Commit Graph

6233 Commits

Author SHA1 Message Date
Slavi Pantaleev 94d8e28306 Support readonly datastores for matrix-media-repo
The configuration template only rendered a datastore when its for_kinds
list was non-empty, even though the inline documentation (matching
upstream's) describes forKinds: [] as the way to make a datastore
readonly. That made the documented migration scenario impossible: moving
media between the file and s3 datastores while keeping the old one
readable.

Introduce matrix_media_repo_datastore_file_enabled and
matrix_media_repo_datastore_s3_enabled, which default to the previous
kinds-based behavior. A readonly datastore is now expressed by enabling
the datastore explicitly while assigning it no kinds.

Fixes #4303

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-13 21:17:09 +03:00
Slavi Pantaleev 6b4b7647e4 Fix synapse-usage-exporter self-build failing on git ownership checks
synapse-usage-exporter is self-built by default (no upstream image is
published), so every user enabling it runs the git clone/update task. A
docker-src checkout whose files are owned by a different user (e.g. left
behind by an earlier clone) made that task fail: either with a
permission error, or with git's dubious-ownership protection, which
ignores the repository's own configuration and surfaces as a confusing
"'origin' does not appear to be a git repository" error.

Ensure the checkout's ownership recursively before updating it, and mark
the path as a safe.directory for the git invocation itself (via
GIT_CONFIG_* environment variables), so the ownership check cannot
misfire regardless of which user git effectively runs as.

Fixes #5065

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-13 19:25:34 +03:00
Slavi Pantaleev 2d436491c6 Escape mautrix-meta username prefix in registration regexes
The user-namespace regexes in the mautrix-meta-messenger and
mautrix-meta-instagram registration templates interpolated
the bridge username prefix without regex-escaping it, unlike the
neighboring homeserver domain and appservice username values. The
default prefixes are regex-safe, but a customized prefix containing
regex metacharacters would produce a wrong (too broad or invalid)
appservice user namespace.

Related to the registration regex discussion in #5096.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-13 16:34:31 +03:00
Slavi Pantaleev 8b9fe4ce37 Make Element welcome page text readable on the dark theme
The playbook-shipped welcome.html hardcoded #2e2f32 for the headline and
welcome text, which is nearly invisible on the dark background Element
renders when the dark theme is active. Element Web's default
use_system_theme behavior keys the theme off the system color scheme, so
switch the text to Element's dark-theme text color (#ebeef2) under a
prefers-color-scheme: dark media query.

Fixes #4838

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-13 16:33:55 +03:00
Slavi Pantaleev a4915c0b9e Remove never-implemented appservice-discord self-build variable
matrix_appservice_discord_container_image_self_build only switched the
image registry prefix to localhost/, but the role never had any build
tasks, so enabling it always ended in an image pull failure. Remove the
variable and reject it in validate_config.yml with a hint that the
prebuilt image is amd64-only and that mautrix-discord is the better
option on other architectures.

Fixes #2379

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-13 15:03:51 +03:00
Slavi Pantaleev 44cfd16036 Add index label to Synapse worker Prometheus targets
The upstream Synapse Grafana dashboard uses `{{job}}-{{index}}` in its
legends to tell workers apart, but the worker scrape configs only set
instance, worker_id, job and app labels. Without an index label, the
dashboard legends collapsed and workers could not be distinguished.

Derive the index label from the worker id (its per-type index is the
first number in the id, e.g. federation-sender-1, stream-writer-2-events),
matching the index label already set on the main process target.

Fixes #2158
Fixes #2159

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-13 09:01:00 +03:00
Slavi Pantaleev b32272ef40 Add CORS header to Element's map_style.json for Element Desktop
Element Desktop (Electron) loads the location-sharing map style from a
`vector://vector` origin, so fetching map_style.json from the Element
domain is a cross-origin request. Without an Access-Control-Allow-Origin
header, the request is blocked and maps fail to load with "This homeserver
is not configured correctly to display maps".

Add a dedicated Traefik router for map_style.json that attaches an
Access-Control-Allow-Origin header (configurable via
matrix_client_element_location_sharing_map_style_access_control_allow_origin,
defaulting to `*`). It is only defined when location sharing is enabled.

Fixes #2291

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-13 09:01:00 +03:00
renovate[bot] f8ea906c19 Update forgejo.ellis.link/continuwuation/continuwuity Docker tag to v26.6.2 2026-07-13 07:16:44 +03:00
Slavi Pantaleev 7d2a2c40c9 Add matrix_matrixto_container_labels_watchtower_skip_enabled
Attaches a com.centurylinklabs.watchtower.enable=false label to the
matrix-matrixto container by default, telling Watchtower (if in use)
to skip it. The image is built locally from source, so Watchtower
cannot update it and merely produces 'digest retrieval failed' errors
on every run.

