Commit Graph

11600 Commits

Author SHA1 Message Date
Slavi Pantaleev 4d6b68a5da Rename matrix_mautrix_whatsapp_* variables to matrix_bridge_mautrix_whatsapp_*
Part of adopting a uniform naming policy for bridge variables,
where the variable prefix matches the role directory name.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-16 16:12:14 +03:00
Slavi Pantaleev 54020894b4 Rename matrix_mautrix_twitter_* variables to matrix_bridge_mautrix_twitter_*
Part of adopting a uniform naming policy for bridge variables,
where the variable prefix matches the role directory name.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-16 16:12:14 +03:00
Slavi Pantaleev e751673b0d Rename matrix_mautrix_telegram_* variables to matrix_bridge_mautrix_telegram_*
Part of adopting a uniform naming policy for bridge variables,
where the variable prefix matches the role directory name.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-16 16:12:14 +03:00
Slavi Pantaleev ace4edb01b Rename matrix_mautrix_slack_* variables to matrix_bridge_mautrix_slack_*
Part of adopting a uniform naming policy for bridge variables,
where the variable prefix matches the role directory name.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-16 16:12:14 +03:00
Slavi Pantaleev bb225546bd Rename matrix_mautrix_signal_* variables to matrix_bridge_mautrix_signal_*
Part of adopting a uniform naming policy for bridge variables,
where the variable prefix matches the role directory name.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-16 16:12:14 +03:00
Slavi Pantaleev ca301ffde0 Rename matrix_mautrix_meta_messenger_* variables to matrix_bridge_mautrix_meta_messenger_*
Part of adopting a uniform naming policy for bridge variables,
where the variable prefix matches the role directory name.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-16 16:12:14 +03:00
Slavi Pantaleev ba0fd18361 Rename matrix_mautrix_meta_instagram_* variables to matrix_bridge_mautrix_meta_instagram_*
Part of adopting a uniform naming policy for bridge variables,
where the variable prefix matches the role directory name.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-16 16:12:14 +03:00
Slavi Pantaleev 5d19e75236 Rename matrix_mautrix_gvoice_* variables to matrix_bridge_mautrix_gvoice_*
Part of adopting a uniform naming policy for bridge variables,
where the variable prefix matches the role directory name.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-16 16:12:14 +03:00
Slavi Pantaleev b2fb403d31 Rename matrix_mautrix_googlechat_* variables to matrix_bridge_mautrix_googlechat_*
Part of adopting a uniform naming policy for bridge variables,
where the variable prefix matches the role directory name.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-16 16:12:13 +03:00
Slavi Pantaleev 5ff45d47c3 Rename matrix_mautrix_gmessages_* variables to matrix_bridge_mautrix_gmessages_*
Part of adopting a uniform naming policy for bridge variables,
where the variable prefix matches the role directory name.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-16 16:12:13 +03:00
Slavi Pantaleev 2241a2dedb Rename matrix_mautrix_discord_* variables to matrix_bridge_mautrix_discord_*
Part of adopting a uniform naming policy for bridge variables,
where the variable prefix matches the role directory name.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-16 16:12:13 +03:00
Slavi Pantaleev 6768ada899 Rename matrix_mautrix_bluesky_* variables to matrix_bridge_mautrix_bluesky_*
Part of adopting a uniform naming policy for bridge variables,
where the variable prefix matches the role directory name.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-16 16:12:13 +03:00
Slavi Pantaleev 7ccc9c515e Rename matrix_hookshot_* variables to matrix_bridge_hookshot_*
Part of adopting a uniform naming policy for bridge variables,
where the variable prefix matches the role directory name.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-16 16:12:13 +03:00
Slavi Pantaleev 6e4992a2fe Rename matrix_heisenbridge_* variables to matrix_bridge_heisenbridge_*
Part of adopting a uniform naming policy for bridge variables,
where the variable prefix matches the role directory name.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-16 16:12:13 +03:00
Slavi Pantaleev 62b5375815 Rename matrix_beeper_linkedin_* variables to matrix_bridge_beeper_linkedin_*
Part of adopting a uniform naming policy for bridge variables,
where the variable prefix matches the role directory name.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-16 16:12:13 +03:00
Slavi Pantaleev 98269653b2 Rename matrix_appservice_irc_* variables to matrix_bridge_appservice_irc_*
Part of adopting a uniform naming policy for bridge variables,
where the variable prefix matches the role directory name.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-16 16:12:13 +03:00
Slavi Pantaleev dc16f09e78 Rename matrix_appservice_discord_* variables to matrix_bridge_appservice_discord_*
Part of adopting a uniform naming policy for bridge variables,
where the variable prefix matches the role directory name.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-16 16:12:13 +03:00
Slavi Pantaleev d9bee18ddd Rename matrix_mautrix_wsproxy_* variables to matrix_bridge_mautrix_wsproxy_*
Part of adopting a uniform naming policy for bridge variables,
where the variable prefix matches the role directory name.

