge_command
-  
+
 - name: Print output of purge command
-  debug: 
+  debug:
    msg: "{{ awx_purge_command.stdout }}"

 - name: Pause for 5 seconds to let Synapse breathe
--- a/roles/matrix-awx/tasks/purge_media_main.yml
+++ b/roles/matrix-awx/tasks/purge_media_main.yml
@ -9,7 +9,7 @@
  include_vars:
    file: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
  no_log: True
-  
+
 - name: Ensure curl and jq intalled on target machine
  apt:
    pkg:
@ -21,21 +21,22 @@
  shell: "/usr/bin/docker inspect --format '{''{range.NetworkSettings.Networks}''}{''{.IPAddress}''}{''{end}''}' matrix-synapse"
  register: awx_synapse_container_ip

- name: Collect access token for janitor user
+- name: Collect access token for @_janitor user
  shell: |
-    curl -XPOST -d '{"type":"m.login.password", "user":"janitor", "password":"{{ awx_janitor_user_password }}"}' "{{ awx_synapse_container_ip.stdout }}:8008/_matrix/client/r0/login" | jq '.access_token'
+    curl -XPOST -d '{"type":"m.login.password", "user":"_janitor", "password":"{{ awx_janitor_user_password }}"}' "{{ awx_synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_matrix/client/r0/login" | jq '.access_token'
  register: awx_janitors_token
  no_log: True

 - name: Generate list of dates to purge to
  delegate_to: 127.0.0.1
-  shell: "dateseq {{ matrix_purge_from_date }} {{ matrix_purge_to_date }}"
+  shell: "dateseq {{ awx_purge_from_date }} {{ awx_purge_to_date }}"
  register: awx_purge_dates
-    
+
 - name: Calculate initial size of local media repository
  shell: du -sh /matrix/synapse/storage/media-store/local*
  register: awx_local_media_size_before
  when: awx_purge_media_type == "Local Media"
+  async: 600
  ignore_errors: yes
  no_log: True

@ -43,16 +44,17 @@
  shell: du -sh /matrix/synapse/storage/media-store/remote*
  register: awx_remote_media_size_before
  when: awx_purge_media_type == "Remote Media"
+  async: 600 
  ignore_errors: yes
  no_log: True

 - name: Purge local media with loop
-  include_tasks: purge_media_local.yml 
+  include_tasks: purge_media_local.yml
  loop: "{{ awx_purge_dates.stdout_lines | flatten(levels=1) }}"
  when: awx_purge_media_type == "Local Media"

 - name: Purge remote media with loop
-  include_tasks: purge_media_remote.yml 
+  include_tasks: purge_media_remote.yml
  loop: "{{ awx_purge_dates.stdout_lines | flatten(levels=1) }}"
  when: awx_purge_media_type == "Remote Media"

--- a/roles/matrix-awx/tasks/purge_media_remote.yml
+++ b/roles/matrix-awx/tasks/purge_media_remote.yml
@ -7,11 +7,11 @@

 - name: Purge remote media to specific date
  shell: |
-    curl -X POST --header "Authorization: Bearer {{ awx_janitors_token.stdout[1:-1] }}" '{{ awx_synapse_container_ip.stdout }}:8008/_synapse/admin/v1/purge_media_cache?before_ts={{ awx_epoche_time.stdout }}000'
+    curl -X POST --header "Authorization: Bearer {{ awx_janitors_token.stdout[1:-1] }}" '{{ awx_synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_synapse/admin/v1/purge_media_cache?before_ts={{ awx_epoche_time.stdout }}000'
  register: awx_purge_command
-  
+
 - name: Print output of purge command
-  debug: 
+  debug:
    msg: "{{ awx_purge_command.stdout }}"

 - name: Pause for 5 seconds to let Synapse breathe
--- a/roles/matrix-awx/tasks/set_variables_dimension.yml
+++ b/roles/matrix-awx/tasks/set_variables_dimension.yml
@ -12,9 +12,9 @@
      - curl
    state: present

- name: Collect access token of Dimension user
+- name: Collect access token of @_dimension user
  shell: |
-    curl -X POST --header 'Content-Type: application/json' -d '{ "identifier": { "type": "m.id.user","user": "dimension" }, "password": "{{ awx_dimension_user_password }}", "type": "m.login.password"}' 'https://matrix.{{ matrix_domain }}/_matrix/client/r0/login' | jq -c '. | {access_token}' | sed 's/.*\":\"//' | sed 's/\"}//'
+    curl -X POST --header 'Content-Type: application/json' -d '{ "identifier": { "type": "m.id.user","user": "_dimension" }, "password": "{{ awx_dimension_user_password }}", "type": "m.login.password"}' 'https://matrix.{{ matrix_domain }}/_matrix/client/r0/login' | jq -c '. | {access_token}' | sed 's/.*\":\"//' | sed 's/\"}//'
  register: awx_dimension_user_access_token

 - name: Record Synapse variables locally on AWX
--- a/roles/matrix-awx/tasks/set_variables_ma1sd.yml
+++ b/roles/matrix-awx/tasks/set_variables_ma1sd.yml
@ -30,7 +30,7 @@
    insertafter: '# Synapse Extension Start'
  with_dict:
    'matrix_synapse_awx_password_provider_rest_auth_enabled': 'true'
-    'matrix_synapse_awx_password_provider_rest_auth_endpoint': '"http://matrix-ma1sd:8090"'
+    'matrix_synapse_awx_password_provider_rest_auth_endpoint': '"http://matrix-ma1sd:{{ matrix_ma1sd_container_port }}"'
  when: awx_matrix_ma1sd_auth_store == 'LDAP/AD'

 - name: Remove entire ma1sd configuration extension
--- a/roles/matrix-base/defaults/main.yml
+++ b/roles/matrix-base/defaults/main.yml
@ -91,7 +91,7 @@ matrix_homeserver_url: "https://{{ matrix_server_fqn_matrix }}"
 # Specifies where the homeserver is on the container network.
 # Where this is depends on whether there's a reverse-proxy in front of it, etc.
 # This likely gets overriden elsewhere.
-matrix_homeserver_container_url: "http://matrix-synapse:8008"
+matrix_homeserver_container_url: ""

 matrix_identity_server_url: ~

@ -118,6 +118,72 @@ matrix_client_element_e2ee_secure_backup_required: false
 # See: https://github.com/vector-im/element-web/blob/develop/docs/e2ee.md
 matrix_client_element_e2ee_secure_backup_setup_methods: []

+# Default `/.well-known/matrix/client` configuration - it covers the generic use case.
+# You can customize it by controlling the various variables inside the template file that it references.
+#
+# For a more advanced customization, you can extend the default (see `matrix_well_known_matrix_client_configuration_extension_json`)
+# or completely replace this variable with your own template.
+#
+# The side-effect of this lookup is that Ansible would even parse the JSON for us, returning a dict.
+# This is unlike what it does when looking up YAML template files (no automatic parsing there).
+matrix_well_known_matrix_client_configuration_default: "{{ lookup('template', 'templates/static-files/well-known/matrix-client.j2') }}"
+
+# Your custom JSON configuration for `/.well-known/matrix/client` should go to `matrix_well_known_matrix_client_configuration_extension_json`.
+# This configuration extends the default starting configuration (`matrix_well_known_matrix_client_configuration_default`).
+#
+# You can override individual variables from the default configuration, or introduce new ones.
+#
+# If you need something more special, you can take full control by
+# completely redefining `matrix_well_known_matrix_client_configuration`.
+#
+# Example configuration extension follows:
+#
+# matrix_well_known_matrix_client_configuration_extension_json: |
+#   {
+#     "io.element.call_behaviour": {
+#       "widget_build_url": "https://dimension.example.com/api/v1/dimension/bigbluebutton/widget_state"
+#     }
+#   }
+matrix_well_known_matrix_client_configuration_extension_json: '{}'
+
+matrix_well_known_matrix_client_configuration_extension: "{{ matrix_well_known_matrix_client_configuration_extension_json|from_json if matrix_well_known_matrix_client_configuration_extension_json|from_json is mapping else {} }}"
+
+# Holds the final `/.well-known/matrix/client` configuration (a combination of the default and its extension).
+# You most likely don't need to touch this variable. Instead, see `matrix_well_known_matrix_client_configuration_default` and `matrix_well_known_matrix_client_configuration_extension_json`.
+matrix_well_known_matrix_client_configuration: "{{ matrix_well_known_matrix_client_configuration_default|combine(matrix_well_known_matrix_client_configuration_extension, recursive=True) }}"
+
+# Default `/.well-known/matrix/server` configuration - it covers the generic use case.
+# You can customize it by controlling the various variables inside the template file that it references.
+#
+# For a more advanced customization, you can extend the default (see `matrix_well_known_matrix_server_configuration_extension_json`)
+# or completely replace this variable with your own template.
+#
+# The side-effect of this lookup is that Ansible would even parse the JSON for us, returning a dict.
+# This is unlike what it does when looking up YAML template files (no automatic parsing there).
+matrix_well_known_matrix_server_configuration_default: "{{ lookup('template', 'templates/static-files/well-known/matrix-server.j2') }}"
+
+# Your custom JSON configuration for `/.well-known/matrix/server` should go to `matrix_well_known_matrix_server_configuration_extension_json`.
+# This configuration extends the default starting configuration (`matrix_well_known_matrix_server_configuration_default`).
+#
+# You can override individual variables from the default configuration, or introduce new ones.
+#
+# If you need something more special, you can take full control by
+# completely redefining `matrix_well_known_matrix_server_configuration`.
+#
+# Example configuration extension follows:
+#
+# matrix_well_known_matrix_server_configuration_extension_json: |
+#   {
+#     "something": "another"
+#   }
+matrix_well_known_matrix_server_configuration_extension_json: '{}'
+
+matrix_well_known_matrix_server_configuration_extension: "{{ matrix_well_known_matrix_server_configuration_extension_json|from_json if matrix_well_known_matrix_server_configuration_extension_json|from_json is mapping else {} }}"
+
+# Holds the final `/.well-known/matrix/server` configuration (a combination of the default and its extension).
+# You most likely don't need to touch this variable. Instead, see `matrix_well_known_matrix_server_configuration_default` and `matrix_well_known_matrix_server_configuration_extension_json`.
+matrix_well_known_matrix_server_configuration: "{{ matrix_well_known_matrix_server_configuration_default|combine(matrix_well_known_matrix_server_configuration_extension, recursive=True) }}"
+
 # The Docker network that all services would be put into
 matrix_docker_network: "matrix"

--- a/roles/matrix-base/tasks/setup_well_known.yml
+++ b/roles/matrix-base/tasks/setup_well_known.yml
@ -13,16 +13,16 @@
    - "{{ matrix_static_files_base_path }}/.well-known/matrix"

