Update dependency sable to v1.15.3-0

Update ghcr.io/etkecc/baibot Docker tag to v1.19.1
Automatic translations update
2026-05-11 06:30:02 +03:00 · 2026-05-10 16:32:08 +03:00 · 2026-05-09 20:33:10 +03:00 · 2026-05-09 10:18:01 +03:00 · 2026-05-09 09:27:07 +03:00 · 2026-05-08 22:02:38 +03:00
288 changed files with 8720 additions and 5815 deletions
@@ -32,7 +32,7 @@ jobs:

      # Setting up recommended prerequisites
      # See: i18n/README.md
-      - uses: astral-sh/setup-uv@v8
+      - uses: astral-sh/setup-uv@v8.1.0
      - uses: extractions/setup-just@v4

      # TODO: optimize when we start publishing translations and integrate a Weblate instance
@@ -1,3 +1,41 @@
+# 2026-05-07
+
+## Tuwunel support
+
+Thanks to [Jason Volk](https://github.com/jevolk), the playbook now supports the [Tuwunel](./docs/configuring-playbook-tuwunel.md) homeserver as an optional alternative to Synapse.
+
+Tuwunel is a fork of [conduwuit](./docs/configuring-playbook-conduwuit.md) written in Rust. The former conduwuit maintainer [endorses Tuwunel as conduwuit's successor](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/5200#issuecomment-4396211185). Like [Continuwuity](./docs/configuring-playbook-continuwuity.md), Tuwunel continues development on top of conduwuit's database format.
+
+Existing installations do **not** need to be updated. **Synapse is still the default homeserver implementation** installed by the playbook.
+
+People that used to run conduwuit may wish to [migrate from conduwuit to Tuwunel](./docs/configuring-playbook-tuwunel.md#migrating-from-conduwuit) via the new `tuwunel-migrate-from-conduwuit` tag, which performs an in-place binary-swap migration that reads the conduwuit database directly.
+
+**The homeserver implementation of an existing server cannot be changed** (e.g. from Synapse/Conduit/Dendrite/Continuwuity to Tuwunel) without data loss. The exception is conduwuit, due to the shared database format.
+
+
+# 2026-04-24
+
+## Support for bridging to Meshtastic via meshtastic-matrix-relay
+
+Thanks to [luschmar](https://github.com/luschmar), the playbook now supports bridging to [Meshtastic](https://meshtastic.org/) mesh networks via [meshtastic-matrix-relay](https://github.com/jeremiah-k/meshtastic-matrix-relay) (mmrelay).
+
+To learn more, see our [Setting up a Matrix <-> Meshtastic bridge](./docs/configuring-playbook-bridge-meshtastic-relay.md) documentation page.
+
+## (BC Break) mautrix-telegram has been rewritten in Go (bridgev2)
+
+The [mautrix-telegram](./docs/configuring-playbook-bridge-mautrix-telegram.md) bridge has been [rewritten in Go](https://mau.fi/blog/2026-04-mautrix-release/) on top of the [bridgev2](https://docs.mau.fi/bridges/go/) architecture. See the [upstream v26.04 release notes](https://github.com/mautrix/telegram/releases/tag/v0.2604.0) for what changed in the bridge itself (shared-portal behavior, management-room state, new features, etc.).
+
+**Most users won't have to do anything.** If you use the playbook's integrated Postgres (the default) and haven't customized telegram-bridge variables beyond `matrix_mautrix_telegram_api_id` and `matrix_mautrix_telegram_api_hash`, just re-run the playbook; the bridge will migrate itself on first start. Taking a backup beforehand is still a good idea.
+
+⚠️ **SQLite users: do not upgrade yet.** Upstream v0.2604.0 has a [known bug in the legacy SQLite migration](https://github.com/mautrix/telegram/releases/tag/v0.2604.0) that can corrupt your data. The playbook detects this case and will refuse to proceed. Either switch to Postgres first (set `matrix_mautrix_telegram_database_engine: postgres`; the playbook handles the pgloader migration), or wait for the next upstream release.
+
+Playbook-specific things to know. The playbook will fail loudly if you're affected:
+
+- Many `matrix_mautrix_telegram_*` variables have been **removed** (web-login endpoint, lottieconverter, username/alias/displayname templates, filter-mode, bot-token relaybot, Shared-Secret-Auth map). The deprecation check will tell you exactly what to rename or drop when you run the playbook.
+- **Old-style relaybot users** (`matrix_mautrix_telegram_bot_token`): switch to the common [mautrix bridge relay mode](./docs/configuring-playbook-bridge-mautrix-bridges.md#enable-relay-mode-optional) via `matrix_mautrix_telegram_bridge_relay_enabled: true`.
+- **Shared-Secret-Auth double-puppeting users**: switch to [Appservice Double Puppet](./docs/configuring-playbook-appservice-double-puppet.md); the playbook wires it up automatically.
+- **Custom `matrix_mautrix_telegram_bridge_permissions`**: map `relaybot` to `relay`, `puppeting` to `user`, `full` to `user`. Validated at playbook time.
+
 # 2026-04-03

 ## (BC Break) Synapse Admin (fork by etke.cc) is now Ketesa
@@ -53,6 +53,7 @@ The homeserver is the backbone of your Matrix system. Choose one from the follow
 | [Synapse](https://github.com/element-hq/synapse) | ✅ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network | [Link](docs/configuring-playbook-synapse.md) |
 | [Conduit](https://conduit.rs) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Conduit is a lightweight open-source server implementation of the Matrix Specification with a focus on easy setup and low system requirements | [Link](docs/configuring-playbook-conduit.md) |
 | [continuwuity](https://continuwuity.org) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. | [Link](docs/configuring-playbook-continuwuity.md) |
+| [Tuwunel](https://matrix-construct.github.io/tuwunel/) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Tuwunel is the official successor to conduwuit. | [Link](docs/configuring-playbook-tuwunel.md) |
 | [Dendrite](https://github.com/element-hq/dendrite) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Dendrite is a second-generation Matrix homeserver written in Go, an alternative to Synapse. | [Link](docs/configuring-playbook-dendrite.md) |

