Commit Graph

11551 Commits

Author SHA1 Message Date
Slavi Pantaleev 90d486c4f6 Correct CORS guidance for 302-redirect based well-known setup
The docs claimed that reverse-proxying "or simply a 302 redirect" needs
no CORS headers. That is only true for reverse-proxying: browsers apply
CORS checks to every response in a redirect chain, so a redirect
response itself must also carry Access-Control-Allow-Origin, otherwise
web clients fail even though the final destination sets the header.

Fixes #4650

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-13 16:35:07 +03:00
Slavi Pantaleev 2d436491c6 Escape mautrix-meta username prefix in registration regexes
The user-namespace regexes in the mautrix-meta-messenger and
mautrix-meta-instagram registration templates interpolated
the bridge username prefix without regex-escaping it, unlike the
neighboring homeserver domain and appservice username values. The
default prefixes are regex-safe, but a customized prefix containing
regex metacharacters would produce a wrong (too broad or invalid)
appservice user namespace.

Related to the registration regex discussion in #5096.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-13 16:34:31 +03:00
Slavi Pantaleev 8b9fe4ce37 Make Element welcome page text readable on the dark theme
The playbook-shipped welcome.html hardcoded #2e2f32 for the headline and
welcome text, which is nearly invisible on the dark background Element
renders when the dark theme is active. Element Web's default
use_system_theme behavior keys the theme off the system color scheme, so
switch the text to Element's dark-theme text color (#ebeef2) under a
prefers-color-scheme: dark media query.

Fixes #4838

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-13 16:33:55 +03:00
Slavi Pantaleev 639996d3a0 Upgrade ansible-role-backup_borg (v1.4.4-2.1.4-1 -> v1.4.4-2.1.6-1)
Pulls in borgmatic 2.1.6, fixing the 2.1.4 JSON parsing regression
(borgmatic-collective/borgmatic#1294) where warnings on stderr, such as
OpenSSH post-quantum key exchange notices, broke parsing of borg's JSON
output and failed the backup run.

Fixes #5188

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-13 16:33:03 +03:00
Slavi Pantaleev f8539f4cbf Fix Traefik router name in SRV server delegation docs
The wildcard certificate examples attached tls.domains labels to a
router named matrix-synapse-federation-api, but the Synapse role
actually names it matrix-synapse-public-federation-api (see
templates/synapse/labels.j2), so the documented labels matched nothing
and the certificate configuration silently did not apply.

Fixes #3129

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-13 15:30:58 +03:00
Slavi Pantaleev a4915c0b9e Remove never-implemented appservice-discord self-build variable
matrix_appservice_discord_container_image_self_build only switched the
image registry prefix to localhost/, but the role never had any build
tasks, so enabling it always ended in an image pull failure. Remove the
variable and reject it in validate_config.yml with a hint that the
prebuilt image is amd64-only and that mautrix-discord is the better
option on other architectures.

Fixes #2379

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-13 15:03:51 +03:00
Slavi Pantaleev deb19c46a8 Document rsync as a server-side prerequisite for media store import
The import-synapse-media-store task synchronizes the media store with
ansible.posix.synchronize delegated to the server itself, which requires
the rsync binary on the server. Nothing in the playbook installs it, so
the import failed on minimal systems with "Failed to find required
executable rsync". Document the prerequisite.

Fixes #2551

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-13 15:03:05 +03:00
Slavi Pantaleev 2fe710bdb4 Document Caddy directive-order pitfall for well-known reverse-proxying
Caddy evaluates directives according to its own fixed directive order,
not their order in the Caddyfile. redir runs before reverse_proxy, so a
redirect elsewhere in the same site block silently shadows the
/.well-known/matrix reverse-proxying. Add a note and a handle-block
example that enforces the intended priority.

Fixes #1080

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-13 15:02:20 +03:00
Slavi Pantaleev ee38b3aac2 Grant pg_monitor to the prometheus-postgres-exporter database user
The exporter's wal collector (enabled by default) calls pg_ls_waldir(),
which Postgres restricts to superusers and members of the pg_monitor
role. The exporter user is created as a plain managed-database user, so
scraping logged "permission denied for function pg_ls_waldir" on every
run.

Grant pg_monitor via the managed database's additional_sql_queries,
which the Postgres role applies both on initial creation and on
subsequent runs, covering existing installations too.