A dedicated variable is used (instead of pre-filling
matrix_matrixto_container_labels_additional_labels) so that people
overriding the additional-labels variable do not lose the label.

Fixes #4820

Based on the report and initial patch in
https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/4821 by @der-domi

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-12 16:37:12 +03:00
renovate[bot] 0f7f60372f Update matrixdotorg/sygnal Docker tag to v0.17.0 (#4794)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-07-12 15:18:56 +03:00
Slavi Pantaleev fc473797cd Disable broken container healthcheck for matrix-sygnal
The sygnal container images (since v0.16.0) hardcode a HEALTHCHECK which
relies on curl, but the image does not include curl, so the healthcheck
can never pass. See https://github.com/element-hq/sygnal/issues/326

This unblocks upgrading sygnal past v0.15.1.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-12 15:17:48 +03:00
Slavi Pantaleev b57ac50c81 Merge pull request #5288 from luixxiul/remove-matrix-bot-matrix-registration-bot
Remove matrix-registration-bot
2026-07-12 14:49:12 +03:00
Slavi Pantaleev 19a775ef7e Upgrade Continuwuity (v0.5.10 -> v26.6.1) and re-sync its config template
This is a major upgrade which performs a one-way database migration
and removes LDAP support upstream.

The continuwuity.toml.j2 template is re-synced with the v26.6.1 example
config. Notably, registration_token is now only rendered when non-empty,
because v26+ refuses to start when it is set to an empty string.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-12 14:43:17 +03:00
renovate[bot] c24bcc8158 Update ghcr.io/matrix-construct/tuwunel Docker tag to v1.8.1 2026-07-11 06:06:34 +03:00
Suguru Hirahara 2c57bd3b90 Update validate_config.yml
Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>
2026-07-10 02:06:27 -04:00
Suguru Hirahara 8f3e76597f Remove roles/custom/matrix-bot-matrix-registration-bot
Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>
2026-07-10 02:05:18 -04:00
renovate[bot] c4012389d4 Update ghcr.io/element-hq/matrix-authentication-service Docker tag to v1.20.0 2026-07-09 20:38:01 +03:00
renovate[bot] 22d6fd0be2 Update docker.io/metio/matrix-alertmanager-receiver Docker tag to v2026.7.8 2026-07-08 14:00:43 +03:00
renovate[bot] 373bf99c86 Update ghcr.io/element-hq/synapse Docker tag to v1.156.0 2026-07-07 21:59:51 +03:00
krassle b463dd02bb [Element] Fix missing background URL on welcome, login & register pages
- Updated `welcome_background_url` to upstream default *lake.jpg* for the official Matrix Client Element.
- Provoked by: [Convert welcome.html to React component](https://github.com/element-hq/element-web/commit/4b4289e211c12ea0ebb885d570cfa6b7c29dac86)
2026-07-07 20:30:23 +03:00
renovate[bot] 044dbc5de5 Update ghcr.io/element-hq/element-web Docker tag to v1.12.23 2026-07-07 20:20:54 +03:00
renovate[bot] d1d116b519 Update ghcr.io/element-hq/element-call Docker tag to v0.21.0 2026-07-07 20:19:59 +03:00
cksit ee1cd217a8 Add Synology DSM support (#5315)
Adds optional support for running the playbook on Synology DSM 7+, detected
automatically via /etc/synoinfo.conf so that non-Synology hosts are unaffected.

Includes DSM-native user/group management (synouser/synogroup), a requests
version constraint for Docker SDK compatibility, and a boot-fix service that
re-shares the volume mount and starts matrix services skipped by DSM's boot
ordering. The shared-mount volume path is configurable via
matrix_base_synology_volume_path, and the make-shared step only runs when the
volume is not already shared.

Co-authored-by: CKSit <sitchiuki@gmail.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-29 19:45:01 +03:00
renovate[bot] b897b45191 Update ghcr.io/element-hq/element-call Docker tag to v0.20.3 2026-06-29 19:26:21 +03:00
renovate[bot] 693fbb08aa Update ghcr.io/etkecc/baibot Docker tag to v1.25.0 2026-06-29 19:26:12 +03:00
Slavi Pantaleev 1789ea2083 mautrix-telegram: stop flagging matrix_mautrix_telegram_scheme as a removed variable
The bridgev2 (Go) rewrite removed matrix_mautrix_telegram_scheme (the old
Python bridge's public web-login endpoint scheme) and added a deprecation
check for it. We later reintroduced a variable of the same name to configure
the bridge's HTTP API exposure address, but the deprecation entry remained.

Because the check matches any defined variable (via ansible.builtin.varnames),
not just user-set ones, it tripped for every install with the Telegram bridge
enabled, even when the user never set it.