 ### Clients
@@ -132,6 +133,7 @@ Bridges can be used to connect your Matrix installation with third-party communi
 | [matrix-steam-bridge](https://github.com/jasonlaguidice/matrix-steam-bridge) | ❌ | Bridge to [Steam](https://steampowered.com/) | [Link](docs/configuring-playbook-bridge-steam.md) |
 | [matrix-wechat](https://github.com/duo/matrix-wechat) | ❌ | Bridge to [WeChat](https://www.wechat.com/) | [Link](docs/configuring-playbook-bridge-wechat.md) |
 | [Heisenbridge](https://github.com/hifi/heisenbridge) | ❌ | Bouncer-style bridge to [IRC](https://wikipedia.org/wiki/Internet_Relay_Chat) | [Link](docs/configuring-playbook-bridge-heisenbridge.md) |
+| [meshtastic-matrix-relay](https://github.com/jeremiah-k/meshtastic-matrix-relay) | ❌ | Bridge to [Meshtastic](https://meshtastic.org/) mesh networks | [Link](docs/configuring-playbook-bridge-meshtastic-relay.md) |
 | [mx-puppet-groupme](https://gitlab.com/xangelix-pub/matrix/mx-puppet-groupme) | ❌ | Bridge to [GroupMe](https://groupme.com/) | [Link](docs/configuring-playbook-bridge-mx-puppet-groupme.md) |
 | [mx-puppet-steam](https://codeberg.org/icewind/mx-puppet-steam) | ❌ | Bridge to [Steam](https://steamapp.com/) | [Link](docs/configuring-playbook-bridge-mx-puppet-steam.md) |
 | [Postmoogle](https://github.com/etkecc/postmoogle) | ❌ | Email to Matrix bridge | [Link](docs/configuring-playbook-bridge-postmoogle.md) |
@@ -1,4 +1,25 @@
 ---
+# This file is not used by the playbook's standard CLI installation flow.
+# Roles are pulled via `make roles` / `just roles`, which call
+# `ansible-galaxy install -r requirements.yml -p roles/galaxy/`.
+# Collections are not installed by that command, and the playbook relies
+# on whatever `community.*` collections ship with the user's `ansible`
+# package (which has been recent enough for years).
+#
+# This file exists for AWX / Ansible Automation Platform users, which
+# auto-detect `collections/requirements.yml` during project sync and
+# install the listed collections. See:
+# https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/87a2240dc
+#
+# CLI users do not need to install anything from this file. If you are
+# using AWX and a collection version below the floor declared here is
+# present, AWX will upgrade it.
+
 collections:
  - name: community.general
  - name: community.docker
+    # `community.docker.docker_image_pull` and `community.docker.docker_image_build`
+    # are used by some roles (e.g. matrix-bot-draupnir,
+    # matrix-appservice-draupnir-for-all) and are first available in
+    # community.docker 3.6.0 (Jan 2024 / Ansible 9.2.0).
+    version: ">=3.6.0"
@@ -1,4 +1,5 @@
 <!--
+SPDX-FileCopyrightText: 2024 - 2026 Catalan Lover <catalanlover@protonmail.com>
 SPDX-FileCopyrightText: 2024 - 2025 Suguru Hirahara
 SPDX-FileCopyrightText: 2024 MDAD project contributors

@@ -13,34 +14,54 @@ Appservice mode can be used together with the regular [Draupnir bot](configuring

 ## Draupnir Appservice mode compared to Draupnir bot mode

-The administrative functions for managing the appservice are alpha quality and very limited. However, the experience of using an appservice-provisioned Draupnir is on par with the experience of using Draupnir from bot mode except in the case of avatar customisation as described later on in this document.
+The administrative functions for managing the appservice are alpha quality and very limited. However, the experience of using an appservice-provisioned Draupnir is on par with the experience of using Draupnir from bot mode.

-Draupnir for all is the way to go if you need more than 1 Draupnir instance, but you don't need access to Synapse Admin features as they are not accessible through Draupnir for All (Even though the commands do show up in help).
+Draupnir for all is the way to go if you need more than 1 Draupnir instance, but you don't need access to Synapse Admin features as they are not accessible through Draupnir for All.

 Draupnir for all in the playbook is rate-limit-exempt automatically as its appservice configuration file does not specify any rate limits.

-Normal Draupnir does come with the benefit of access to Synapse Admin features. You are also able to more easily customise your normal Draupnir than D4A as D4A even on the branch with the Avatar command (To be Upstreamed to Mainline Draupnir) that command is clunky as it requires the use of things like Element Web devtools. In normal Draupnir this is a quick operation where you login to Draupnir with a normal client and set Avatar and Display name normally.
+Normal Draupnir does come with the benefit of access to Synapse Admin features. You are also able to more easily customise your normal Draupnir than D4A as the avatar command is clunky as it requires the use of things like Element Web devtools. In normal Draupnir this can be done while logged in to the Draupnir account with a normal client and set Avatar and Display name normally.

-Draupnir for all does not support external tooling like [MRU](https://mru.rory.gay) as it can't access Draupnir's user account.
+Draupnir for all only has limited support for external tooling like [MRU](https://mru.rory.gay) as it can't access Draupnir's user account.

 ## Prerequisites

-### Create a main management room
+### Prerequisites for Zero Touch Deployment (recommended)

-The playbook does not create a management room for your Main Draupnir. You **need to create the room manually** before setting up the bot.
+As of Draupnir 3.1.0, Zero Touch Deployment of Draupnir Appservice Mode (Draupnir for all) requires you to supply the following:
+
+- MXID of the first person who gets invited to the admin room that the bot creates for you.
+
+That is all. The appservice manages everything on its own after you provide it with an MXID to invite.
+
+If proceeding with Zero Touch Deployment, skip ahead to [Adjusting the playbook configuration](#adjusting-the-playbook-configuration).
+
+### Create an admin room (optional)
+
+The playbook does not create an admin room for your Draupnir, but the appservice itself can do this for you. Alternatively, you **can create the room manually** before setting up the bot.

 Note that the room must be unencrypted.

-The management room has to be given an alias, and your bot has to be invited to the room.
+The admin room has to be given an alias, and your bot has to be invited to the room.

-This management room is used to control who has access to your D4A deployment. The room stores this data inside of the control room state so your bot must have sufficient powerlevel to send custom state events. This is default 50 or moderator as Element clients call this powerlevel.
+This admin room is used to control who has access to your D4A deployment. The room stores this data in the control room state, so your bot must have sufficient power level to send custom state events. This is `50` by default (moderator, as Element clients call this power level).

 > [!WARNING]
 > Anyone in this room can control the bot so it is important that you only invite trusted users to this room.