Fixes #3039

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-13 13:21:19 +03:00
Slavi Pantaleev 506d4ab4c9 Upgrade ansible-role-postgres (v18.4-0 -> v18.4-1)
Pulls in the pgloader connection string handling fix, which keeps the
Postgres password out of the command line and Ansible error output.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-13 09:01:00 +03:00
Slavi Pantaleev 44cfd16036 Add index label to Synapse worker Prometheus targets
The upstream Synapse Grafana dashboard uses `{{job}}-{{index}}` in its
legends to tell workers apart, but the worker scrape configs only set
instance, worker_id, job and app labels. Without an index label, the
dashboard legends collapsed and workers could not be distinguished.

Derive the index label from the worker id (its per-type index is the
first number in the id, e.g. federation-sender-1, stream-writer-2-events),
matching the index label already set on the main process target.

Fixes #2158
Fixes #2159

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-13 09:01:00 +03:00
Slavi Pantaleev b32272ef40 Add CORS header to Element's map_style.json for Element Desktop
Element Desktop (Electron) loads the location-sharing map style from a
`vector://vector` origin, so fetching map_style.json from the Element
domain is a cross-origin request. Without an Access-Control-Allow-Origin
header, the request is blocked and maps fail to load with "This homeserver
is not configured correctly to display maps".

Add a dedicated Traefik router for map_style.json that attaches an
Access-Control-Allow-Origin header (configurable via
matrix_client_element_location_sharing_map_style_access_control_allow_origin,
defaulting to `*`). It is only defined when location sharing is enabled.

Fixes #2291

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-13 09:01:00 +03:00
renovate[bot] d0f877fb86 Update dependency sable to v1.19.4-0 2026-07-13 08:47:12 +03:00
Suguru Hirahara bb1cbdb111 Add other unimportant dependencies to matchFileNames on renovate.json
Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>
2026-07-13 01:39:13 -04:00
renovate[bot] f8ea906c19 Update forgejo.ellis.link/continuwuation/continuwuity Docker tag to v26.6.2 2026-07-13 07:16:44 +03:00
Suguru Hirahara 7f4691aabb Add flake.lock to be the list of items for automerge
Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>
2026-07-13 07:16:00 +03:00
github-actions[bot] 85484aed85 Automatic translations update 2026-07-12 18:51:50 +03:00
Slavi Pantaleev fa8c764708 Fix up devcontainer config (REUSE, strict JSON, image bump) and mention it in docs
- add SPDX licensing information for REUSE compliance
- drop the JSONC comment from devcontainer.json, keeping it strict JSON
  (as required by the check-json pre-commit hook)
- bump the base image to the current ghcr.io/devture/ansible release
- mention the dev container in docs/ansible.md

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-12 18:36:27 +03:00
Slavi Pantaleev fba605de34 Merge pull request #4365 from jonaharagon/devcontainer
Add devcontainer config
2026-07-12 18:34:16 +03:00
Slavi Pantaleev 0b966a4500 Update agru version label to match the locked v0.2.1 revision
flake.lock already pins agru at the v0.2.1 commit (via #5415);
this label only names the built derivation.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-12 18:24:05 +03:00
renovate[bot] 93caf43948 Lock file maintenance (#5415)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-07-12 18:23:44 +03:00
Slavi Pantaleev aa97075f11 Enable Renovate nix support with flake.lock maintenance
This lets Renovate periodically refresh flake.lock, keeping the
nixpkgs and agru inputs of the development shell up to date.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-12 17:04:48 +03:00
Slavi Pantaleev 8368b21e6d Merge pull request #4979 from jack-wines/main
Add agru to flake.nix
2026-07-12 17:03:06 +03:00
Slavi Pantaleev e6a8de7cec Document pulling the sudo password from pass via the passwordstore lookup
Based on https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/4219 by @mcnesium

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-12 16:52:18 +03:00
Slavi Pantaleev 7d2a2c40c9 Add matrix_matrixto_container_labels_watchtower_skip_enabled
Attaches a com.centurylinklabs.watchtower.enable=false label to the
matrix-matrixto container by default, telling Watchtower (if in use)
to skip it. The image is built locally from source, so Watchtower
cannot update it and merely produces 'digest retrieval failed' errors
on every run.

A dedicated variable is used (instead of pre-filling
matrix_matrixto_container_labels_additional_labels) so that people
overriding the additional-labels variable do not lose the label.

Fixes #4820

Based on the report and initial patch in
https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/4821 by @der-domi

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-12 16:37:12 +03:00
Slavi Pantaleev 7ae2f46bf7 Add Commet to the client list in configuring-playbook.md
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-12 16:35:08 +03:00
Slavi Pantaleev 7833006b07 Merge pull request #5005 from TheDataLeek/tdl/commet-docs
Add Commet client documentation
2026-07-12 16:33:27 +03:00
Slavi Pantaleev eb6328e5e9 Fix role references in jitsi_jvb.yml
The galaxy roles were renamed to shorter install paths back in
c0595d6e4 (2023-11-19), but jitsi_jvb.yml was not updated, so running
it failed with 'role not found' ever since.