Drop the deprecation entry, since the variable is a current one again. The
related (still removed) matrix_mautrix_telegram_hostname and
matrix_mautrix_telegram_path_prefix entries are kept.

Closes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/5368
Regression since d2252db4fe

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-29 19:06:29 +03:00
Slavi Pantaleev 4aca22dd96 matrix-static-files: advertise exposed mautrix bridges via /.well-known/matrix/mautrix
Emit a /.well-known/matrix/mautrix file listing the base URLs of all
enabled and exposed mautrix bridges under the `fi.mau.bridges` property,
so tools like Mautrix Manager (https://github.com/mautrix/manager) can
auto-discover them.

The list is built in group_vars from each bridge's public address and is
gated on the bridge being enabled, the playbook attaching its Traefik
labels, and the exposure router being emitted, so we only advertise URLs
that are actually reachable. The file follows the same auto/custom and
configuration-extension pattern as the other well-known files and is only
written when the list is non-empty.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-29 17:05:55 +03:00
Slavi Pantaleev 2879a01105 mautrix-slack: expose bridge HTTP API (for mautrix-manager and similar)
Unlike the other mautrix bridges, the mautrix-slack role had no Traefik
label infrastructure at all, so this builds the scaffold first (a new
labels.j2, the container_labels_traefik_* vars, the label-file wiring in
the systemd service and setup_install.yml, and the group_vars wiring),
then exposes the bridge's appservice HTTP API under
https://matrix.<domain>/bridges/slack like the other bridges.

The provisioning shared secret was already auto-generated.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-29 09:08:57 +03:00
Slavi Pantaleev 42c173c0b3 mautrix-meta-messenger: expose bridge HTTP API (for mautrix-manager and similar)
Auto-generate the provisioning shared secret (to enable the provisioning
API), route the whole bridge HTTP port via Traefik under
`<matrix-fqn>/bridges/meta-messenger`, and populate
appservice.public_address, reusing the matrix_bridges_exposure_*
mechanism. The labels template gate is widened so the exposure router is
emitted even when metrics are disabled (the exposure router reuses the
existing appservice Traefik service on port 29319).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-28 20:17:47 +03:00
Slavi Pantaleev 20a2395403 mautrix-meta-instagram: expose bridge HTTP API (for mautrix-manager and similar)
Auto-generate the provisioning shared secret (to enable the provisioning
API), route the whole bridge HTTP port via Traefik under
`<matrix-fqn>/bridges/meta-instagram`, and populate
appservice.public_address, reusing the matrix_bridges_exposure_*
mechanism. The labels template gate is widened so the exposure router is
emitted even when metrics are disabled (the exposure router reuses the
existing appservice Traefik service on port 29319).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-28 20:15:57 +03:00
Slavi Pantaleev 1b9b1119a1 mautrix-whatsapp: expose bridge HTTP API (for mautrix-manager and similar)
Auto-generate the provisioning shared secret (to enable the provisioning
API), route the whole mautrix-whatsapp HTTP port via Traefik under
`<matrix-fqn>/bridges/whatsapp`, and populate appservice.public_address,
reusing the matrix_bridges_exposure_* mechanism.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-28 20:11:30 +03:00
Slavi Pantaleev 2d7058fa59 mautrix-bluesky: expose bridge HTTP API (for mautrix-manager and similar)
Route the whole mautrix-bluesky HTTP port via Traefik under
`<matrix-fqn>/bridges/bluesky` and populate the existing
appservice.public_address, reusing the matrix_bridges_exposure_*
mechanism. The provisioning shared secret is already auto-generated in
group_vars, so the provisioning API is enabled.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-28 20:09:43 +03:00
Slavi Pantaleev 44c8736c08 mautrix-twitter: expose bridge HTTP API (for mautrix-manager and similar)
Route the whole mautrix-twitter HTTP port via Traefik under
`<matrix-fqn>/bridges/twitter` and populate the existing
appservice.public_address, reusing the matrix_bridges_exposure_*
mechanism. The provisioning shared secret is already auto-generated in
group_vars, so the provisioning API is enabled.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-28 20:08:11 +03:00
Slavi Pantaleev a50e7960d8 mautrix-signal: expose bridge HTTP API (for mautrix-manager and similar)
Route the whole mautrix-signal HTTP port via Traefik under
`<matrix-fqn>/bridges/signal` and populate appservice.public_address,
reusing the matrix_bridges_exposure_* mechanism. The provisioning shared
secret is already auto-generated in group_vars, so the provisioning API
is enabled.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-28 20:05:18 +03:00
Slavi Pantaleev d2252db4fe mautrix-telegram: expose bridge HTTP API (for mautrix-manager and similar)
Route the whole mautrix-telegram HTTP port via Traefik under
`<matrix-fqn>/bridges/telegram` and populate appservice.public_address,
reusing the matrix_bridges_exposure_* mechanism. The provisioning shared
secret is already auto-generated in group_vars, so the provisioning API
is enabled.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-28 19:56:24 +03:00
Slavi Pantaleev a4ddba3989 mautrix-gmessages: expose bridge HTTP API (for mautrix-manager and similar)
Add a generic mechanism for exposing bridges' HTTP API (the provisioning
API, etc.) publicly on the Matrix domain, so tools like mautrix-manager
(https://github.com/mautrix/manager) can drive bridge login.