 - name: Ensure Matrix /.well-known/matrix/client file configured
-  template:
-    src: "{{ role_path }}/templates/static-files/well-known/matrix-client.j2"
+  copy:
+    content: "{{ matrix_well_known_matrix_client_configuration|to_nice_json }}"
    dest: "{{ matrix_static_files_base_path }}/.well-known/matrix/client"
    mode: 0644
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_groupname }}"

 - name: Ensure Matrix /.well-known/matrix/server file configured
-  template:
-    src: "{{ role_path }}/templates/static-files/well-known/matrix-server.j2"
+  copy:
+    content: "{{ matrix_well_known_matrix_server_configuration|to_nice_json }}"
    dest: "{{ matrix_static_files_base_path }}/.well-known/matrix/server"
    mode: 0644
    owner: "{{ matrix_user_username }}"
--- a/roles/matrix-base/tasks/validate_config.yml
+++ b/roles/matrix-base/tasks/validate_config.yml
@ -0,0 +1,9 @@
+---
+
+- name: Fail if required Matrix Base settings not defined
+  fail:
+    msg: >-
+      You need to define a required configuration setting (`{{ item }}`) for using this playbook.
+  when: "vars[item] == ''"
+  with_items:
+    - "matrix_homeserver_container_url"
--- a/roles/matrix-bot-go-neb/tasks/setup_uninstall.yml
+++ b/roles/matrix-bot-go-neb/tasks/setup_uninstall.yml
@ -9,6 +9,7 @@
  service:
    name: matrix-bot-go-neb
    state: stopped
+    enabled: no
    daemon_reload: yes
  register: stopping_result
  when: "matrix_bot_go_neb_service_stat.stat.exists|bool"
--- a/roles/matrix-bot-matrix-reminder-bot/tasks/setup_uninstall.yml
+++ b/roles/matrix-bot-matrix-reminder-bot/tasks/setup_uninstall.yml
@ -9,6 +9,7 @@
  service:
    name: matrix-bot-matrix-reminder-bot
    state: stopped
+    enabled: no
    daemon_reload: yes
  register: stopping_result
  when: "matrix_bot_matrix_reminder_bot_service_stat.stat.exists|bool"
--- a/roles/matrix-bot-mjolnir/defaults/main.yml
+++ b/roles/matrix-bot-mjolnir/defaults/main.yml
@ -3,14 +3,13 @@

 matrix_bot_mjolnir_enabled: true

-matrix_bot_mjolnir_version: "v1.1.20"
+matrix_bot_mjolnir_version: "v1.2.1"

 matrix_bot_mjolnir_container_image_self_build: false
 matrix_bot_mjolnir_container_image_self_build_repo: "https://github.com/matrix-org/mjolnir.git"

 matrix_bot_mjolnir_docker_image: "{{ matrix_bot_mjolnir_docker_image_name_prefix }}matrixdotorg/mjolnir:{{ matrix_bot_mjolnir_version }}"
 matrix_bot_mjolnir_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_mjolnir_container_image_self_build else matrix_container_global_registry_prefix }}"
-
 matrix_bot_mjolnir_docker_image_force_pull: "{{ matrix_bot_mjolnir_docker_image.endswith(':latest') }}"

 matrix_bot_mjolnir_base_path: "{{ matrix_base_data_path }}/mjolnir"
--- a/roles/matrix-bot-mjolnir/tasks/setup_uninstall.yml
+++ b/roles/matrix-bot-mjolnir/tasks/setup_uninstall.yml
@ -9,6 +9,7 @@
  service:
    name: matrix-bot-mjolnir
    state: stopped
+    enabled: no
    daemon_reload: yes
  register: stopping_result
  when: "matrix_bot_mjolnir_service_stat.stat.exists|bool"
--- a/roles/matrix-bridge-appservice-discord/defaults/main.yml
+++ b/roles/matrix-bridge-appservice-discord/defaults/main.yml
@ -48,7 +48,7 @@ matrix_appservice_discord_bridge_enableSelfServiceBridging: false
 #
 # To use Postgres:
 # - change the engine (`matrix_appservice_discord_database_engine: 'postgres'`)
-# - adjust your database credentials via the `matrix_appservice_discord_postgres_*` variables
+# - adjust your database credentials via the `matrix_appservice_discord_database_*` variables
 matrix_appservice_discord_database_engine: 'sqlite'

 matrix_appservice_discord_sqlite_database_path_local: "{{ matrix_appservice_discord_data_path }}/discord.db"
--- a/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml
+++ b/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml
@ -54,6 +54,7 @@
  service:
    name: matrix-appservice-discord
    state: stopped
+    enabled: no
    daemon_reload: yes
  failed_when: false
  when: "matrix_appservice_discord_stat_db.stat.exists"
--- a/roles/matrix-bridge-appservice-discord/tasks/setup_uninstall.yml
+++ b/roles/matrix-bridge-appservice-discord/tasks/setup_uninstall.yml
@ -9,6 +9,7 @@
  service:
    name: matrix-appservice-discord
    state: stopped
+    enabled: no
    daemon_reload: yes
  when: "matrix_appservice_discord_service_stat.stat.exists"

--- a/roles/matrix-bridge-appservice-irc/defaults/main.yml
+++ b/roles/matrix-bridge-appservice-irc/defaults/main.yml
@ -7,7 +7,7 @@ matrix_appservice_irc_container_self_build: false
 matrix_appservice_irc_docker_repo: "https://github.com/matrix-org/matrix-appservice-irc.git"
 matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-irc/docker-src"

-matrix_appservice_irc_version: release-0.31.0
+matrix_appservice_irc_version: release-0.32.1
 matrix_appservice_irc_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/matrix-appservice-irc:{{ matrix_appservice_irc_version }}"
 matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}"

--- a/roles/matrix-bridge-appservice-irc/tasks/setup_uninstall.yml
+++ b/roles/matrix-bridge-appservice-irc/tasks/setup_uninstall.yml
@ -9,6 +9,7 @@
  service:
    name: matrix-appservice-irc
    state: stopped
+    enabled: no
    daemon_reload: yes
  when: "matrix_appservice_irc_service_stat.stat.exists"

--- a/roles/matrix-bridge-appservice-slack/defaults/main.yml
+++ b/roles/matrix-bridge-appservice-slack/defaults/main.yml
@ -33,7 +33,7 @@ matrix_appservice_slack_slack_port: 9003
 matrix_appservice_slack_container_http_host_bind_port: ''

 matrix_appservice_slack_homeserver_media_url: "{{ matrix_server_fqn_matrix }}"
-matrix_appservice_slack_homeserver_url: "http://matrix-synapse:8008"
+matrix_appservice_slack_homeserver_url: ""
 matrix_appservice_slack_homeserver_domain: "{{ matrix_domain }}"
 matrix_appservice_slack_appservice_url: 'http://matrix-appservice-slack'

@ -82,7 +82,7 @@ matrix_appservice_slack_configuration_extension_yaml: |
    # Optional
    #matrix_admin_room: "!aBcDeF:matrix.org"
    #homeserver:
-    #    url: http://localhost:8008
+    #    url: http://localhost:{{ matrix_synapse_container_client_api_port }}
    #    server_name: my.server
    # Optional
    #tls:
--- a/roles/matrix-bridge-appservice-slack/tasks/setup_uninstall.yml
+++ b/roles/matrix-bridge-appservice-slack/tasks/setup_uninstall.yml
@ -9,6 +9,7 @@
  service:
    name: matrix-appservice-slack
    state: stopped
+    enabled: no
    daemon_reload: yes
  when: "matrix_appservice_slack_service_stat.stat.exists"

--- a/roles/matrix-bridge-appservice-slack/tasks/validate_config.yml
+++ b/roles/matrix-bridge-appservice-slack/tasks/validate_config.yml
@ -8,5 +8,6 @@
  with_items:
    - "matrix_appservice_slack_control_room_id"
    - "matrix_appservice_slack_appservice_token"
+    - "matrix_appservice_slack_homeserver_url"
    - "matrix_appservice_slack_homeserver_token"
    - "matrix_appservice_slack_id_token"
--- a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml
+++ b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml
@ -22,8 +22,6 @@ matrix_appservice_webhooks_docker_src_files_path: "{{ matrix_appservice_webhooks
 matrix_appservice_webhooks_public_endpoint: /appservice-webhooks
 matrix_appservice_webhooks_inbound_uri_prefix: "{{ matrix_homeserver_url }}{{ matrix_appservice_webhooks_public_endpoint }}"

-# Once you make a control room in Matrix, you can get its ID by typing any message and checking its source
-matrix_appservice_webhooks_control_room_id: ''
 matrix_appservice_webhooks_bot_name: 'webhookbot'
 matrix_appservice_webhooks_user_prefix: '_webhook'

@ -36,7 +34,7 @@ matrix_appservice_webhooks_matrix_port: 6789
 matrix_appservice_webhooks_container_http_host_bind_port: ''

 matrix_appservice_webhooks_homeserver_media_url: "{{ matrix_server_fqn_matrix }}"
-matrix_appservice_webhooks_homeserver_url: "http://matrix-synapse:8008"
+matrix_appservice_webhooks_homeserver_url: ""
 matrix_appservice_webhooks_homeserver_domain: "{{ matrix_domain }}"
 matrix_appservice_webhooks_appservice_url: 'http://matrix-appservice-webhooks'

--- a/roles/matrix-bridge-appservice-webhooks/tasks/setup_uninstall.yml
+++ b/roles/matrix-bridge-appservice-webhooks/tasks/setup_uninstall.yml
@ -9,6 +9,7 @@
  service:
    name: matrix-appservice-webhooks
    state: stopped
+    enabled: no
    daemon_reload: yes
  when: "matrix_appservice_webhooks_service_stat.stat.exists"

--- a/roles/matrix-bridge-appservice-webhooks/tasks/validate_config.yml
+++ b/roles/matrix-bridge-appservice-webhooks/tasks/validate_config.yml
@ -7,6 +7,7 @@
  when: "vars[item] == ''"
  with_items:
    - "matrix_appservice_webhooks_appservice_token"
+    - "matrix_appservice_webhooks_homeserver_url"
    - "matrix_appservice_webhooks_homeserver_token"
    - "matrix_appservice_webhooks_id_token"
    - "matrix_appservice_webhooks_api_secret"
--- a/roles/matrix-bridge-beeper-linkedin/tasks/setup_uninstall.yml
+++ b/roles/matrix-bridge-beeper-linkedin/tasks/setup_uninstall.yml
@ -9,6 +9,7 @@
  service:
    name: matrix-beeper-linkedin
    state: stopped
+    enabled: no
    daemon_reload: yes
  when: "matrix_beeper_linkedin_service_stat.stat.exists"

--- a/roles/matrix-bridge-heisenbridge/defaults/main.yml
+++ b/roles/matrix-bridge-heisenbridge/defaults/main.yml
@ -3,7 +3,7 @@

 matrix_heisenbridge_enabled: true

-matrix_heisenbridge_version: 1.3.0
+matrix_heisenbridge_version: 1.7.1
 matrix_heisenbridge_docker_image: "{{ matrix_container_global_registry_prefix }}hif1/heisenbridge:{{ matrix_heisenbridge_version }}"
 matrix_heisenbridge_docker_image_force_pull: "{{ matrix_heisenbridge_docker_image.endswith(':latest') }}"