 ## Adjusting the playbook configuration

-Add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file. Make sure to replace `MANAGEMENT_ROOM_ALIAS_HERE`.
+When using Zero Touch Deployment, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file. Make sure to replace `INITIAL_MANAGER_MXID_HERE` with the MXID of the user who should be invited to the admin room first.
+
+```yaml
+matrix_appservice_draupnir_for_all_enabled: true
+
+matrix_appservice_draupnir_for_all_zero_touch_deploy: true
+
+matrix_appservice_draupnir_for_all_config_initialManager: "INITIAL_MANAGER_MXID_HERE"
+```
+
+If opting out of Zero Touch Deployment, use the following configuration block instead. Make sure to replace `MANAGEMENT_ROOM_ALIAS_HERE` with the alias of the admin room you have created earlier.

 ```yaml
 matrix_appservice_draupnir_for_all_enabled: true
@@ -48,6 +69,14 @@ matrix_appservice_draupnir_for_all_enabled: true
 matrix_appservice_draupnir_for_all_config_adminRoom: "MANAGEMENT_ROOM_ALIAS_HERE"
 ```

+### Running both bot mode and appservice mode
+
+When running both [bot mode](./configuring-playbook-bot-draupnir.md) and appservice mode, the playbook will force-restart
+the bot if running a non-release tag like `latest` or `main` or a development build.
+This is due to the conditional restart logic not being able to reliably tell when an update happened.
+
+Conditional restarts work correctly for all tags when running only one of these two operating modes.
+
 ### Extending the configuration

 There are some additional things you may wish to configure about the component.
@@ -95,20 +124,26 @@ ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start

 ## Usage

-If you made it through all the steps above and your main control room was joined by a user called `@draupnir-main:example.com` you have successfully installed Draupnir for All and can now start using it.
+If you made it through all the steps above and your main control room was joined by a user called `@draupnir-main:example.com`, you have successfully installed Draupnir for All and can now start using it.

-The installation of Draupnir for all in this playbook is very much Alpha quality. Usage-wise, Draupnir for all is almost identical to Draupnir bot mode.
+If using Zero Touch Deployment, the flow is reversed and the success signal is the initial manager account being invited to the admin room.
+
+Draupnir for all installation via this playbook is very much Alpha quality. Usage-wise, Draupnir for all is almost identical to Draupnir bot mode, except that protections requiring homeserver admin access are not available, and the config file is shared between all bots so legacy protections like wordlist share a single global config.

 ### Granting Users the ability to use D4A

 Draupnir for all includes several security measures like that it only allows users that are on its allow list to ask for a bot. To add a user to this list we have 2 primary options. Using the chat to tell Draupnir to do this for us or if you want to automatically do it by sending `m.policy.rule.user` events that target the subject you want to allow provisioning for with the `org.matrix.mjolnir.allow` recommendation. Using the chat is recommended.

-The bot requires a powerlevel of 50 in the management room to control who is allowed to use the bot. The bot does currently not say anything if this is true or false. (This is considered a bug and is documented in issue [#297](https://github.com/the-draupnir-project/Draupnir/issues/297))
+The bot requires a power level of 50 in the management room to control who is allowed to use the bot. The bot does currently not say anything if this is true or false. (This is considered a bug and is documented in issue [#297](https://github.com/the-draupnir-project/Draupnir/issues/297).) This issue is largely mitigated by the Zero Touch Deployment workflows introduced in Draupnir 3.1.0.

-To allow users or whole homeservers you type /plain !admin allow `target` and target can be either a MXID or a wildcard like `@*:example.com` to allow all users on example.com to register. We use /plain to force the client to not attempt to mess with this command as it can break Wildcard commands especially.
+To allow users or whole homeservers you type /plain !admin allow `target` and target can be either a MXID or a wildcard like `@*:example.com` to allow all users on example.com to provision a bot. We use /plain to force the client to not attempt to mess with this command as it can break Wildcard commands especially.

 ### How to provision a D4A once you are allowed to

-To provision a D4A, you need to start a chat with `@draupnir-main:example.com`. The bot will reject this invite and you will shortly get invited to the Draupnir control room for your newly provisioned Draupnir. From here its just a normal Draupnir experience.
+Once someone is allowed to provision a bot, simply provision them one with `!admin provision MXID`.

-Congratulations if you made it all the way here because you now have a fully working Draupnir for all deployment.
+Self-service provisioning is disabled as a security measure because it is currently bugged. Force-provisioning (with `!admin provision`) bypasses this disabled status.
+
+Note that you should always make sure there is an allow entry matching whoever is provisioned, because once self-service is fixed, the bot of anyone who is not allowed to provision a bot will refuse to start.
+
+Congratulations if you made it all the way here, because you now have a fully working Draupnir for all deployment.
@@ -1,4 +1,5 @@
 <!--
+SPDX-FileCopyrightText: 2023 - 2026 Catalan Lover <catalanlover@protonmail.com>
 SPDX-FileCopyrightText: 2023 - 2025 MDAD project contributors
 SPDX-FileCopyrightText: 2023 Kim Brose
 SPDX-FileCopyrightText: 2024 - 2025 Slavi Pantaleev
@@ -19,7 +20,17 @@ If your migrating from [Mjolnir](configuring-playbook-bot-mjolnir.md), skip to [

 ## Prerequisites

-### Create a management room
+### Prerequisites for Zero Touch Deployment (recommended)
+
+As of Draupnir 3.1.0, Zero Touch Deployment of Draupnir bot mode requires you to supply the following:
+
+- MXID of the first person who gets invited to the management room that the bot creates for you.
+- A permanent access token for authentication. Instructions for obtaining one can be found at [obtain an access token via curl](obtaining-access-tokens.md#obtain-an-access-token-via-curl).
+- A user account for Draupnir.
+
+Zero Touch Deployment is the officially preferred installation method for new deployments of Draupnir as of 3.1.0.
+
+### Create a management room (optional)

 Using your own account, create a new invite only room that you will use to manage the bot. This is the room where you will see the status of the bot and where you will send commands to the bot, such as the command to ban a user from another room.

@@ -28,6 +39,8 @@ Using your own account, create a new invite only room that you will use to manag

 It is possible to make the management room encrypted (E2EE). If doing so, then you need to enable the native E2EE support (see [below](#native-e2ee-support)).

+E2EE support for the management room is mutually exclusive with Zero Touch Deployment of Draupnir.
+
 Once you have created the room you need to copy the room ID so you can specify it on your `inventory/host_vars/matrix.example.com/vars.yml` file. In Element Web you can check the ID by going to the room's settings and clicking "Advanced". The room ID will look something like `!qporfwt:example.com`.