Reported in https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/5269 by @mcepl

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-12 16:23:05 +03:00
Slavi Pantaleev 80c2624454 Add add-inventory-host command for bootstrapping the inventory
Running `just add-inventory-host example.com 1.2.3.4` (or
`make add-inventory-host domain=example.com ip=1.2.3.4`) adds a new
host to the inventory, creating inventory/hosts and
inventory/host_vars/matrix.DOMAIN/vars.yml from the example files,
with strong secrets generated automatically.

Existing configuration is never overwritten. The command refuses to
run if the host is already in the inventory, so it can also be used
for adding more hosts later.

Based on the idea proposed in
https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/4682 by @Ser5

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-12 16:08:09 +03:00
renovate[bot] 0f7f60372f Update matrixdotorg/sygnal Docker tag to v0.17.0 (#4794)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-07-12 15:18:56 +03:00
Slavi Pantaleev fc473797cd Disable broken container healthcheck for matrix-sygnal
The sygnal container images (since v0.16.0) hardcode a HEALTHCHECK which
relies on curl, but the image does not include curl, so the healthcheck
can never pass. See https://github.com/element-hq/sygnal/issues/326

This unblocks upgrading sygnal past v0.15.1.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-12 15:17:48 +03:00
github-actions[bot] 8250b6d088 Automatic translations update 2026-07-12 14:58:34 +03:00
Slavi Pantaleev b57ac50c81 Merge pull request #5288 from luixxiul/remove-matrix-bot-matrix-registration-bot
Remove matrix-registration-bot
2026-07-12 14:49:12 +03:00
Suguru Hirahara e6e0df3d32 Update faq.md: add a section about removed roles
Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>
2026-07-12 14:44:27 +03:00
Slavi Pantaleev 19a775ef7e Upgrade Continuwuity (v0.5.10 -> v26.6.1) and re-sync its config template
This is a major upgrade which performs a one-way database migration
and removes LDAP support upstream.

The continuwuity.toml.j2 template is re-synced with the v26.6.1 example
config. Notably, registration_token is now only rendered when non-empty,
because v26+ refuses to start when it is set to an empty string.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-12 14:43:17 +03:00
renovate[bot] 1d14b599b2 Update dependency prometheus to v3.13.1-0 2026-07-11 21:35:19 +03:00
renovate[bot] 79d3d3c9c6 Update dependency prek to v0.4.9 2026-07-11 21:33:45 +03:00
renovate[bot] 2519a81597 Update dependency prometheus_node_exporter to v1.12.0-0 2026-07-11 18:50:15 +03:00
Suguru Hirahara 931aa6cf57 Update CHANGELOG.md
Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>
2026-07-11 01:08:04 -04:00
renovate[bot] c24bcc8158 Update ghcr.io/matrix-construct/tuwunel Docker tag to v1.8.1 2026-07-11 06:06:34 +03:00
renovate[bot] 25cf21da42 Update dependency sable to v1.19.3-0 2026-07-11 06:06:15 +03:00
renovate[bot] 68fe9c176f Update dependency ntfy to v2.26.0-0 2026-07-10 14:03:27 +03:00
Suguru Hirahara 2c57bd3b90 Update validate_config.yml
Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>
2026-07-10 02:06:27 -04:00
Suguru Hirahara d8742b0624 Update docs
Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>
2026-07-10 02:05:47 -04:00
Suguru Hirahara e280b5819f Remove mentions to matrix-bot-matrix-registration-bot
Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>
2026-07-10 02:05:32 -04:00
Suguru Hirahara 8f3e76597f Remove roles/custom/matrix-bot-matrix-registration-bot
Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>
2026-07-10 02:05:18 -04:00
renovate[bot] c4012389d4 Update ghcr.io/element-hq/matrix-authentication-service Docker tag to v1.20.0 2026-07-09 20:38:01 +03:00
renovate[bot] 94bf7a90ab Update dependency sable to v1.19.1-0 2026-07-09 14:05:41 +03:00
renovate[bot] a3123b5456 Update dependency traefik to v3.7.7-0 2026-07-09 10:21:26 +03:00
renovate[bot] 22d6fd0be2 Update docker.io/metio/matrix-alertmanager-receiver Docker tag to v2026.7.8 2026-07-08 14:00:43 +03:00