--- a/roles/matrix-bridge-heisenbridge/tasks/setup_uninstall.yml
+++ b/roles/matrix-bridge-heisenbridge/tasks/setup_uninstall.yml
@ -9,6 +9,7 @@
  service:
    name: matrix-heisenbridge
    state: stopped
+    enabled: no
    daemon_reload: yes
  when: "matrix_heisenbridge_service_stat.stat.exists"

--- a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml
+++ b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml
@ -6,7 +6,7 @@ matrix_mautrix_facebook_enabled: true
 matrix_mautrix_facebook_container_image_self_build: false
 matrix_mautrix_facebook_container_image_self_build_repo: "https://mau.dev/mautrix/facebook.git"

-matrix_mautrix_facebook_version: v0.3.1
+matrix_mautrix_facebook_version: v0.3.2
 matrix_mautrix_facebook_docker_image: "{{ matrix_mautrix_facebook_docker_image_name_prefix }}mautrix/facebook:{{ matrix_mautrix_facebook_version }}"
 matrix_mautrix_facebook_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_facebook_container_image_self_build else 'dock.mau.dev/' }}"
 matrix_mautrix_facebook_docker_image_force_pull: "{{ matrix_mautrix_facebook_docker_image.endswith(':latest') }}"
@ -42,7 +42,7 @@ matrix_mautrix_facebook_homeserver_token: ''
 # - plan your migration to Postgres, as this bridge does not support SQLite anymore (and neither will the playbook in the future).
 #
 # To use Postgres:
-# - adjust your database credentials via the `matrix_mautrix_facebook_postgres_*` variables
+# - adjust your database credentials via the `matrix_mautrix_facebook_database_*` variables
 matrix_mautrix_facebook_database_engine: 'postgres'

 matrix_mautrix_facebook_sqlite_database_path_local: "{{ matrix_mautrix_facebook_data_path }}/mautrix-facebook.db"
--- a/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml
+++ b/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml
@ -86,6 +86,7 @@
  service:
    name: matrix-mautrix-facebook
    state: stopped
+    enabled: no
    daemon_reload: yes
  failed_when: false
  when: "matrix_mautrix_facebook_stat_database.stat.exists"
--- a/roles/matrix-bridge-mautrix-facebook/tasks/setup_uninstall.yml
+++ b/roles/matrix-bridge-mautrix-facebook/tasks/setup_uninstall.yml
@ -9,6 +9,7 @@
  service:
    name: matrix-mautrix-facebook
    state: stopped
+    enabled: no
    daemon_reload: yes
  when: "matrix_mautrix_facebook_service_stat.stat.exists"

--- a/roles/matrix-bridge-mautrix-facebook/tasks/validate_config.yml
+++ b/roles/matrix-bridge-mautrix-facebook/tasks/validate_config.yml
@ -10,22 +10,14 @@
    - "matrix_mautrix_facebook_homeserver_token"

 - block:
-    - name: Fail if on SQLite, unless on the last version supporting SQLite
-      fail:
-        msg: >-
-          You're trying to use the mautrix-facebook bridge with an SQLite database.
-          Going forward, this bridge only supports Postgres.
-          To learn more about this, see our changelog: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#breaking-change-the-mautrix-facebook-bridge-now-requires-a-postgres-database
-      when: "not matrix_mautrix_facebook_docker_image.endswith(':da1b4ec596e334325a1589e70829dea46e73064b')"
-
-    - name: Inject warning if still on SQLite
+    - name: Inject warning if on an old SQLite-supporting version
      set_fact:
        matrix_playbook_runtime_results: |
          {{
            matrix_playbook_runtime_results|default([])
            +
            [
-              "NOTE: Your mautrix-facebook bridge setup is still on SQLite. Your bridge is not getting any updates and will likely stop working at some point. To learn more about this, see our changelog: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#breaking-change-the-mautrix-facebook-bridge-now-requires-a-postgres-database"
+              "NOTE: Your mautrix-facebook bridge is still on SQLite and on the last version that supported it, before support was dropped. Support has been subsequently re-added in v0.3.2, so we advise you to upgrade (by removing your `matrix_mautrix_facebook_docker_image` definition from vars.yml)"
            ]
          }}
-  when: "matrix_mautrix_facebook_database_engine == 'sqlite'"
+  when: "matrix_mautrix_facebook_database_engine == 'sqlite' and matrix_mautrix_facebook_docker_image.endswith(':da1b4ec596e334325a1589e70829dea46e73064b')"
--- a/roles/matrix-bridge-mautrix-googlechat/defaults/main.yml
+++ b/roles/matrix-bridge-mautrix-googlechat/defaults/main.yml
@ -47,7 +47,7 @@ matrix_mautrix_googlechat_homeserver_token: ''
 #
 # To use Postgres:
 # - change the engine (`matrix_mautrix_googlechat_database_engine: 'postgres'`)
-# - adjust your database credentials via the `matrix_mautrix_googlechat_postgres_*` variables
+# - adjust your database credentials via the `matrix_mautrix_googlechat_database_*` variables
 matrix_mautrix_googlechat_database_engine: 'sqlite'

 matrix_mautrix_googlechat_sqlite_database_path_local: "{{ matrix_mautrix_googlechat_data_path }}/mautrix-googlechat.db"
--- a/roles/matrix-bridge-mautrix-googlechat/tasks/setup_install.yml
+++ b/roles/matrix-bridge-mautrix-googlechat/tasks/setup_install.yml
@ -85,6 +85,7 @@
  service:
    name: matrix-mautrix-googlechat
    state: stopped
+    enabled: no
    daemon_reload: yes
  failed_when: false
  when: "matrix_mautrix_googlechat_stat_database.stat.exists"
--- a/roles/matrix-bridge-mautrix-googlechat/tasks/setup_uninstall.yml
+++ b/roles/matrix-bridge-mautrix-googlechat/tasks/setup_uninstall.yml
@ -9,6 +9,7 @@
  service:
    name: matrix-mautrix-googlechat
    state: stopped
+    enabled: no
    daemon_reload: yes
  when: "matrix_mautrix_googlechat_service_stat.stat.exists"

--- a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml
+++ b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml
@ -47,7 +47,7 @@ matrix_mautrix_hangouts_homeserver_token: ''
 #
 # To use Postgres:
 # - change the engine (`matrix_mautrix_hangouts_database_engine: 'postgres'`)
-# - adjust your database credentials via the `matrix_mautrix_hangouts_postgres_*` variables
+# - adjust your database credentials via the `matrix_mautrix_hangouts_database_*` variables
 matrix_mautrix_hangouts_database_engine: 'sqlite'

 matrix_mautrix_hangouts_sqlite_database_path_local: "{{ matrix_mautrix_hangouts_data_path }}/mautrix-hangouts.db"
--- a/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml
+++ b/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml
@ -85,6 +85,7 @@
  service:
    name: matrix-mautrix-hangouts
    state: stopped
+    enabled: no
    daemon_reload: yes
  failed_when: false
  when: "matrix_mautrix_hangouts_stat_database.stat.exists"
--- a/roles/matrix-bridge-mautrix-hangouts/tasks/setup_uninstall.yml
+++ b/roles/matrix-bridge-mautrix-hangouts/tasks/setup_uninstall.yml
@ -9,6 +9,7 @@
  service:
    name: matrix-mautrix-hangouts
    state: stopped
+    enabled: no
    daemon_reload: yes
  when: "matrix_mautrix_hangouts_service_stat.stat.exists"

--- a/roles/matrix-bridge-mautrix-instagram/defaults/main.yml
+++ b/roles/matrix-bridge-mautrix-instagram/defaults/main.yml
@ -37,7 +37,7 @@ matrix_mautrix_instagram_homeserver_token: ''
 # Database-related configuration fields.
 #
 # To use Postgres:
-# - adjust your database credentials via the `matrix_mautrix_instagram_postgres_*` variables
+# - adjust your database credentials via the `matrix_mautrix_instagram_database_*` variables
 matrix_mautrix_instagram_database_engine: 'postgres'

 matrix_mautrix_instagram_database_username: 'matrix_mautrix_instagram'
--- a/roles/matrix-bridge-mautrix-instagram/tasks/setup_uninstall.yml
+++ b/roles/matrix-bridge-mautrix-instagram/tasks/setup_uninstall.yml
@ -8,6 +8,7 @@
  service:
    name: matrix-mautrix-instagram
    state: stopped
+    enabled: no
    daemon_reload: yes
  when: "matrix_mautrix_instagram_service_stat.stat.exists"

--- a/roles/matrix-bridge-mautrix-signal/defaults/main.yml
+++ b/roles/matrix-bridge-mautrix-signal/defaults/main.yml
@ -17,7 +17,7 @@ matrix_mautrix_signal_daemon_container_self_build: false
 matrix_mautrix_signal_daemon_docker_repo: "https://mau.dev/maunium/signald.git"
 matrix_mautrix_signal_daemon_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-signald/docker-src"

-matrix_mautrix_signal_daemon_docker_image: "dock.mau.dev/maunium/signald:{{ matrix_mautrix_signal_daemon_version }}"
+matrix_mautrix_signal_daemon_docker_image: "docker.io/signald/signald:{{ matrix_mautrix_signal_daemon_version }}"
 matrix_mautrix_signal_daemon_docker_image_force_pull: "{{ matrix_mautrix_signal_daemon_docker_image.endswith(':latest') }}"

 matrix_mautrix_signal_base_path: "{{ matrix_base_data_path }}/mautrix-signal"
--- a/roles/matrix-bridge-mautrix-signal/tasks/setup_uninstall.yml
+++ b/roles/matrix-bridge-mautrix-signal/tasks/setup_uninstall.yml
@ -10,6 +10,7 @@
  service:
    name: matrix-mautrix-signal-daemon
    state: stopped
+    enabled: no
    daemon_reload: yes
  when: "matrix_mautrix_signal_daemon_service_stat.stat.exists"

@ -29,6 +30,7 @@
  service:
    name: matrix-mautrix-signal
    state: stopped
+    enabled: no
    daemon_reload: yes
  when: "matrix_mautrix_signal_service_stat.stat.exists"

--- a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2
+++ b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2
@ -15,6 +15,8 @@ homeserver:
    # If set, the bridge will make POST requests to this URL whenever a user's Signal connection state changes.
    # The bridge will use the appservice as_token to authorize requests.
    status_endpoint: null
+    # Endpoint for reporting per-message status.
+    message_send_checkpoint_endpoint: null

 # Application service host/registration related details
 # Changing these values requires regeneration of the registration.
@ -32,25 +34,19 @@ appservice:
    # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s
    max_body_size: 1