 ## End-to-End Encryption support
@@ -63,7 +76,25 @@ matrix_bot_draupnir_config_accessToken: "CLEAN_ACCESS_TOKEN_HERE"

 ## Adjusting the playbook configuration

-To enable the bot, add the following configuration to your `vars.yml` file. Make sure to replace `MANAGEMENT_ROOM_ID_HERE` with the one of the room which you have created earlier.
+### Configuration for Zero Touch Deployment (recommended)
+
+To enable the bot using Zero Touch Deployment, add the following configuration to your `vars.yml` file. Make sure to replace `INITIAL_MANAGER_MXID_HERE` with the MXID of the user who should be invited to the management room first, and `CLEAN_ACCESS_TOKEN_HERE` with the access token you obtained.
+
+```yaml
+# Enable Draupnir
+matrix_bot_draupnir_enabled: true
+
+matrix_bot_draupnir_zero_touch_deploy: true
+
+matrix_bot_draupnir_config_initialManager: "INITIAL_MANAGER_MXID_HERE"
+
+# Access token which the bot will use for logging in.
+matrix_bot_draupnir_config_accessToken: "CLEAN_ACCESS_TOKEN_HERE"
+```
+
+### Configuration without Zero Touch Deployment
+
+If you'd prefer to have the bot manage its own login at the cost of having to create the management room manually, you can use native login with the configuration block below. Make sure to replace `MANAGEMENT_ROOM_ID_HERE` with the ID of the management room you have created earlier.

 ```yaml
 # Enable Draupnir
@@ -82,7 +113,15 @@ matrix_bot_draupnir_login_native: true
 matrix_bot_draupnir_config_managementRoom: "MANAGEMENT_ROOM_ID_HERE"
 ```

-### Create and invite the bot to the management room
+### Running both bot mode and appservice mode
+
+When running both bot mode and [appservice mode (Draupnir for all)](./configuring-playbook-appservice-draupnir-for-all.md), the
+playbook will force-restart the bot if running a non-release tag like `latest` or `main` or a development build.
+This is due to the conditional restart logic not being able to reliably tell when an update happened.
+
+Conditional restarts work correctly for all tags when running only one of these two operating modes.
+
+### Create and invite the bot to the management room (only when using native login without Zero Touch Deployment)

 Before proceeding to the next step, run the playbook with the following command to create the bot user.

@@ -94,6 +133,12 @@ ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,ensure-matrix-use

 Then, invite the bot (`@bot.draupnir:example.com`) to its management room which you have created earlier.

+### Creating a user account for the bot (when using Zero Touch Deployment)
+
+Since Zero Touch Deployment is not validated with native login, you will need to create the user account manually.
+
+Refer to [registering users](registering-users.md) for documentation on how to configure the user account.
+
 ### Make sure the account is free from rate limiting (optional, recommended)

 If your homeserver's implementation is Synapse, you will need to prevent it from rate limiting the bot's account. **This is a highly recommended step. If you do not configure it, Draupnir performance will be degraded.**
@@ -106,7 +151,7 @@ The APIs can also be accessed via [Ketesa](https://github.com/etkecc/ketesa), a

 #### Add the configuration

-To expose the APIs publicly, add the following configuration to your `vars.yml` file:
+This is automatically done if Ketesa is enabled. Otherwise, to expose the APIs publicly, add the following configuration to your `vars.yml` file:

 ```yaml
 matrix_synapse_container_labels_public_client_synapse_admin_api_enabled: true
@@ -132,6 +177,7 @@ curl --header "Authorization: Bearer ADMIN_ACCESS_TOKEN_HERE" -X POST https://ma
 ```

 **Notes**:
+
 - This does not work on outdated Windows 10 as curl is not available there.
 - Even if the APIs are not exposed to the internet, you should still be able to run the command on the homeserver locally.