The companion appservice variables defined by this role are folded
under the role prefix as well: matrix_mautrix_androidsms_* becomes
matrix_bridge_mautrix_wsproxy_androidsms_* and matrix_mautrix_imessage_*
becomes matrix_bridge_mautrix_wsproxy_imessage_*.

matrix_mautrix_signal_wsproxy_syncproxy_connection_string becomes
matrix_bridge_mautrix_wsproxy_syncproxy_connection_string, aligning it
with the sibling matrix_bridge_mautrix_wsproxy_syncproxy_* variables.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-16 16:12:13 +03:00
renovate[bot] c12f5947c9 Update dependency prek to v0.4.10 2026-07-16 14:44:07 +03:00
Slavi Pantaleev 84a0053191 Upgrade ansible-role-backup_borg (v1.4.4-2.1.6-1 -> v1.4.4-2.1.6-2) and wire via _auto variables
The new role version splits backup_borg_location_exclude_patterns into
auto/custom components, following the existing split for
backup_borg_location_source_directories. The playbook now wires its
computed values into the _auto variables for both, so users can append
their own entries via the _custom variables instead of redefining the
whole lists and accidentally dropping playbook-provided values.
Previously, redefining backup_borg_location_exclude_patterns dropped
the postgres_data_path exclusion (making borg walk live Postgres data
and fail with warning exit codes), and the playbook's own
source_directories wiring made the role's _custom variable a no-op.

Related to #5092

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-16 14:36:06 +03:00
Slavi Pantaleev 73a52c8a24 Make postgres_max_connections scale with the Synapse worker count
With workers enabled, every Synapse process (the main one and each
worker) maintains its own database connection pool of up to
matrix_synapse_database_cp_max (default: 10) connections. The previous
fixed limit of 500 left little headroom on setups running many workers,
where exhausting it manifests as degraded performance and, reportedly,
E2EE misbehavior.

Size the limit as a 200-connection baseline (for everything else that
talks to Postgres) plus cp_max connections per Synapse process, never
going below the previous value of 500. The stock worker presets stay at
500; setups that raise worker counts (or cp_max) get a limit that grows
accordingly. The new matrix_synapse_workers_total_count variable
reflects what the matrix_synapse_workers_*_count variables ask for; it
does not reflect a manually populated
matrix_synapse_workers_enabled_list, and such setups should override
postgres_max_connections themselves.

Fixes #4442

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-16 14:20:12 +03:00
renovate[bot] 7a719aed5b Update dependency traefik to v3.7.7-1 2026-07-16 11:40:21 +03:00
Slavi Pantaleev a1cdd367f5 Upgrade ansible-role-livekit-server (v1.13.3-1 -> v1.13.3-2)
The new version supports defining a multiplexed UDP port pool (e.g.
'7882-7892') in livekit_server_config_rtc_udp_port. Previously, the
role's configuration template silently mangled such values into
udp_port: 0. It also gains early validation of the port value.