-    # The full URI to the database. Only Postgres is currently supported.
+    # The full URI to the database. SQLite and Postgres are supported.
+    # Format examples:
+    #   SQLite:   sqlite:///filename.db
+    #   Postgres: postgres://username:password@hostname/dbname
    database: {{ matrix_mautrix_signal_database_connection_string }}
-    # Additional arguments for asyncpg.create_pool()
+    # Additional arguments for asyncpg.create_pool() or sqlite3.connect()
    # https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool
+    # https://docs.python.org/3/library/sqlite3.html#sqlite3.connect
+    # For sqlite, min_size is used as the connection thread pool size and max_size is ignored.
    database_opts:
        min_size: 5
        max_size: 10

-    # Provisioning API part of the web server for automated portal creation and fetching information.
-    # Used by things like mautrix-manager (https://github.com/tulir/mautrix-manager).
-    provisioning:
-        # Whether or not the provisioning API should be enabled.
-        enabled: true
-        # The prefix to use in the provisioning API endpoints.
-        prefix: /_matrix/provision/v1
-        # The shared secret to authorize users of the API.
-        # Set to "generate" to generate and save a new token.
-        shared_secret: generate
-
    # The unique ID of this appservice.
    id: signal
    # Username of the appservice bot.
@ -66,7 +62,12 @@ appservice:
    # Example: "+signal:example.com". Set to false to disable.
    community_id: false

-    # Authentication tokens for AS <-> HS communication.
+    # Whether or not to receive ephemeral events via appservice transactions.
+    # Requires MSC2409 support (i.e. Synapse 1.22+).
+    # You should disable bridge -> sync_with_custom_puppets when this is enabled.
+    ephemeral_events: false
+
+    # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
    as_token: "{{ matrix_mautrix_signal_appservice_token }}"
    hs_token: "{{ matrix_mautrix_signal_homeserver_token }}"

@ -75,6 +76,17 @@ metrics:
    enabled: false
    listen_port: 8000

+# Manhole config.
+manhole:
+    # Whether or not opening the manhole is allowed.
+    enabled: false
+    # The path for the unix socket.
+    path: /var/tmp/mautrix-signal.manhole
+    # The list of UIDs who can be added to the whitelist.
+    # If empty, any UIDs can be specified in the open-manhole command.
+    whitelist:
+    - 0
+
 signal:
    # Path to signald unix socket
    socket_path: /signald/signald.sock
@ -91,6 +103,8 @@ signal:
    delete_unknown_accounts_on_start: false
    # Whether or not message attachments should be removed from disk after they're bridged.
    remove_file_after_handling: true
+    # Whether or not users can register a primary device
+    registration_enabled: true

 # Bridge config
 bridge:
@ -102,6 +116,7 @@ bridge:
    # available variable in displayname_preference. The variables in displayname_preference
    # can also be used here directly.
    displayname_template: "{displayname} (Signal)"
+    # Whether or not contact list displaynames should be used.
    # Possible values: disallow, allow, prefer
    #
    # Multi-user instances are recommended to disallow contact list names, as otherwise there can
@ -140,7 +155,7 @@ bridge:
    # If false, created portal rooms will never be federated.
    federate_rooms: true
    # End-to-bridge encryption support options. You must install the e2be optional dependency for
-    # this to work. See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html
+    # this to work. See https://github.com/tulir/mautrix-telegram/wiki/End‐to‐bridge-encryption
    encryption:
        # Allow encryption, work in group chat rooms with e2ee enabled
        allow: false
@ -173,12 +188,38 @@ bridge:
    # This field will automatically be changed back to false after it,
    # except if the config file is not writable.
    resend_bridge_info: false
-    # Interval at which to resync contacts.
+    # Interval at which to resync contacts (in seconds).
    periodic_sync: 0

+    # Provisioning API part of the web server for automated portal creation and fetching information.
+    # Used by things like mautrix-manager (https://github.com/tulir/mautrix-manager).
+    provisioning:
+        # Whether or not the provisioning API should be enabled.
+        enabled: true
+        # The prefix to use in the provisioning API endpoints.
+        prefix: /_matrix/provision/v1
+        # The shared secret to authorize users of the API.
+        # Set to "generate" to generate and save a new token.
+        shared_secret: generate
+
    # The prefix for commands. Only required in non-management rooms.
    command_prefix: "!signal"

+    # Messages sent upon joining a management room.
+    # Markdown is supported. The defaults are listed below.
+    management_room_text:
+        # Sent when joining a room.
+        welcome: "Hello, I'm a Signal bridge bot."
+        # Sent when joining a management room and the user is already logged in.
+        welcome_connected: "Use `help` for help."
+        # Sent when joining a management room and the user is not logged in.
+        welcome_unconnected: "Use `help` for help or `register` to log in."
+        # Optional extra text sent when joining a management room.
+        additional_help: ""
+
+    # Send each message separately (for readability in some clients)
+    management_room_multiple_messages: false
+
    # Permissions for using the bridge.
    # Permitted values:
    #      relay - Allowed to be relayed through the bridge, no access to commands.
--- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml
+++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml
@ -13,7 +13,7 @@ matrix_mautrix_telegram_container_self_build: false
 matrix_mautrix_telegram_docker_repo: "https://mau.dev/mautrix/telegram.git"
 matrix_mautrix_telegram_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-telegram/docker-src"

-matrix_mautrix_telegram_version: v0.10.1
+matrix_mautrix_telegram_version: v0.10.2
 # See: https://mau.dev/mautrix/telegram/container_registry
 matrix_mautrix_telegram_docker_image: "dock.mau.dev/mautrix/telegram:{{ matrix_mautrix_telegram_version }}"
 matrix_mautrix_telegram_docker_image_force_pull: "{{ matrix_mautrix_telegram_docker_image.endswith(':latest') }}"
@ -63,7 +63,7 @@ matrix_mautrix_telegram_homeserver_token: ''
 #
 # To use Postgres:
 # - change the engine (`matrix_mautrix_telegram_database_engine: 'postgres'`)
-# - adjust your database credentials via the `matrix_mautrix_telegram_postgres_*` variables
+# - adjust your database credentials via the `matrix_mautrix_telegram_database_*` variables
 matrix_mautrix_telegram_database_engine: 'sqlite'

 matrix_mautrix_telegram_sqlite_database_path_local: "{{ matrix_mautrix_telegram_data_path }}/mautrix-telegram.db"
--- a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml
+++ b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml
@ -107,6 +107,7 @@
  service:
    name: matrix-mautrix-telegram
    state: stopped
+    enabled: no
    daemon_reload: yes
  failed_when: false
  when: "matrix_mautrix_telegram_stat_database.stat.exists"
--- a/roles/matrix-bridge-mautrix-telegram/tasks/setup_uninstall.yml
+++ b/roles/matrix-bridge-mautrix-telegram/tasks/setup_uninstall.yml
@ -9,6 +9,7 @@
  service:
    name: matrix-mautrix-telegram
    state: stopped
+    enabled: no
    daemon_reload: yes
  when: "matrix_mautrix_telegram_service_stat.stat.exists"

--- a/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml
+++ b/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml
@ -36,14 +36,13 @@ matrix_mautrix_whatsapp_homeserver_token: ''

 matrix_mautrix_whatsapp_appservice_bot_username: whatsappbot

-
 # Database-related configuration fields.
 #
 # To use SQLite, stick to these defaults.
 #
 # To use Postgres:
 # - change the engine (`matrix_mautrix_whatsapp_database_engine: 'postgres'`)
-# - adjust your database credentials via the `matrix_mautrix_whatsapp_postgres_*` variables
+# - adjust your database credentials via the `matrix_mautrix_whatsapp_database_*` variables
 matrix_mautrix_whatsapp_database_engine: 'sqlite'

 matrix_mautrix_whatsapp_sqlite_database_path_local: "{{ matrix_mautrix_whatsapp_data_path }}/mautrix-whatsapp.db"
@ -71,9 +70,14 @@ matrix_mautrix_whatsapp_appservice_database_uri: "{{
 	}[matrix_mautrix_whatsapp_database_engine]
 }}"

-
 # Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth).
 matrix_mautrix_whatsapp_login_shared_secret: ''
+matrix_mautrix_whatsapp_bridge_login_shared_secret_map:
+  "{{ {matrix_mautrix_whatsapp_homeserver_domain: matrix_mautrix_whatsapp_login_shared_secret} if matrix_mautrix_whatsapp_login_shared_secret else {} }}"
+
+# Servers to always allow double puppeting from
+matrix_mautrix_whatsapp_bridge_double_puppet_server_map:
+    "{{ matrix_mautrix_whatsapp_homeserver_domain :  matrix_mautrix_whatsapp_homeserver_address }}"

 # Default mautrix-whatsapp configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
--- a/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml
+++ b/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml
@ -93,6 +93,7 @@
  service:
    name: matrix-mautrix-whatsapp
    state: stopped
+    enabled: no
    daemon_reload: yes
  failed_when: false
  when: "matrix_mautrix_whatsapp_stat_database.stat.exists"
--- a/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_uninstall.yml
+++ b/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_uninstall.yml
@ -9,6 +9,7 @@
  service:
    name: matrix-mautrix-whatsapp
    state: stopped
+    enabled: no
    daemon_reload: yes
  when: "matrix_mautrix_whatsapp_service_stat.stat.exists"

--- a/roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2
+++ b/roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2
@ -7,15 +7,17 @@ homeserver:
    domain: {{ matrix_mautrix_whatsapp_homeserver_domain }}
 # Application service host/registration related details.
 # Changing these values requires regeneration of the registration.
+    # The URL to push real-time bridge status to.
+    # If set, the bridge will make POST requests to this URL whenever a user's whatsapp connection state changes.
+    # The bridge will use the appservice as_token to authorize requests.
+    status_endpoint: "null"