@@ -157,13 +203,14 @@ matrix_bot_draupnir_config_web_synapseHTTPAntispam_enabled: true
 matrix_bot_draupnir_admin_api_enabled: true
 ```

-These protections need to be manually activated and consulting the [enabling protections](#enabling-built-in-protections) guide can be helpful or consulting upstream documentation.
+These protections need to be manually activated. Consulting the [enabling protections](#enabling-built-in-protections) guide and/or upstream documentation can be helpful.

-<!--
-NOTE: this is unsupported by the playbook due to the admin API being inaccessible from containers currently.
+The other method polls a Synapse Admin API endpoint, hence it is available only if using Synapse and if the Draupnir user is an admin. To enable it, set `pollReports: true` in your `vars.yml` file as below:

-The other method polls an Synapse Admin API endpoint, hence it is available only if using Synapse and if the Draupnir user is an admin (see [above](#register-the-bot-account)). To enable it, set `pollReports: true` on `vars.yml` file as below.
-->
+```yaml
+matrix_bot_draupnir_configuration_extension_yaml: |
+  pollReports: true
+```

 ### Extending the configuration

@@ -1,5 +1,5 @@
 <!--
-SPDX-FileCopyrightText: 2018 - 2024 Slavi Pantaleev
+SPDX-FileCopyrightText: 2018 - 2026 Slavi Pantaleev
 SPDX-FileCopyrightText: 2018 Hugues Morisset
 SPDX-FileCopyrightText: 2019 - 2022 MDAD project contributors
 SPDX-FileCopyrightText: 2021 Panagiotis Georgiadis
@@ -17,7 +17,7 @@ SPDX-License-Identifier: AGPL-3.0-or-later

 The playbook can install and configure [mautrix-telegram](https://github.com/mautrix/telegram) for you.

-See the project's [documentation](https://docs.mau.fi/bridges/python/telegram/index.html) to learn what it does and why it might be useful to you.
+See the project's [documentation](https://docs.mau.fi/bridges/go/telegram/index.html) to learn what it does and why it might be useful to you.

 ## Prerequisites

@@ -25,18 +25,12 @@ See the project's [documentation](https://docs.mau.fi/bridges/python/telegram/in

 To use the bridge, you'd need to obtain an API key from [https://my.telegram.org/apps](https://my.telegram.org/apps).

-### Enable Appservice Double Puppet or Shared Secret Auth (optional)
+### Enable Appservice Double Puppet (optional)

-If you want to set up [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do) for this bridge automatically, you need to have enabled [Appservice Double Puppet](configuring-playbook-appservice-double-puppet.md) or [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) service for this playbook.
+If you want to set up [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do) for this bridge automatically, you need to have enabled [Appservice Double Puppet](configuring-playbook-appservice-double-puppet.md) service for this playbook.

 See [this section](configuring-playbook-bridge-mautrix-bridges.md#set-up-double-puppeting-optional) on the [common guide for configuring mautrix bridges](configuring-playbook-bridge-mautrix-bridges.md) for details about setting up Double Puppeting.

-**Notes**:
-
- Double puppeting with the Shared Secret Auth works at the time of writing, but is deprecated and will stop working in the future.
-
- If you decided to enable Double Puppeting manually, send `login-matrix` to the bot in order to receive an instruction about how to send an access token to it.
-
 ## Adjusting the playbook configuration

 To enable the bridge, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file. Make sure to replace `YOUR_TELEGRAM_APP_ID` and `YOUR_TELEGRAM_API_HASH`.
@@ -49,37 +43,16 @@ matrix_mautrix_telegram_api_hash: YOUR_TELEGRAM_API_HASH

 ### Relaying

-### Enable relay-bot (optional)
-
-If you want to use the relay-bot feature ([relay bot documentation](https://docs.mau.fi/bridges/python/telegram/relay-bot.html)), which allows anonymous user to chat with telegram users, add the following configuration to your `vars.yml` file:
-
-```yaml
-matrix_mautrix_telegram_bot_token: YOUR_TELEGRAM_BOT_TOKEN
-matrix_mautrix_telegram_configuration_extension_yaml: |
-  bridge:
-    permissions:
-      '*': relaybot
-```
+This bridge supports the common [mautrix bridge relay mode](configuring-playbook-bridge-mautrix-bridges.md#enable-relay-mode-optional). Once enabled, any authenticated user can be turned into a relaybot for a chat by sending `!tg set-relay` in that chat.

 ### Configure a user as an administrator of the bridge (optional)

 You might also want to give permissions to a user to administrate the bot. See [this section](configuring-playbook-bridge-mautrix-bridges.md#configure-bridge-permissions-optional) on the common guide for details about it.

-More details about permissions in this example: https://github.com/mautrix/telegram/blob/master/mautrix_telegram/example-config.yaml#L410
-
-### Use the bridge for direct chats only (optional)
-
-If you want to exclude all groups from syncing and use the Telegram-Bridge only for direct chats, add the following configuration to your `vars.yml` file:
-
-```yaml
-matrix_mautrix_telegram_filter_mode: whitelist
-```
-
 ### Extending the configuration

 There are some additional things you may wish to configure about the bridge.

-<!-- NOTE: common relay mode is not supported for this bridge -->
 See [this section](configuring-playbook-bridge-mautrix-bridges.md#extending-the-configuration) on the [common guide for configuring mautrix bridges](configuring-playbook-bridge-mautrix-bridges.md) for details about variables that you can customize and the bridge's default configuration, including [bridge permissions](configuring-playbook-bridge-mautrix-bridges.md#configure-bridge-permissions-optional), [encryption support](configuring-playbook-bridge-mautrix-bridges.md#enable-encryption-optional), [bot's username](configuring-playbook-bridge-mautrix-bridges.md#set-the-bots-username-optional), etc.

 ## Installing
@@ -99,9 +72,9 @@ The shortcut commands with the [`just` program](just.md) are also available: `ju

 To use the bridge, you need to start a chat with `@telegrambot:example.com` (where `example.com` is your base domain, not the `matrix.` domain).

-You can then follow instructions on the bridge's [official documentation on Authentication](https://docs.mau.fi/bridges/python/telegram/authentication.html).
+You can then follow instructions on the bridge's [official documentation on Authentication](https://docs.mau.fi/bridges/go/telegram/authentication.html).

-After logging in, the bridge will create portal rooms for all of your Telegram groups and invite you to them. Note that the bridge won't automatically create rooms for private chats.
+After logging in, the bridge will create portal rooms for all of your Telegram groups and invite you to them.

 ## Troubleshooting

@@ -109,8 +82,9 @@ As with all other services, you can find the logs in [systemd-journald](https://

 ### Increase logging verbosity

-The default logging level for this component is `WARNING`. If you want to increase the verbosity, add the following configuration to your `vars.yml` file and re-run the playbook:
+The default logging level for this component is `warn`. If you want to increase the verbosity, add the following configuration to your `vars.yml` file and re-run the playbook:

 ```yaml
-matrix_mautrix_telegram_logging_level: DEBUG
+# Valid values: fatal, error, warn, info, debug, trace
+matrix_mautrix_telegram_logging_level: debug
 ```
@@ -0,0 +1,95 @@
+<!--
+SPDX-FileCopyrightText: 2025 - 2026 luschmar
+SPDX-FileCopyrightText: 2026 Slavi Pantaleev
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+-->
+
+# Setting up a Matrix <-> Meshtastic bridge (optional)
+
+The playbook can install and configure [meshtastic-matrix-relay](https://github.com/jeremiah-k/meshtastic-matrix-relay) (sometimes referred to as `mmrelay`) for you — a bridge between [Matrix](https://matrix.org/) and [Meshtastic](https://meshtastic.org/) mesh networks.
+
+See the [project's documentation](https://github.com/jeremiah-k/meshtastic-matrix-relay) to learn what it does and why it might be useful to you.
+
+## Prerequisites
+
+You need a Matrix account for the bot. You can either [register the bot account manually](registering-users.md) or let the playbook create it when running `ansible-playbook … --tags=ensure-matrix-users-created`. Either way, you'll need the account's **password** to configure the bridge — unlike most other bridges in this playbook, `mmrelay` authenticates with a password and creates its own session (optionally with End-to-End Encryption material).
+
+You also need access to a Meshtastic device, connected to the server via one of:
+
+- **TCP**: the device is reachable on the network (e.g. a Meshtastic node running the TCP API),
+- **Serial**: the device is plugged in via USB and available on the host (e.g. `/dev/ttyUSB0`),
+- **BLE**: the device is reachable via Bluetooth Low Energy from the host.
+
+## Adjusting the playbook configuration
+
+To enable the bridge, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:
+
+```yaml
+matrix_meshtastic_relay_enabled: true
+
+# Password for the bot's Matrix account.
+# On first startup, the bridge uses this to log in and persist credentials
+# (including End-to-End Encryption material) under its data directory.
+# After that, the password can be removed from this variable.
+matrix_meshtastic_relay_matrix_bot_password: "PASSWORD_FOR_THE_BOT"
+
+# How the bridge connects to your Meshtastic device.
+# One of: tcp, serial, ble
+matrix_meshtastic_relay_connection_type: tcp
+
+# For connection_type: tcp
+matrix_meshtastic_relay_tcp_host: "meshtastic.local"
+
+# For connection_type: serial
+# matrix_meshtastic_relay_serial_port: "/dev/ttyUSB0"
+
+# For connection_type: ble
+# matrix_meshtastic_relay_ble_address: "AA:BB:CC:DD:EE:FF"
+
+# Matrix rooms to bridge to Meshtastic channels.
+matrix_meshtastic_relay_matrix_rooms_list:
+  - id: "#meshtastic:{{ matrix_domain }}"
+    meshtastic_channel: "0"
+```
+
+By default, the bot's Matrix ID is `@meshtasticbot:{{ matrix_domain }}`. To change it, adjust `matrix_meshtastic_relay_matrix_bot_user_id`.
+
+### Bluetooth (BLE) connections
+
+When `matrix_meshtastic_relay_connection_type` is `ble`, the container runs with `--network=host` and bind-mounts the host's DBus socket — both are required for Bluetooth pairing/communication. Only use this connection type if you trust the playbook-managed host and are comfortable with these privileges.
+
+### Serial connections
+
+When `matrix_meshtastic_relay_connection_type` is `serial`, the host device referenced by `matrix_meshtastic_relay_serial_port` is passed through to the container. Make sure that `matrix_user_uid` / `matrix_user_gid` have read/write access to that device (e.g. by adding the matrix user to the `dialout` group, or adjusting udev rules).
+
+### Extending the configuration
+
+There are some additional things you may wish to configure about the bridge.
+
+Take a look at:
+
+- `roles/custom/matrix-bridge-meshtastic-relay/defaults/main.yml` for some variables that you can customize via your `vars.yml` file. You can override individual `matrix_meshtastic_relay_*` variables, or make finer-grained adjustments via `matrix_meshtastic_relay_configuration_extension_yaml`.
+
+## Installing
+
+After configuring the playbook, run the playbook with [playbook tags](playbook-tags.md) as below:
+
+<!-- NOTE: let this conservative command run (instead of install-all) to make it clear that failure of the command means something is clearly broken. -->
+```sh
+ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
+```
+
+The shortcut commands with the [`just` program](just.md) are also available: `just install-all` or `just setup-all`.
+
+`just install-all` is useful for maintaining your setup quickly ([2x-5x faster](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) than `just setup-all`) when its components remain unchanged. If you adjust your `vars.yml` to remove other components, you'd need to run `just setup-all`, or these components will still remain installed. Note these shortcuts run the `ensure-matrix-users-created` tag too.
+
+## Usage
+
+Invite the bot to the Matrix rooms listed in `matrix_meshtastic_relay_matrix_rooms_list` and it will relay between Matrix and the corresponding Meshtastic channel. Messages sent on Meshtastic will appear in Matrix and vice versa.
+
+See the [project's wiki](https://github.com/jeremiah-k/meshtastic-matrix-relay/wiki) for details about commands, plugins and advanced usage.
+
+## Troubleshooting
+
+As with all other services, you can find the logs in [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) by logging in to the server with SSH and running `journalctl -fu matrix-meshtastic-relay`.
@@ -1,6 +1,6 @@
 <!--
 SPDX-FileCopyrightText: 2019 Eduardo Beltrame
-SPDX-FileCopyrightText: 2019-2025 Slavi Pantaleev
+SPDX-FileCopyrightText: 2019-2026 Slavi Pantaleev
 SPDX-FileCopyrightText: 2020 Tulir Asokan
 SPDX-FileCopyrightText: 2021, 2024 MDAD project contributors
 SPDX-FileCopyrightText: 2022 Dennis Ciba
@@ -29,13 +29,17 @@ To uninstall the service, run the command below on the server:
 systemctl disable --now matrix-conduwuit.service
 ```

+## Migrating to Tuwunel
+
+[Tuwunel](configuring-playbook-tuwunel.md) is a fork of conduwuit, [endorsed as conduwuit's successor](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/5200#issuecomment-4396211185) by the former conduwuit maintainer. It reads conduwuit's database directly, so migration is possible. Please refer to [this section](./configuring-playbook-tuwunel.md#migrating-from-conduwuit) for details.
+
 ## Migrating to Continuwuity

 Since [Continuwuity](configuring-playbook-continuwuity.md) is a drop-in replacement for conduwuit, migration is possible. Please refer to [this section](./configuring-playbook-continuwuity.md#migrating-from-conduwuit) for details.

 ## Removing data manually

-If you are not going to migrate to [Continuwuity](configuring-playbook-continuwuity.md), you can remove data by running the command on the server:
+If you are not going to migrate to [Tuwunel](configuring-playbook-tuwunel.md) or [Continuwuity](configuring-playbook-continuwuity.md), you can remove data by running the command on the server:

 ```sh
 rm -rf /matrix/conduwuit
@@ -46,6 +46,13 @@ Take a look at:

 There are various Ansible variables that control settings in the `continuwuity.toml` file.

+💡 By default, the playbook wires Continuwuity into a few playbook-wide settings:
+
+- if `exim_relay_enabled: true` (the default), Continuwuity SMTP is automatically enabled and pointed at the [local Exim relay](configuring-playbook-email.md) service
+- `matrix_continuwuity_config_well_known_client` is automatically set to the public homeserver URL in the usual SSL-enabled setup, which helps email verification and password-reset links work in delegated-domain setups
+
+You can override any of these defaults in your `vars.yml` file if you want Continuwuity to use a different SMTP server or a different well-known client URL.
+
 If a specific setting you'd like to change does not have a dedicated Ansible variable, you can either submit a PR to us to add it, or you can [override the setting using an environment variable](https://continuwuity.org/configuration#environment-variables) using `matrix_continuwuity_environment_variables_extension`. For example:

 ```yaml
@@ -23,7 +23,7 @@ The [Ansible role for exim-relay](https://github.com/mother-of-all-self-hosting/

 1. **Final delivery capability**: Can deliver emails directly if you don't have an SMTP server

-2. **Centralized configuration**: Configure your upstream SMTP server once in exim-relay, then point all services ([Synapse](configuring-playbook-synapse.md), [Matrix Authentication Service](configuring-playbook-matrix-authentication-service.md), etc.) there—no need to configure SMTP in each component
+2. **Centralized configuration**: Configure your upstream SMTP server once in exim-relay, then point all services ([Synapse](configuring-playbook-synapse.md), [Matrix Authentication Service](configuring-playbook-matrix-authentication-service.md), [Continuwuity](configuring-playbook-continuwuity.md), etc.) there, with no need to configure SMTP in each component

 3. **Local spooling**: Stores messages locally and retries delivery if your upstream SMTP server is temporarily unavailable

@@ -24,14 +24,14 @@ matrix_synapse_federation_domain_whitelist:

 If you wish to disable federation, you can do that with an empty list (`[]`), or better yet by completely disabling federation (see below).