Related to #5344

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-16 07:42:48 +03:00
Kristoffer 88d13ff3d6 lint: align yamllint with ansible-lint
Signed-off-by: Kristoffer <kristoffer@weitby.eu>
2026-07-16 07:10:45 +03:00
Kristoffer 13f3d771c0 lint: quote RustPush file modes
Signed-off-by: Kristoffer <kristoffer@weitby.eu>
2026-07-16 07:10:45 +03:00
renovate[bot] dd6b4444de Update nginx Docker tag to v1.31.3 2026-07-16 07:10:06 +03:00
jasonlaguidice 0d5b0d77b8 Add forgotten trailing newline 2026-07-16 07:09:56 +03:00
jasonlaguidice 145403217c Update documentation and disable enhanced presence by default for rustpush & steam 2026-07-16 07:09:56 +03:00
renovate[bot] 0e7c8af2ac Update ghcr.io/jasonlaguidice/matrix-steam-bridge Docker tag to v1.3.0 2026-07-16 07:09:26 +03:00
renovate[bot] 39dd69d82b Update ghcr.io/jasonlaguidice/imessage Docker tag to v0.0.3 2026-07-16 07:08:46 +03:00
Aine 5da2d0e4a5 add Google Voice bridge, fixes #3574 (#5426) 2026-07-15 19:15:58 +01:00
renovate[bot] b2788f690a Update pre-commit hook codespell-project/codespell to v2.4.3 2026-07-15 15:32:59 +03:00
renovate[bot] 7897d63660 Update docker.io/metio/matrix-alertmanager-receiver Docker tag to v2026.7.15 2026-07-15 15:12:38 +03:00
Slavi Pantaleev 23783f87bc Clarify when disabling the federation port applies in the CDN guide
The CDN section of the federation documentation tells users to set
matrix_synapse_federation_port_enabled: false, which only works because
that recipe moves federation traffic to the client port. Followed
partially (keeping federation on the dedicated federation port behind a
fronting reverse proxy), the same line removes the federation route
entirely and breaks federation. Say so explicitly.

Fixes #4475

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-15 13:31:41 +03:00
Slavi Pantaleev eb0af09bf5 Remove the appservice-kakaotalk bridge
The bridge could only be installed by self-building its source code,
and its upstream repository (on src.miscworks.net) has become
unreachable (the Internet Archive last saw it alive in May 2026),
making installation impossible. The bridge was also based on the
long-unmaintained node-kakao library and carried a warning that using
it may get KakaoTalk accounts banned.

The playbook catches leftover matrix_appservice_kakaotalk_* variables
and points users to the manual uninstallation instructions.

Related to #5068

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-15 13:31:41 +03:00
renovate[bot] f93616c06e Update dependency prometheus_node_exporter to v1.12.1-0 2026-07-15 08:44:37 +03:00
Slavi Pantaleev 376786b997 Upgrade ansible-role-livekit-server (v1.13.3-0 -> v1.13.3-1)
The new version adds livekit_server_config_rtc_ips_includes and
livekit_server_config_rtc_ips_excludes variables, controlling LiveKit's
rtc.ips.includes/excludes CIDR filters for RTC IP addresses.

Related to #4958

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-15 07:31:52 +03:00
Slavi Pantaleev de1ba73f40 Add dedicated CAPTCHA variables to matrix-authentication-service
Matrix Authentication Service supports CAPTCHA protection (ReCaptcha
v2, Cloudflare Turnstile, hCaptcha) for certain operations like
self-service password registration, but configuring it required going
through matrix_authentication_service_configuration_extension_yaml.
Expose it via dedicated variables
(matrix_authentication_service_config_captcha_service, _site_key and
_secret_key), validate the service value and key presence, and document
the setup in the captcha documentation page, which so far only covered
Synapse and Dendrite.

Related to #5344

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-15 07:29:35 +03:00
Slavi Pantaleev d2f1fa74cc Document homeserver requirements for hookshot's end-to-bridge encryption
Enabling matrix_hookshot_encryption_enabled configures the bridge side
correctly (registration flags, Valkey cache), but hookshot's encryption
also needs the homeserver to support and enable MSC2409 and MSC3202,
which are typically experimental features disabled by default. Nothing
documented that, so the resulting setup silently did not work.

Reference the MSCs in the variable's comment, and show the exact Synapse
settings in the hookshot documentation page. The playbook deliberately
does not auto-enable them: they are experimental homeserver-wide
features, and flipping them from a bridge toggle would be surprising.

Fixes #3861

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-15 06:01:27 +03:00
Slavi Pantaleev 62792b3670 Fix double-slash in Jitsi's Etherpad integration URLs
etherpad_base_url always ends with a trailing slash, and the playbook
passed it verbatim to jitsi_etherpad_base, which the Jitsi role appends
path segments to (e.g. /p/). The generated Jitsi configuration therefore
contained URLs like https://etherpad.example.com//p/, which can 404
depending on the web server. Strip trailing slashes when wiring.