 appservice:
    # The address that the homeserver can use to connect to this appservice.
    address: {{ matrix_mautrix_whatsapp_appservice_address }}
-
    # The hostname and port where this appservice should listen.
    hostname: 0.0.0.0
    port: 8080
-
    # Database config.
    database:
        # The database type. "sqlite3" and "postgres" are supported.
@ -27,10 +29,6 @@ appservice:
        # Maximum number of connections. Mostly relevant for Postgres.
        max_open_conns: 20
        max_idle_conns: 2
-
-    # Path to the Matrix room state store.
-    state_store_path: ./mx-state.json
-
    # The unique ID of this appservice.
    id: whatsapp
    # Appservice bot details.
@ -41,7 +39,6 @@ appservice:
        # to leave display name/avatar as-is.
        displayname: WhatsApp bridge bot
        avatar: mxc://maunium.net/NeXNQarUbrlYBiPCpprYsRqr
-
    # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
    as_token: "{{ matrix_mautrix_whatsapp_appservice_token }}"
    hs_token: "{{ matrix_mautrix_whatsapp_homeserver_token }}"
@ -51,79 +48,137 @@ bridge:
    # Localpart template of MXIDs for WhatsApp users.
    # {{ '{{.}}' }} is replaced with the phone number of the WhatsApp user.
    username_template: "{{ 'whatsapp_{{.}}' }}"
-    # Displayname template for WhatsApp users.
-    # {{ '{{.Notify'}}' }} - nickname set by the WhatsApp user
-    # {{ '{{.Jid}}' }}    - phone number (international format)
-    # The following variables are also available, but will cause problems on multi-user instances:
-    # {{ '{{.Name}}' }}   - display name from contact list
-    # {{ '{{.Short}}' }}  - short display name from contact list
-    displayname_template: "{{ '{{if .Notify}}{{.Notify}}{{else}}{{.Jid}}{{end}} (WA)' }}"
-    # WhatsApp connection timeout in seconds.
-    connection_timeout: 20
-    # Maximum number of times to retry connecting on connection error.
-    max_connection_attempts: 3
-    # Number of seconds to wait between connection attempts.
-    # Negative numbers are exponential backoff: -connection_retry_delay + 1 + 2^attempts
-    connection_retry_delay: -1
-    # Whether or not the bridge should send a notice to the user's management room when it retries connecting.
-    # If false, it will only report when it stops retrying.
-    report_connection_retry: true
-    # Maximum number of seconds to wait for chats to be sent at startup.
-    # If this is too low and you have lots of chats, it could cause backfilling to fail.
-    chat_list_wait: 30
-    # Maximum number of seconds to wait to sync portals before force unlocking message processing.
-    # If this is too low and you have lots of chats, it could cause backfilling to fail.
-    portal_sync_wait: 600
-
-    # Whether or not to send call start/end notices to Matrix.
-    call_notices:
-        start: true
-        end: true
-
-    # Number of chats to sync for new users.
-    initial_chat_sync_count: 10
-    # Number of old messages to fill when creating new portal rooms.
-    initial_history_fill_count: 20
-    # Maximum number of chats to sync when recovering from downtime.
-    # Set to -1 to sync all new chats during downtime.
-    recovery_chat_sync_limit: -1
-    # Whether or not to sync history when recovering from downtime.
-    recovery_history_backfill: true
-    # Maximum number of seconds since last message in chat to skip
-    # syncing the chat in any case. This setting will take priority
-    # over both recovery_chat_sync_limit and initial_chat_sync_count.
-    # Default is 3 days = 259200 seconds
-    sync_max_chat_age: 259200
-
-    # Whether or not to sync with custom puppets to receive EDUs that
-    # are not normally sent to appservices.
+    displayname_template: "{{ '{{if .PushName}}{{.PushName}}{{else if .BusinessName}}{{.BusinessName}}{{else}}{{.JID}}{{end}} (WA)' }}"
+    # Should the bridge send a read receipt from the bridge bot when a message has been sent to WhatsApp?
+    delivery_receipts: false
+    # Should incoming calls send a message to the Matrix room?
+    call_start_notices: true
+    # Should another user's cryptographic identity changing send a message to Matrix?
+    identity_change_notices: false
+    # Should a "reactions not yet supported" warning be sent to the Matrix room when a user reacts to a message?
+    reaction_notices: true
+    portal_message_buffer: 128
+    # Settings for handling history sync payloads. These settings only apply right after login,
+    # because the phone only sends the history sync data once, and there's no way to re-request it
+    # (other than logging out and back in again).
+    history_sync:
+        # Should the bridge create portals for chats in the history sync payload?
+        create_portals: true
+        # Maximum age of chats in seconds to create portals for. Set to 0 to create portals for all chats in sync payload.
+        max_age: 604800
+        # Enable backfilling history sync payloads from WhatsApp using batch sending?
+        # This requires a server with MSC2716 support, which is currently an experimental feature in synapse.
+        # It can be enabled by setting experimental_features -> msc2716_enabled to true in homeserver.yaml.
+        # Note that as of Synapse 1.46, there are still some bugs with the implementation, especially if using event persistence workers.
+        backfill: false
+        # Use double puppets for backfilling?
+        # In order to use this, the double puppets must be in the appservice's user ID namespace
+        # (because the bridge can't use the double puppet access token with batch sending).
+        # This only affects double puppets on the local server, double puppets on other servers will never be used.
+        # Doesn't work out of box with this playbook
+        double_puppet_backfill: false
+        # Should the bridge request a full sync from the phone when logging in?
+        # This bumps the size of history syncs from 3 months to 1 year.
+        request_full_sync: false
+    user_avatar_sync: true
+    # Should Matrix users leaving groups be bridged to WhatsApp?
+    bridge_matrix_leave: true
+    # Should the bridge sync with double puppeting to receive EDUs that aren't normally sent to appservices.
    sync_with_custom_puppets: true
-    # Shared secret for https://github.com/devture/matrix-synapse-shared-secret-auth
+    # Should the bridge update the m.direct account data event when double puppeting is enabled.
+    # Note that updating the m.direct event is not atomic (except with mautrix-asmux)
+    # and is therefore prone to race conditions.
+    sync_direct_chat_list: false
+    # When double puppeting is enabled, users can use `!wa toggle` to change whether
+    # presence and read receipts are bridged. These settings set the default values.
+    # Existing users won't be affected when these are changed.
+    default_bridge_receipts: true
+    default_bridge_presence: true
+    # Servers to always allow double puppeting from
+    double_puppet_server_map:
+        "{{ matrix_mautrix_whatsapp_homeserver_domain }}": {{ matrix_mautrix_whatsapp_homeserver_address }}
+    # Allow using double puppeting from any server with a valid client .well-known file.
+    double_puppet_allow_discovery: false
+    # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth
    #
-    # If set, custom puppets will be enabled automatically for local users
+    # If set, double puppeting will be enabled automatically for local users
    # instead of users having to find an access token and run `login-matrix`
    # manually.
-    login_shared_secret: {{ matrix_mautrix_whatsapp_login_shared_secret|to_json }}
-
-    # Whether or not to invite own WhatsApp user's Matrix puppet into private
-    # chat portals when backfilling if needed.
-    # This always uses the default puppet instead of custom puppets due to
-    # rate limits and timestamp massaging.
-    invite_own_puppet_for_backfilling: true
-    # Whether or not to explicitly set the avatar and room name for private
-    # chat portal rooms. This can be useful if the previous field works fine,
-    # but causes room avatar/name bugs.
+    login_shared_secret_map: {{ matrix_mautrix_whatsapp_bridge_login_shared_secret_map|to_json }}
+    # Should the bridge explicitly set the avatar and room name for private chat portal rooms?
    private_chat_portal_meta: false
-
+    # Should Matrix m.notice-type messages be bridged?
+    bridge_notices: true
+    # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run.
+    # This field will automatically be changed back to false after it, except if the config file is not writable.
+    resend_bridge_info: false
+    # When using double puppeting, should muted chats be muted in Matrix?
+    mute_bridging: false
+    # When using double puppeting, should archived chats be moved to a specific tag in Matrix?
+    # Note that WhatsApp unarchives chats when a message is received, which will also be mirrored to Matrix.
+    # This can be set to a tag (e.g. m.lowpriority), or null to disable.
+    archive_tag: null
+    # Same as above, but for pinned chats. The favorite tag is called m.favourite
+    pinned_tag: null
+    # Should mute status and tags only be bridged when the portal room is created?
+    tag_only_on_create: true
+    # Should WhatsApp status messages be bridged into a Matrix room?
+    # Disabling this won't affect already created status broadcast rooms.
+    enable_status_broadcast: true
+    # Should the status broadcast room be muted and moved into low priority by default?
+    # This is only applied when creating the room, the user can unmute/untag it later.
+    mute_status_broadcast: true
+    # Should the bridge use thumbnails from WhatsApp?
+    # They're disabled by default due to very low resolution.
+    whatsapp_thumbnail: false
    # Allow invite permission for user. User can invite any bots to room with whatsapp
    # users (private chat and groups)
    allow_user_invite: false
+    # Whether or not created rooms should have federation enabled.
+    # If false, created portal rooms will never be federated.
+    federate_rooms: true

    # The prefix for commands. Only required in non-management rooms.
    command_prefix: "!wa"

+    # Messages sent upon joining a management room.
+    # Markdown is supported. The defaults are listed below.
+    management_room_text:
+        # Sent when joining a room.
+        welcome: "Hello, I'm a WhatsApp bridge bot."
+        # Sent when joining a management room and the user is already logged in.
+        welcome_connected: "Use `help` for help."
+        # Sent when joining a management room and the user is not logged in.
+        welcome_unconnected: "Use `help` for help or `login` to log in."
+        # Optional extra text sent when joining a management room.
+        additional_help: ""
+
+    # End-to-bridge encryption support options.
+    #
+    # See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info.
+    encryption:
+        # Allow encryption, work in group chat rooms with e2ee enabled
+        allow: false
+        # Default to encryption, force-enable encryption in all portals the bridge creates
+        # This will cause the bridge bot to be in private chats for the encryption to work properly.
+        # It is recommended to also set private_chat_portal_meta to true when using this.
+        default: false
+        # Options for automatic key sharing.
+        key_sharing:
+            # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
+            # You must use a client that supports requesting keys from other users to use this feature.
+            allow: false
+            # Require the requesting device to have a valid cross-signing signature?
+            # This doesn't require that the bridge has verified the device, only that the user has verified it.
+            # Not yet implemented.
+            require_cross_signing: false
+            # Require devices to be verified by the bridge?
+            # Verification by the bridge is not yet implemented.
+            require_verification: true
+
    # Permissions for using the bridge.
    # Permitted values:
+    #    relay - Talk through the relaybot (if enabled), no access otherwise
    #     user - Access to use the bridge to chat with a WhatsApp account.
    #    admin - User level and some additional administration tools
    # Permitted keys:
@ -133,15 +188,13 @@ bridge:
    permissions:
        "{{ matrix_mautrix_whatsapp_homeserver_domain }}": user

-    relaybot:
-        # Whether or not relaybot support is enabled.
+    # Settings for relay mode
+    relay:
+        # Whether relay mode should be allowed. If allowed, `!wa set-relay` can be used to turn any
+        # authenticated user into a relaybot for that chat.
        enabled: false
-        # The management room for the bot. This is where all status notifications are posted and
-        # in this room, you can use `!wa <command>` instead of `!wa relaybot <command>`. Omitting
-        # the command prefix completely like in user management rooms is not possible.
-        management: '!foo:example.com'
-        # List of users to invite to all created rooms that include the relaybot.
-        invites: []
+        # Should only admins be allowed to set themselves as relay users?
+        admin_only: true
        # The formats to use when sending messages to WhatsApp via the relaybot.
        message_formats:
            m.text: "<b>{{ '{{ .Sender.Displayname }}' }}</b>: {{ '{{ .Message }}' }}"
@ -152,6 +205,7 @@ bridge:
            m.audio: "<b>{{ '{{ .Sender.Displayname }}' }}</b>: sent an audio file"
            m.video: "<b>{{ '{{ .Sender.Displayname }}' }}</b>: sent a video"
            m.location: "<b>{{ '{{ .Sender.Displayname }}' }}</b>: sent a location"
+
 # Logging config.
 logging:
    # The directory for log files. Will be created if not found.
--- a/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml
+++ b/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml
@ -27,6 +27,8 @@ matrix_mx_puppet_discord_homeserver_address: "{{ matrix_homeserver_container_url
 matrix_mx_puppet_discord_homeserver_domain: '{{ matrix_domain }}'
 matrix_mx_puppet_discord_appservice_address: 'http://matrix-mx-puppet-discord:{{ matrix_mx_puppet_discord_appservice_port }}'