-## Exposing the room directory over federation
+## Controlling exposure of the room directory over federation

-By default, your server's public rooms directory is not exposed to other servers via federation.
+By default, your server's public rooms directory is exposed to other servers via federation, so that public rooms hosted on your server can be discovered by users on other servers. This goes against the Synapse upstream default (which is `false`); see the [2023-10-23 changelog entry](../CHANGELOG.md#enabling-allow_public_rooms_over_federation-by-default-for-synapse) for the reasoning behind this choice.

-To expose it, add the following configuration to your `vars.yml` file:
+To prevent your public rooms directory from being exposed over federation (restoring the Synapse upstream default), add the following configuration to your `vars.yml` file:

 ```yaml
-matrix_synapse_allow_public_rooms_over_federation: true
+matrix_synapse_allow_public_rooms_over_federation: false
 ```

 ## Disabling federation
@@ -38,6 +38,12 @@ matrix_rtc_enabled: true

 In addition to the HTTP/HTTPS ports (which you've already exposed as per the [prerequisites](prerequisites.md) document), you'll also need to open ports required by [LiveKit Server](configuring-playbook-livekit-server.md) as described in its own [Adjusting firewall rules](configuring-playbook-livekit-server.md#adjusting-firewall-rules) section.

+## Fronting the integrated reverse-proxy with another reverse-proxy
+
+If you're [fronting the integrated reverse-proxy webserver with another reverse-proxy](configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) (e.g. nginx), it needs to forward WebSocket traffic for [LiveKit Server](configuring-playbook-livekit-server.md) at the `/livekit-server/` path. Without that, Matrix RTC calls will not work.
+
+See [`examples/reverse-proxies/nginx/matrix.conf`](../examples/reverse-proxies/nginx/matrix.conf) for an nginx example.
+
 ## Installing