- Introduce global matrix_bridges_exposure_* vars (on by default),
  exposing each supported bridge under `<matrix-fqn>/bridges/<bridge>`.
- mautrix-gmessages: make the provisioning shared secret configurable
  (auto-generated in group_vars) so the provisioning API is enabled,
  route the whole bridge HTTP port via Traefik, and populate
  appservice.public_address.

Requests are authenticated by the bridge itself (per-user Matrix access
token for the provisioning API, homeserver token for the appservice
endpoints), not by the reverse proxy.

This is the first bridge converted; the other mautrix bridges will follow.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-28 19:52:24 +03:00
Aine d61979a0b9 baibot: add venice wiring 2026-06-28 19:50:08 +03:00
Slavi Pantaleev e43add179b Add matrix_tuwunel_config_ip_range_denylist (mirrors tuwunel's upstream default)
As of tuwunel v1.8.0, the ip_range_denylist applies to push gateway
delivery as well, so surface it as an Ansible variable using the
default/auto/custom merge pattern. The default mirrors tuwunel's own
upstream denylist (RFC1918, loopback, multicast, and other unroutable
ranges), matching the identical list already used for Synapse's
matrix_synapse_url_preview_ip_range_blacklist.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-27 20:39:16 +03:00
renovate[bot] 129d4e74b4 Update ghcr.io/matrix-construct/tuwunel Docker tag to v1.8.0 2026-06-27 20:17:09 +03:00
renovate[bot] 682eb2c280 Update ghcr.io/etkecc/baibot Docker tag to v1.24.0 2026-06-26 17:30:34 +03:00
Jason LaGuidice 4fae640b6c Add renovate and bump version 2026-06-26 07:05:13 +03:00
renovate[bot] 7bee5f06dc Update oci.element.io/element-admin Docker tag to v0.1.12 2026-06-24 21:44:11 +03:00
renovate[bot] b67f7bd3fe Update docker.io/metio/matrix-alertmanager-receiver Docker tag to v2026.6.24 2026-06-24 16:39:58 +03:00
Slavi Pantaleev 08c733d2e3 matrix-bridge-rustpush: build from upstream's own Dockerfile on self-build
The role shipped its own copy of the bridge's Dockerfile and templated it
over the cloned source before building. That copy had already drifted from
upstream (e.g. missing libheif-plugin-libde265) and required separate
maintenance (Renovate bumping the base image here instead of upstream).

Build from the cloned repo's own Dockerfile instead, matching every other
self-build role (e.g. matrix-bridge-steam). The Dockerfile now tracks the
pinned bridge version automatically.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-24 12:13:04 +03:00
Jason LaGuidice 11cd178cb2 Add matrix-rustpush-bridge (iMessage)
Add the matrix-rustpush-bridge role, a Matrix <-> iMessage bridge built
on the mautrix-go bridgev2 framework using RustPush (OpenBubbles backend).

Unlike the existing mautrix-imessage/wsproxy bridge, it talks directly to
Apple's push notification service, so it needs neither a running Mac nor a
wsproxy on the homeserver. Each user supplies a hardware key extracted from a
Mac through the bridge bot's login flow.

The bridge uses its own bot username and puppet namespace (rustpushbot,
rustpush_*) so it does not collide with the wsproxy iMessage bridge.

This bridge is in early development and may have stability issues.
2026-06-24 11:17:09 +03:00
Aine 6f57ab8ba1 Baibot v1.23.1 <https://github.com/etkecc/baibot/blob/main/CHANGELOG.md#2026-06-24-version-1231> 2026-06-24 07:28:07 +01:00
Slavi Pantaleev 4f00ad9bd4 Add support for additional volumes for the livekit-jwt-service component
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-24 07:38:22 +03:00
Hollie Hutchinson 753f8ca7db Support additional container arguments for matrix-livekit-jwt 2026-06-24 07:36:36 +03:00
renovate[bot] d06094ffc3 Update ghcr.io/element-hq/element-web Docker tag to v1.12.22 2026-06-24 07:31:58 +03:00
renovate[bot] e3b37ac350 Update ghcr.io/etkecc/baibot Docker tag to v1.23.0 (#5353)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-06-23 07:22:40 +01:00