+matrix_mx_puppet_discord_bridge_mediaUrl: "https:/{{ matrix_server_fqn_matrix }}"
+
 # "@user:server.com" to allow specific user
 # "@.*:yourserver.com" to allow users on a specific homeserver
 # "@.*" to allow anyone
--- a/roles/matrix-bridge-mx-puppet-discord/tasks/setup_uninstall.yml
+++ b/roles/matrix-bridge-mx-puppet-discord/tasks/setup_uninstall.yml
@ -9,6 +9,7 @@
  service:
    name: matrix-mx-puppet-discord
    state: stopped
+    enabled: no
    daemon_reload: yes
  when: "matrix_mx_puppet_discord_service_stat.stat.exists"

--- a/roles/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2
+++ b/roles/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2
@ -9,17 +9,17 @@ bridge:
  domain: {{ matrix_mx_puppet_discord_homeserver_domain }}
  # Reachable URL of the Matrix homeserver
  homeserverUrl: {{ matrix_mx_puppet_discord_homeserver_address }}
+  # Optionally specify a different media URL used for the media store
+  #
+  # This is where Discord will download user profile pictures and media
+  # from
+  mediaUrl: {{ matrix_mx_puppet_discord_bridge_mediaUrl }}
  {% if matrix_mx_puppet_discord_login_shared_secret != '' %}
  loginSharedSecretMap:
    {{ matrix_domain }}: {{ matrix_mx_puppet_discord_login_shared_secret }}
  {% endif %}
  # Display name of the bridge bot
  displayname: Discord Puppet Bridge
-  # Optionally specify a different media URL used for the media store
-  #
-  # This is where Discord will download user profile pictures and media
-  # from
-  #mediaUrl: https://external-url.org

 presence:
  # Bridge Discord online/offline status
--- a/roles/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml
+++ b/roles/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml
@ -31,6 +31,7 @@
  service:
    name: matrix-mx-puppet-groupme
    state: stopped
+    enabled: no
    daemon_reload: yes
  failed_when: false
  when: "matrix_mx_puppet_groupme_stat_database.stat.exists"
--- a/roles/matrix-bridge-mx-puppet-groupme/tasks/setup_uninstall.yml
+++ b/roles/matrix-bridge-mx-puppet-groupme/tasks/setup_uninstall.yml
@ -9,6 +9,7 @@
  service:
    name: matrix-mx-puppet-groupme
    state: stopped
+    enabled: no
    daemon_reload: yes
  when: "matrix_mx_puppet_groupme_service_stat.stat.exists"

--- a/roles/matrix-bridge-mx-puppet-instagram/tasks/setup_uninstall.yml
+++ b/roles/matrix-bridge-mx-puppet-instagram/tasks/setup_uninstall.yml
@ -9,6 +9,7 @@
  service:
    name: matrix-mx-puppet-instagram
    state: stopped
+    enabled: no
    daemon_reload: yes
  when: "matrix_mx_puppet_instagram_service_stat.stat.exists"

--- a/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml
+++ b/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml
@ -31,6 +31,7 @@
  service:
    name: matrix-mx-puppet-skype
    state: stopped
+    enabled: no
    daemon_reload: yes
  failed_when: false
  when: "matrix_mx_puppet_skype_stat_database.stat.exists"
--- a/roles/matrix-bridge-mx-puppet-skype/tasks/setup_uninstall.yml
+++ b/roles/matrix-bridge-mx-puppet-skype/tasks/setup_uninstall.yml
@ -9,6 +9,7 @@
  service:
    name: matrix-mx-puppet-skype
    state: stopped
+    enabled: no
    daemon_reload: yes
  when: "matrix_mx_puppet_skype_service_stat.stat.exists"

--- a/roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml
+++ b/roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml
@ -31,6 +31,7 @@
  service:
    name: matrix-mx-puppet-slack
    state: stopped
+    enabled: no
    daemon_reload: yes
  failed_when: false
  when: "matrix_mx_puppet_slack_stat_database.stat.exists"
--- a/roles/matrix-bridge-mx-puppet-slack/tasks/setup_uninstall.yml
+++ b/roles/matrix-bridge-mx-puppet-slack/tasks/setup_uninstall.yml
@ -9,6 +9,7 @@
  service:
    name: matrix-mx-puppet-slack
    state: stopped
+    enabled: no
    daemon_reload: yes
  when: "matrix_mx_puppet_slack_service_stat.stat.exists"

--- a/roles/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml
+++ b/roles/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml
@ -31,6 +31,7 @@
  service:
    name: matrix-mx-puppet-steam
    state: stopped
+    enabled: no
    daemon_reload: yes
  failed_when: false
  when: "matrix_mx_puppet_steam_stat_database.stat.exists"
--- a/roles/matrix-bridge-mx-puppet-steam/tasks/setup_uninstall.yml
+++ b/roles/matrix-bridge-mx-puppet-steam/tasks/setup_uninstall.yml
@ -9,6 +9,7 @@
  service:
    name: matrix-mx-puppet-steam
    state: stopped
+    enabled: no
    daemon_reload: yes
  when: "matrix_mx_puppet_steam_service_stat.stat.exists"

--- a/roles/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml
+++ b/roles/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml
@ -31,6 +31,7 @@
  service:
    name: matrix-mx-puppet-twitter
    state: stopped
+    enabled: no
    daemon_reload: yes
  failed_when: false
  when: "matrix_mx_puppet_twitter_stat_database.stat.exists"
--- a/roles/matrix-bridge-mx-puppet-twitter/tasks/setup_uninstall.yml
+++ b/roles/matrix-bridge-mx-puppet-twitter/tasks/setup_uninstall.yml
@ -9,6 +9,7 @@
  service:
    name: matrix-mx-puppet-twitter
    state: stopped
+    enabled: no
    daemon_reload: yes
  when: "matrix_mx_puppet_twitter_service_stat.stat.exists"

--- a/roles/matrix-bridge-sms/defaults/main.yml
+++ b/roles/matrix-bridge-sms/defaults/main.yml
@ -26,7 +26,7 @@ matrix_sms_bridge_systemd_wanted_services_list: []

 matrix_sms_bridge_appservice_url: 'http://matrix-sms-bridge:8080'
 matrix_sms_bridge_homeserver_hostname: 'matrix-synapse'
-matrix_sms_bridge_homeserver_port: '8008'
+matrix_sms_bridge_homeserver_port: ""

 matrix_sms_bridge_homserver_domain: "{{ matrix_domain }}"
 matrix_sms_bridge_default_room: ''
--- a/roles/matrix-bridge-sms/tasks/setup_uninstall.yml
+++ b/roles/matrix-bridge-sms/tasks/setup_uninstall.yml
@ -9,6 +9,7 @@
  service:
    name: matrix-sms-bridge
    state: stopped
+    enabled: no
    daemon_reload: yes
  when: "matrix_sms_bridge_service_stat.stat.exists"

@ -16,4 +17,4 @@
  file:
    path: "{{ matrix_systemd_path }}/matrix-sms-bridge.service"
    state: absent
-  when: "matrix_sms_bridge_service_stat.stat.exists"
+  when: "matrix_sms_bridge_service_stat.stat.exists"
--- a/roles/matrix-bridge-sms/tasks/validate_config.yml
+++ b/roles/matrix-bridge-sms/tasks/validate_config.yml
@ -7,6 +7,7 @@
  when: "vars[item] == ''"
  with_items:
    - "matrix_sms_bridge_appservice_token"
+    - "matrix_sms_bridge_homeserver_port"
    - "matrix_sms_bridge_homeserver_token"
    - "matrix_sms_bridge_default_region"
    - "matrix_sms_bridge_default_timezone"
--- a/roles/matrix-client-element/defaults/main.yml
+++ b/roles/matrix-client-element/defaults/main.yml
@ -2,8 +2,12 @@ matrix_client_element_enabled: true

 matrix_client_element_container_image_self_build: false
 matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git"
+# Controls whether to patch webpack.config.js when self-building, so that building can pass on low-memory systems (< 4 GB RAM):
+# - https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1357
+# - https://github.com/vector-im/element-web/issues/19544
+matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}"

-matrix_client_element_version: v1.9.3
+matrix_client_element_version: v1.9.7
 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}"
 matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}"
 matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}"
--- a/roles/matrix-client-element/tasks/main.yml
+++ b/roles/matrix-client-element/tasks/main.yml
@ -20,8 +20,14 @@
    - setup-all
    - setup-client-element

- import_tasks: "{{ role_path }}/tasks/setup.yml"
-  when: run_setup|bool
+- import_tasks: "{{ role_path }}/tasks/setup_install.yml"
+  when: "run_setup|bool and matrix_client_element_enabled|bool"
+  tags:
+    - setup-all
+    - setup-client-element
+
+- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
+  when: "run_setup|bool and not matrix_client_element_enabled|bool"
  tags:
    - setup-all
    - setup-client-element
--- a/roles/matrix-client-element/tasks/migrate_riot_web.yml
+++ b/roles/matrix-client-element/tasks/migrate_riot_web.yml
@ -10,6 +10,7 @@
  service:
    name: matrix-riot-web
    state: stopped
+    enabled: no
    daemon_reload: yes
  register: stopping_result
  when: "matrix_client_element_enabled|bool and matrix_client_riot_web_service_stat.stat.exists"
--- a/roles/matrix-client-element/tasks/setup_install.yml
+++ b/roles/matrix-client-element/tasks/setup_install.yml
@ -1,9 +1,5 @@
 ---

-#
-# Tasks related to setting up Element
-#
-
 - name: Ensure Element paths exists
  file:
    path: "{{ item.path }}"
@ -14,7 +10,7 @@
  with_items:
    - { path: "{{ matrix_client_element_data_path }}", when: true }
    - { path: "{{ matrix_client_element_docker_src_files_path }}", when: "{{ matrix_client_element_container_image_self_build }}" }
-  when: matrix_client_element_enabled|bool and item.when
+  when: "item.when|bool"

 - name: Ensure Element Docker image is pulled
  docker_image:
@ -22,7 +18,7 @@
    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
    force_source: "{{ matrix_client_element_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_client_element_docker_image_force_pull }}"
-  when: matrix_client_element_enabled|bool and not matrix_client_element_container_image_self_build
+  when: "not matrix_client_element_container_image_self_build|bool"