Fixes #3471

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-14 15:16:31 +03:00
Slavi Pantaleev a039cc5982 Upgrade ansible-role-grafana (v13.0.2-0 -> v13.0.2-1) and use grafana_dashboard_download_urls_auto
The new role release splits grafana_dashboard_download_urls into
default/auto/custom components. Wire the playbook's automatic dashboard
list via the auto component, so users can add their own dashboards
through grafana_dashboard_download_urls_custom without clobbering it.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-14 14:59:18 +03:00
Slavi Pantaleev 5a9e34c563 Document that Synapse cache autotuning limits apply per process
The autotuning defaults are derived from total system RAM, but every
Synapse process (the main one and each worker) applies the configured
limits independently, so worker setups multiply the theoretical
aggregate cache memory usage.

Fixes #3336

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-14 14:56:48 +03:00
Slavi Pantaleev 534631c1e7 Document Synapse database restore pitfalls per the official backup guide
Add the two remaining hints from the official Synapse backup guide:

- never import a dump into a database that already has tables present
  (at best it errors, at worst it causes subtle inconsistencies)
- when restoring a backup older than the server's current state,
  truncate e2e_one_time_keys_json before starting Synapse, so used
  one-time keys are not re-issued (which causes decryption errors);
  our pg_dumpall-based backup commands include that table

Fixes #4004

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-14 14:34:45 +03:00
renovate[bot] 635bb61424 Update dependency postgres to v18.4-2 2026-07-14 14:32:12 +03:00
Slavi Pantaleev c7819f576a Remove the custom Element Web welcome page
Element Web redesigned its welcome page into a built-in component
(element-hq/element-web#33211, first released in spring 2026) and no
longer falls back to loading welcome.html. The custom page the playbook
installed had therefore silently stopped having any effect, and it was a
fork of an upstream file that upstream has deleted (its button icon
assets are already missing from current Element Web builds).

Remove the welcome.html shipping and the variables that only applied to
it (matrix_client_element_welcome_headline, _welcome_text,
_welcome_logo_link, _page_template_welcome_path), rejecting them in
validate_config.yml with pointers to the alternatives. Logo and
background customization keep working through Element Web's branding
options, which the new welcome page still honors. A fully custom page
can be self-hosted and wired via embedded_pages.welcome_url.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-14 07:49:39 +03:00
Aine 435aecc1a8 fix prometheus wiring 2026-07-13 22:46:37 +01:00
Slavi Pantaleev a03faef70f Stop excluding Synapse's local_thumbnails from BorgBackup
Synapse only generates thumbnails of local media at upload time (unless
dynamic_thumbnails is enabled, which the playbook does not do) and no
tooling exists to regenerate them, so restoring a backup left all
previously uploaded local images without thumbnails permanently. The
official Synapse backup guide recommends backing this directory up.

Related to #4004.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-13 21:18:43 +03:00
Slavi Pantaleev 94d8e28306 Support readonly datastores for matrix-media-repo
The configuration template only rendered a datastore when its for_kinds
list was non-empty, even though the inline documentation (matching
upstream's) describes forKinds: [] as the way to make a datastore
readonly. That made the documented migration scenario impossible: moving
media between the file and s3 datastores while keeping the old one
readable.

Introduce matrix_media_repo_datastore_file_enabled and
matrix_media_repo_datastore_s3_enabled, which default to the previous
kinds-based behavior. A readonly datastore is now expressed by enabling
the datastore explicitly while assigning it no kinds.

Fixes #4303

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-13 21:17:09 +03:00
Slavi Pantaleev 6b4b7647e4 Fix synapse-usage-exporter self-build failing on git ownership checks
synapse-usage-exporter is self-built by default (no upstream image is
published), so every user enabling it runs the git clone/update task. A
docker-src checkout whose files are owned by a different user (e.g. left
behind by an earlier clone) made that task fail: either with a
permission error, or with git's dubious-ownership protection, which
ignores the repository's own configuration and surfaces as a confusing
"'origin' does not appear to be a git repository" error.

Ensure the checkout's ownership recursively before updating it, and mark
the path as a safe.directory for the git invocation itself (via
GIT_CONFIG_* environment variables), so the ownership check cannot
misfire regardless of which user git effectively runs as.

Fixes #5065

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-13 19:25:34 +03:00
Slavi Pantaleev 90d486c4f6 Correct CORS guidance for 302-redirect based well-known setup
The docs claimed that reverse-proxying "or simply a 302 redirect" needs
no CORS headers. That is only true for reverse-proxying: browsers apply
CORS checks to every response in a redirect chain, so a redirect
response itself must also carry Access-Control-Allow-Origin, otherwise
web clients fail even though the final destination sets the header.

Fixes #4650

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-13 16:35:07 +03:00