 - name: Ensure Element repository is present on self-build
  git:
@ -31,7 +27,21 @@
    version: "{{ matrix_client_element_docker_image.split(':')[1] }}"
    force: "yes"
  register: matrix_client_element_git_pull_results
-  when: "matrix_client_element_enabled|bool and matrix_client_element_container_image_self_build|bool"
+  when: "matrix_client_element_container_image_self_build|bool"
+
+# See:
+# - https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1357
+# - https://github.com/vector-im/element-web/issues/19544
+- name: Patch webpack.config.js to support building on low-memory (<4G RAM) devices
+  lineinfile:
+    path: "{{ matrix_client_element_docker_src_files_path }}/webpack.config.js"
+    regexp: '(\s+)splitChunks: \{'
+    line: '\1splitChunks: { maxSize: 100000,'
+    backrefs: yes
+    owner: root
+    group: root
+    mode: '0644'
+  when: "matrix_client_element_container_image_self_build|bool and matrix_client_element_container_image_self_build_low_memory_system_patch_enabled|bool"

 - name: Ensure Element Docker image is built
  docker_image:
@ -43,7 +53,7 @@
      dockerfile: Dockerfile
      path: "{{ matrix_client_element_docker_src_files_path }}"
      pull: yes
-  when: "matrix_client_element_enabled|bool and matrix_client_element_container_image_self_build|bool"
+  when: "matrix_client_element_container_image_self_build|bool"

 - name: Ensure Element configuration installed
  copy:
@ -52,7 +62,6 @@
    mode: 0644
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_groupname }}"
-  when: matrix_client_element_enabled|bool

 - name: Ensure Element config files installed
  template:
@ -65,7 +74,7 @@
    - {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"}
    - {src: "{{ matrix_client_element_page_template_welcome_path }}", name: "welcome.html"}
    - {src: "{{ matrix_client_element_embedded_pages_home_path }}", name: "home.html"}
-  when: "matrix_client_element_enabled|bool and item.src is not none"
+  when: "item.src is not none"

 - name: Ensure Element config files removed
  file:
@ -73,7 +82,7 @@
    state: absent
  with_items:
    - {src: "{{ matrix_client_element_embedded_pages_home_path }}", name: "home.html"}
-  when: "matrix_client_element_enabled|bool and item.src is none"
+  when: "item.src is none"

 - name: Ensure matrix-client-element.service installed
  template:
@ -81,50 +90,8 @@
    dest: "{{ matrix_systemd_path }}/matrix-client-element.service"
    mode: 0644
  register: matrix_client_element_systemd_service_result
-  when: matrix_client_element_enabled|bool

 - name: Ensure systemd reloaded after matrix-client-element.service installation
  service:
    daemon_reload: yes
-  when: "matrix_client_element_enabled and matrix_client_element_systemd_service_result.changed"
-
-#
-# Tasks related to getting rid of Element (if it was previously enabled)
-#
-
- name: Check existence of matrix-client-element.service
-  stat:
-    path: "{{ matrix_systemd_path }}/matrix-client-element.service"
-  register: matrix_client_element_service_stat
-  when: "not matrix_client_element_enabled|bool"
-
- name: Ensure matrix-client-element is stopped
-  service:
-    name: matrix-client-element
-    state: stopped
-    daemon_reload: yes
-  register: stopping_result
-  when: "not matrix_client_element_enabled|bool and matrix_client_element_service_stat.stat.exists"
-
- name: Ensure matrix-client-element.service doesn't exist
-  file:
-    path: "{{ matrix_systemd_path }}/matrix-client-element.service"
-    state: absent
-  when: "not matrix_client_element_enabled|bool and matrix_client_element_service_stat.stat.exists"
-
- name: Ensure systemd reloaded after matrix-client-element.service removal
-  service:
-    daemon_reload: yes
-  when: "not matrix_client_element_enabled|bool and matrix_client_element_service_stat.stat.exists"
-
- name: Ensure Element paths doesn't exist
-  file:
-    path: "{{ matrix_client_element_data_path }}"
-    state: absent
-  when: "not matrix_client_element_enabled|bool"
-
- name: Ensure Element Docker image doesn't exist
-  docker_image:
-    name: "{{ matrix_client_element_docker_image }}"
-    state: absent
-  when: "not matrix_client_element_enabled|bool"
+  when: "matrix_client_element_systemd_service_result.changed|bool"
--- a/roles/matrix-client-element/tasks/setup_uninstall.yml
+++ b/roles/matrix-client-element/tasks/setup_uninstall.yml
@ -0,0 +1,36 @@
+---
+
+- name: Check existence of matrix-client-element.service
+  stat:
+    path: "{{ matrix_systemd_path }}/matrix-client-element.service"
+  register: matrix_client_element_service_stat
+
+- name: Ensure matrix-client-element is stopped
+  service:
+    name: matrix-client-element
+    state: stopped
+    enabled: no
+    daemon_reload: yes
+  register: stopping_result
+  when: "matrix_client_element_service_stat.stat.exists|bool"
+
+- name: Ensure matrix-client-element.service doesn't exist
+  file:
+    path: "{{ matrix_systemd_path }}/matrix-client-element.service"
+    state: absent
+  when: "matrix_client_element_service_stat.stat.exists|bool"
+
+- name: Ensure systemd reloaded after matrix-client-element.service removal
+  service:
+    daemon_reload: yes
+  when: "matrix_client_element_service_stat.stat.exists|bool"
+
+- name: Ensure Element paths doesn't exist
+  file:
+    path: "{{ matrix_client_element_data_path }}"
+    state: absent
+
+- name: Ensure Element Docker image doesn't exist
+  docker_image:
+    name: "{{ matrix_client_element_docker_image }}"
+    state: absent
--- a/roles/matrix-client-hydrogen/defaults/main.yml
+++ b/roles/matrix-client-hydrogen/defaults/main.yml
@ -5,7 +5,7 @@ matrix_client_hydrogen_enabled: true
 matrix_client_hydrogen_container_image_self_build: true
 matrix_client_hydrogen_container_image_self_build_repo: "https://github.com/vector-im/hydrogen-web.git"

-matrix_client_hydrogen_version: v0.2.7
+matrix_client_hydrogen_version: v0.2.19
 matrix_client_hydrogen_docker_image: "{{ matrix_client_hydrogen_docker_image_name_prefix }}vectorim/hydrogen-web:{{ matrix_client_hydrogen_version }}"
 matrix_client_hydrogen_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_hydrogen_container_image_self_build }}"
 matrix_client_hydrogen_docker_image_force_pull: "{{ matrix_client_hydrogen_docker_image.endswith(':latest') }}"
--- a/roles/matrix-client-hydrogen/tasks/main.yml
+++ b/roles/matrix-client-hydrogen/tasks/main.yml
@ -8,8 +8,14 @@
    - setup-all
    - setup-client-hydrogen

- import_tasks: "{{ role_path }}/tasks/setup.yml"
-  when: run_setup|bool
+- import_tasks: "{{ role_path }}/tasks/setup_install.yml"
+  when: "run_setup|bool and matrix_client_hydrogen_enabled|bool"
+  tags:
+    - setup-all
+    - setup-client-hydrogen
+
+- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
+  when: "run_setup|bool and not matrix_client_hydrogen_enabled|bool"
  tags:
    - setup-all
    - setup-client-hydrogen
--- a/roles/matrix-client-hydrogen/tasks/setup_install.yml
+++ b/roles/matrix-client-hydrogen/tasks/setup_install.yml
@ -1,9 +1,5 @@
 ---

-#
-# Tasks related to setting up Hydrogen
-#
-
 - name: Ensure Hydrogen paths exists
  file:
    path: "{{ item.path }}"
@ -14,7 +10,7 @@
  with_items:
    - { path: "{{ matrix_client_hydrogen_data_path }}", when: true }
    - { path: "{{ matrix_client_hydrogen_docker_src_files_path }}", when: "{{ matrix_client_hydrogen_container_image_self_build }}" }
-  when: matrix_client_hydrogen_enabled|bool and item.when
+  when: "item.when|bool"

 - name: Ensure Hydrogen Docker image is pulled
  docker_image:
@ -22,7 +18,7 @@
   source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
   force_source: "{{ matrix_client_hydrogen_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
   force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_client_hydrogen_docker_image_force_pull }}"
-  when: matrix_client_hydrogen_enabled|bool and not matrix_client_hydrogen_container_image_self_build
+  when: "not matrix_client_hydrogen_container_image_self_build|bool"

 - name: Ensure Hydrogen repository is present on self-build
  git:
@ -31,7 +27,7 @@
    version: "{{ matrix_client_hydrogen_docker_image.split(':')[1] }}"
    force: "yes"
  register: matrix_client_hydrogen_git_pull_results
-  when: "matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_container_image_self_build|bool"
+  when: "matrix_client_hydrogen_container_image_self_build|bool"

 - name: Ensure Hydrogen configuration installed
  copy:
@ -40,7 +36,7 @@
    mode: 0644
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_groupname }}"
-  when: "matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_container_image_self_build|bool"
+  when: "matrix_client_hydrogen_container_image_self_build|bool"

 - name: Ensure Hydrogen additional config files installed
  template:
@ -51,7 +47,7 @@
    group: "{{ matrix_user_groupname }}"
  with_items:
    - {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"}
-  when: "matrix_client_hydrogen_enabled|bool and item.src is not none"
+  when: "item.src is not none"

 # This step MUST come after the steps to install the configuration files because the config files
 # are currently only read at build time, not at run time like most other components in the playbook
@ -64,7 +60,7 @@
      dockerfile: Dockerfile
      path: "{{ matrix_client_hydrogen_docker_src_files_path }}"
      pull: yes
-  when: "matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_container_image_self_build|bool"
+  when: "matrix_client_hydrogen_container_image_self_build|bool"

 - name: Ensure matrix-client-hydrogen.service installed
  template:
@ -72,50 +68,8 @@
    dest: "{{ matrix_systemd_path }}/matrix-client-hydrogen.service"
    mode: 0644
  register: matrix_client_hydrogen_systemd_service_result
-  when: matrix_client_hydrogen_enabled|bool

 - name: Ensure systemd reloaded after matrix-client-hydrogen.service installation
  service:
    daemon_reload: yes
-  when: "matrix_client_hydrogen_enabled and matrix_client_hydrogen_systemd_service_result.changed"
-
-#
-# Tasks related to getting rid of Hydrogen (if it was previously enabled)
-#
-
- name: Check existence of matrix-client-hydrogen.service
-  stat:
-    path: "{{ matrix_systemd_path }}/matrix-client-hydrogen.service"
-  register: matrix_client_hydrogen_service_stat
-  when: "not matrix_client_hydrogen_enabled|bool"
-
- name: Ensure matrix-client-hydrogen is stopped
-  service:
-    name: matrix-client-hydrogen
-    state: stopped
-    daemon_reload: yes
-  register: stopping_result
-  when: "not matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_service_stat.stat.exists"
-
- name: Ensure matrix-client-hydrogen.service doesn't exist
-  file:
-    path: "{{ matrix_systemd_path }}/matrix-client-hydrogen.service"
-    state: absent
-  when: "not matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_service_stat.stat.exists"
-
- name: Ensure systemd reloaded after matrix-client-hydrogen.service removal
-  service:
-    daemon_reload: yes
-  when: "not matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_service_stat.stat.exists"
-
- name: Ensure Hydrogen paths doesn't exist
-  file:
-    path: "{{ matrix_client_hydrogen_data_path }}"
-    state: absent
-  when: "not matrix_client_hydrogen_enabled|bool"
-
- name: Ensure Hydrogen Docker image doesn't exist
-  docker_image:
-    name: "{{ matrix_client_hydrogen_docker_image }}"
-    state: absent
-  when: "not matrix_client_hydrogen_enabled|bool"
+  when: "matrix_client_hydrogen_systemd_service_result.changed|bool"
--- a/roles/matrix-client-hydrogen/tasks/setup_uninstall.yml
+++ b/roles/matrix-client-hydrogen/tasks/setup_uninstall.yml
@ -0,0 +1,36 @@
+---
+
+- name: Check existence of matrix-client-hydrogen.service
+  stat:
+    path: "{{ matrix_systemd_path }}/matrix-client-hydrogen.service"
+  register: matrix_client_hydrogen_service_stat
+
+- name: Ensure matrix-client-hydrogen is stopped
+  service:
+    name: matrix-client-hydrogen
+    state: stopped
+    enabled: no
+    daemon_reload: yes
+  register: stopping_result
+  when: "matrix_client_hydrogen_service_stat.stat.exists|bool"
+
+- name: Ensure matrix-client-hydrogen.service doesn't exist
+  file:
+    path: "{{ matrix_systemd_path }}/matrix-client-hydrogen.service"
+    state: absent
+  when: "matrix_client_hydrogen_service_stat.stat.exists|bool"
+
+- name: Ensure systemd reloaded after matrix-client-hydrogen.service removal
+  service:
+    daemon_reload: yes
+  when: "matrix_client_hydrogen_service_stat.stat.exists|bool"
+
+- name: Ensure Hydrogen paths doesn't exist
+  file:
+    path: "{{ matrix_client_hydrogen_data_path }}"
+    state: absent
+
+- name: Ensure Hydrogen Docker image doesn't exist
+  docker_image:
+    name: "{{ matrix_client_hydrogen_docker_image }}"
+    state: absent
--- a/roles/matrix-common-after/tasks/awx_post.yml
+++ b/roles/matrix-common-after/tasks/awx_post.yml
@ -1,8 +1,8 @@
 ---

- name: Create user account @janitor
+- name: Create user account @_janitor
  command: |
-    /usr/local/bin/matrix-synapse-register-user janitor {{ awx_janitor_user_password | quote }} 1
+    /usr/local/bin/matrix-synapse-register-user _janitor {{ awx_janitor_user_password | quote }} 1
  register: cmd
  when: not awx_janitor_user_created|bool
  no_log: True
@ -18,9 +18,9 @@
    'awx_janitor_user_created': 'true'
  when: not awx_janitor_user_created|bool

- name: Create user account @dimension
+- name: Create user account @_dimension
  command: |
-    /usr/local/bin/matrix-synapse-register-user dimension {{ awx_dimension_user_password | quote }} 0
+    /usr/local/bin/matrix-synapse-register-user _dimension {{ awx_dimension_user_password | quote }} 0
  register: cmd
  when: not awx_dimension_user_created|bool
  no_log: True
@ -36,9 +36,9 @@
    'awx_dimension_user_created': 'true'
  when: not awx_dimension_user_created|bool

- name: Create user account @mjolnir
+- name: Create user account @_mjolnir
  command: |
-    /usr/local/bin/matrix-synapse-register-user mjolnir {{ awx_mjolnir_user_password | quote }} 0
+    /usr/local/bin/matrix-synapse-register-user _mjolnir {{ awx_mjolnir_user_password | quote }} 0
  register: cmd
  when: not awx_mjolnir_user_created|bool
  no_log: True
--- a/roles/matrix-corporal/defaults/main.yml
+++ b/roles/matrix-corporal/defaults/main.yml
@ -22,7 +22,7 @@ matrix_corporal_container_extra_arguments: []
 # List of systemd services that matrix-corporal.service depends on
 matrix_corporal_systemd_required_services_list: ['docker.service']

-matrix_corporal_version: 2.1.2
+matrix_corporal_version: 2.2.2
 matrix_corporal_docker_image: "{{ matrix_corporal_docker_image_name_prefix }}devture/matrix-corporal:{{ matrix_corporal_docker_image_tag }}"
 matrix_corporal_docker_image_name_prefix: "{{ 'localhost/' if matrix_corporal_container_image_self_build else matrix_container_global_registry_prefix }}"
 matrix_corporal_docker_image_tag: "{{ matrix_corporal_version }}" # for backward-compatibility
@ -36,7 +36,7 @@ matrix_corporal_var_dir_path: "{{ matrix_corporal_base_path }}/var"

 matrix_corporal_matrix_homeserver_domain_name: "{{ matrix_domain }}"

-# Controls where matrix-corporal can reach your Synapse server (e.g. "http://matrix-synapse:8008").
+# Controls where matrix-corporal can reach your Synapse server (e.g. "http://matrix-synapse:{{ matrix_synapse_container_client_api_port }}").
 # If Synapse runs on the same machine, you may need to add its service to `matrix_corporal_systemd_required_services_list`.
 matrix_corporal_matrix_homeserver_api_endpoint: ""

--- a/roles/matrix-corporal/tasks/setup_corporal.yml
+++ b/roles/matrix-corporal/tasks/setup_corporal.yml
@ -83,6 +83,7 @@
  service:
    name: matrix-corporal
    state: stopped
+    enabled: no
    daemon_reload: yes
  register: stopping_result
  when: "not matrix_corporal_enabled|bool and matrix_corporal_service_stat.stat.exists"
--- a/roles/matrix-coturn/defaults/main.yml
+++ b/roles/matrix-coturn/defaults/main.yml
@ -5,7 +5,7 @@ matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn
 matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_version }}"
 matrix_coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile"

-matrix_coturn_version: 4.5.2-r4
+matrix_coturn_version: 4.5.2-r8
 matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}coturn/coturn:{{ matrix_coturn_version }}-alpine"
 matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else matrix_container_global_registry_prefix }}"
 matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}"
--- a/roles/matrix-coturn/tasks/setup_uninstall.yml
+++ b/roles/matrix-coturn/tasks/setup_uninstall.yml
@ -10,6 +10,7 @@
  service:
    name: matrix-coturn
    state: stopped
+    enabled: no
    daemon_reload: yes
  when: "matrix_coturn_service_stat.stat.exists|bool"

@ -17,6 +18,7 @@
  service:
    name: matrix-coturn
    state: stopped
+    enabled: no
    daemon_reload: yes
  failed_when: false
  when: "matrix_coturn_service_stat.stat.exists|bool"
--- a/roles/matrix-dimension/defaults/main.yml
+++ b/roles/matrix-dimension/defaults/main.yml
@ -10,10 +10,16 @@ matrix_dimension_admins: []
 # Whether to allow Dimension widgets serve websites with invalid or self signed SSL certificates
 matrix_dimension_widgets_allow_self_signed_ssl_certificates: false

+matrix_dimension_container_image_self_build: false
+matrix_dimension_container_image_self_build_repo: "https://github.com/turt2live/matrix-dimension.git"
+matrix_dimension_container_image_self_build_branch: master
+
 matrix_dimension_base_path: "{{ matrix_base_data_path }}/dimension"
+matrix_dimension_docker_src_files_path: "{{ matrix_base_data_path }}/docker-src/dimension"

 matrix_dimension_version: latest
-matrix_dimension_docker_image: "{{ matrix_container_global_registry_prefix }}turt2live/matrix-dimension:{{ matrix_dimension_version }}"
+matrix_dimension_docker_image: "{{ matrix_dimension_docker_image_name_prefix }}turt2live/matrix-dimension:{{ matrix_dimension_version }}"
+matrix_dimension_docker_image_name_prefix: "{{ 'localhost/' if matrix_dimension_container_image_self_build else matrix_container_global_registry_prefix }}"
 matrix_dimension_docker_image_force_pull: "{{ matrix_dimension_docker_image.endswith(':latest') }}"

 # List of systemd services that matrix-dimension.service depends on.
@ -39,7 +45,7 @@ matrix_dimension_integrations_rest_url: "https://{{ matrix_server_fqn_dimension
 matrix_dimension_integrations_widgets_urls: ["https://{{ matrix_server_fqn_dimension }}/widgets"]
 matrix_dimension_integrations_jitsi_widget_url: "https://{{ matrix_server_fqn_dimension }}/widgets/jitsi"

-matrix_dimension_homeserver_federationUrl: "http://matrix-synapse:8048"
+matrix_dimension_homeserver_federationUrl: ""


 # Database-related configuration fields.
@ -48,7 +54,7 @@ matrix_dimension_homeserver_federationUrl: "http://matrix-synapse:8048"
 #
 # To use Postgres:
 # - change the engine (`matrix_dimension_database_engine: 'postgres'`)
-# - adjust your database credentials via the `matrix_dimension_postgres_*` variables
+# - adjust your database credentials via the `matrix_dimension_database_*` variables
 matrix_dimension_database_engine: 'sqlite'

 matrix_dimension_sqlite_database_path_local: "{{ matrix_dimension_base_path }}/dimension.db"
--- a/roles/matrix-dimension/tasks/setup_install.yml
+++ b/roles/matrix-dimension/tasks/setup_install.yml
@ -90,6 +90,29 @@
    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
    force_source: "{{ matrix_dimension_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_dimension_docker_image_force_pull }}"
+  when: "not matrix_dimension_container_image_self_build|bool"
+  register: matrix_dimension_pull_results
+
+- name: Ensure dimension repository is present on self-build
+  git:
+    repo: "{{ matrix_dimension_container_image_self_build_repo }}"
+    dest: "{{ matrix_dimension_docker_src_files_path }}"
+    version: "{{ matrix_dimension_container_image_self_build_branch }}"
+    force: "yes"
+  when: "matrix_dimension_container_image_self_build|bool"
+  register: matrix_dimension_git_pull_results
+
+- name: Ensure Dimension Docker image is built
+  docker_image:
+    name: "{{ matrix_dimension_docker_image }}"
+    source: build
+    force_source: "{{ matrix_dimension_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_dimension_git_pull_results.changed }}"
+    build:
+      dockerfile: Dockerfile
+      path: "{{ matrix_dimension_docker_src_files_path }}"
+      pull: yes
+  when: "matrix_dimension_container_image_self_build|bool"

 - name: Ensure matrix-dimension.service installed
  template:
--- a/Show More
+++ b/Show More