 After configuring the playbook and potentially [adjusting your DNS records](#adjusting-dns-records) and [adjusting firewall rules](#adjusting-firewall-rules), run the playbook with [playbook tags](playbook-tags.md) as below:
@@ -0,0 +1,241 @@
+<!--
+SPDX-FileCopyrightText: 2026 MDAD project contributors
+SPDX-FileCopyrightText: 2026 Jason Volk
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+-->
+
+# Configuring Tuwunel (optional)
+
+The playbook can install and configure the [Tuwunel](https://matrix-construct.github.io/tuwunel/) Matrix homeserver for you.
+
+Tuwunel is a featureful homeserver written entirely in Rust, intended as a scalable, low-cost, enterprise-ready alternative to Synapse that fully implements the [Matrix specification](https://spec.matrix.org/latest/) for all but the most niche uses. It is the official successor to [conduwuit](configuring-playbook-conduwuit.md), is now sponsored by the government of Switzerland 🇨🇭 (where it is currently deployed for citizens), and is used by a number of organisations with a vested interest in its continued development. See the project's [documentation](https://matrix-construct.github.io/tuwunel/) for further background.
+
+By default, the playbook installs [Synapse](https://github.com/element-hq/synapse) as it's the only full-featured Matrix server at the moment. If that's okay, you can skip this document.
+
+> [!WARNING]
+> - **You can't switch an existing Matrix server's implementation** (e.g. Synapse → Tuwunel). Proceed below only if you're OK with starting over, or you're dealing with a server on a new domain name which hasn't participated in the Matrix federation yet. The one exception is migrating from conduwuit; see [Migrating from conduwuit](#migrating-from-conduwuit).
+> - **Homeserver implementations other than Synapse may not be fully functional** with every part of this playbook. Make yourself familiar with the trade-offs before proceeding.
+
+## Adjusting the playbook configuration
+
+To use Tuwunel, set the following on `inventory/host_vars/matrix.example.com/vars.yml`:
+
+```yaml
+matrix_homeserver_implementation: tuwunel
+
+# Open the registration endpoint long enough to create your first user.
+# After signing up, set this back to false.
+matrix_tuwunel_config_allow_registration: true
+
+# A registration token to protect the endpoint from abuse.
+# Generate one with `pwgen -s 64 1` or similar.
+matrix_tuwunel_config_registration_token: ''
+```
+
+The first user account that registers becomes a server admin and is automatically invited to the admin room. See [Creating the first user account](#creating-the-first-user-account) below for the bootstrap procedure.
+
+## Wiring done for you
+
+When `matrix_homeserver_implementation: tuwunel` is set, the playbook automatically integrates Tuwunel with the rest of your stack:
+
+- **Federation.** Toggled by `matrix_homeserver_federation_enabled`. The federation virtual host (port 8448 in the default setup) is wired up via Traefik labels.
+- **Well-known.** `matrix_tuwunel_config_well_known_client` is set to your public homeserver URL whenever SSL is enabled. Matrix clients use this for delegated-domain server discovery; identity-provider entries below can also omit their `callback_url`, since Tuwunel derives `<well-known>/_matrix/client/unstable/login/sso/callback/<client_id>` automatically.
+- **Element Call / MatrixRTC.** When the [LiveKit JWT service](configuring-playbook-matrix-rtc.md) is enabled, Tuwunel publishes its public URL through `.well-known/matrix/client` per [MSC4143](https://github.com/matrix-org/matrix-spec-proposals/pull/4143).
+- **Legacy calls (TURN).** When [Coturn](configuring-playbook-turn.md) is enabled, its URIs and shared secret (or username/password, depending on `coturn_authentication_method`) are wired automatically.
+
+## Extending the configuration
+
+Tuwunel exposes a large configuration surface. The role surfaces commonly used options as Ansible variables under `matrix_tuwunel_config_*`. See [`roles/custom/matrix-tuwunel/defaults/main.yml`](../roles/custom/matrix-tuwunel/defaults/main.yml) for the complete list, and [`roles/custom/matrix-tuwunel/templates/tuwunel.toml.j2`](../roles/custom/matrix-tuwunel/templates/tuwunel.toml.j2) for the rendered configuration.
+
+For options that aren't surfaced as a dedicated variable, [environment variables](https://matrix-construct.github.io/tuwunel/configuration.html#environment-variables) are the recommended override mechanism. They take priority over the rendered TOML, are scoped to the running container, and require no template patching:
+
+```yaml
+matrix_tuwunel_environment_variables_extension: |
+  TUWUNEL_REQUEST_TIMEOUT=60
+  TUWUNEL_DNS_CACHE_SIZE=131072
+```
+
+Keys nested under a TOML section use `__` (double underscore) to descend, e.g. `TUWUNEL_WELL_KNOWN__SERVER`. User-named sections become path segments too: `TUWUNEL_STORAGE_PROVIDER__ARCHIVE__S3__URL` overrides the `url` field of the `archive` storage provider in the example below.
+
+If you need wholesale control of the configuration file, copy [`roles/custom/matrix-tuwunel/templates/tuwunel.toml.j2`](../roles/custom/matrix-tuwunel/templates/tuwunel.toml.j2) into your inventory and point `matrix_tuwunel_template_tuwunel_config` at your copy.
+
+The container image published as `:latest` is built with `io_uring`, `jemalloc`, LDAP, blurhashing, URL preview, sentry telemetry, and zstd compression all enabled, so most opt-in features are simply a configuration toggle away.
+
+### Identity providers (OAuth2 / OIDC)
+
+Configure one or more `[[global.identity_provider]]` entries via a list. Each entry maps directly to Tuwunel's [identity-provider fields](https://matrix-construct.github.io/tuwunel/authentication/providers.html); only the fields you set are emitted. GitHub, GitLab, and Google have built-in `issuer_url` defaults so a `client_id` plus `client_secret` is enough; for any other `brand` (Apple, Facebook, Keycloak, MAS, Twitter, etc.) you must supply `issuer_url` explicitly:
+
+```yaml
+matrix_tuwunel_config_identity_providers:
+  - brand: keycloak
+    client_id: matrix
+    client_secret: '<provider secret>'
+    issuer_url: https://sso.example.com/realms/matrix
+    callback_url: https://matrix.example.com/_matrix/client/unstable/login/sso/callback/matrix
+    trusted: true
+  - brand: github
+    client_id: '<github oauth app id>'
+    client_secret: '<github oauth app secret>'
+```
+
+Self-hosted providers must supply both `client_id` and `issuer_url`. Set `trusted: true` only on providers you operate yourself; trusting a public provider (GitHub, Google, etc.) is an account-takeover risk.
+
+### LDAP
+
+Tuwunel can authenticate `m.login.password` requests against an LDAP directory and, in search-then-bind mode, keep admin status in sync with directory membership. The shipped image already includes the `ldap` build feature.
+
+```yaml
+matrix_tuwunel_config_ldap_enabled: true
+matrix_tuwunel_config_ldap_uri: ldaps://ldap.example.com:636
+matrix_tuwunel_config_ldap_base_dn: ou=users,dc=example,dc=org
+matrix_tuwunel_config_ldap_bind_dn: cn=ldap-reader,dc=example,dc=org
+matrix_tuwunel_config_ldap_bind_password_file: /etc/tuwunel/ldap.pw
+matrix_tuwunel_config_ldap_filter: '(&(objectClass=person)(memberOf=cn=matrix,ou=groups,dc=example,dc=org))'
+```
+
+> [!NOTE]
+> `bind_password_file` is read **inside the container**. The role bind-mounts `/matrix/tuwunel/config` to `/etc/tuwunel` (read-only) and `/matrix/tuwunel/data` to `/var/lib/tuwunel`. To make the file available at the path above, drop it on the host at `/matrix/tuwunel/config/ldap.pw` (owned by `matrix:matrix`) before running the playbook; the role does not template secret files for you.
+
+For direct-bind, anonymous-search, and admin-sync details, see [LDAP authentication](https://matrix-construct.github.io/tuwunel/authentication/ldap.html).
+
+### JWT login
+
+Tuwunel can accept signed JSON Web Tokens both as a login flow and as a User-Interactive Authentication step:
+
+```yaml
+matrix_tuwunel_config_jwt_enabled: true
+matrix_tuwunel_config_jwt_key: '<shared secret>'
+matrix_tuwunel_config_jwt_format: HMAC          # one of HMAC, B64HMAC, ECDSA, EDDSA
+matrix_tuwunel_config_jwt_algorithm: HS256
+matrix_tuwunel_config_jwt_audience: ['matrix']
+matrix_tuwunel_config_jwt_issuer: ['https://issuer.example.com']
+```
+
+The defaults match Synapse's `experimental_features.jwt_config` semantics, so a key + algorithm port should authenticate the same set of tokens. See [Enterprise JWT](https://matrix-construct.github.io/tuwunel/authentication/jwt.html) for the full reference, including the asymmetric (ECDSA / EdDSA) formats and the operator-controlled UIAA override flow.
+
+### Media storage providers
+
+Each entry becomes a `[global.storage_provider.<id>.<kind>]` block. `kind` is `local` or `s3`; the remaining keys map directly to the fields documented in [Storage providers](https://matrix-construct.github.io/tuwunel/media/storage.html):
+
+```yaml
+matrix_tuwunel_config_storage_providers:
+  - id: primary
+    kind: local
+    base_path: /var/lib/tuwunel/media
+
+  - id: archive
+    kind: s3
+    url: s3://my-bucket/media
+    region: us-east-1
+    key: AKIA...
+    secret: '<aws secret>'
+    multipart_threshold: 100 MiB
+```
+
+The S3 backend ships with native multipart upload, so no goofys/rclone sidecar is required. MinIO, Cloudflare R2, and DigitalOcean Spaces all work; set `endpoint` and `use_vhost_request: false` as appropriate.
+
+> [!NOTE]
+> Local provider paths must live under `/var/lib/tuwunel` (the container's data mount, persisted on the host at `/matrix/tuwunel/data`), or you must mount the target directory into the container yourself via `matrix_tuwunel_container_extra_arguments`. The container otherwise runs read-only.
+
+### RocksDB and cache tuning
+
+Tuwunel embeds RocksDB. The defaults (`rocksdb_compression_algo: zstd`) suit most deployments. For high-throughput servers you may want to enable direct I/O, raise parallelism, and bump the cache modifier:
+
+```yaml
+matrix_tuwunel_config_rocksdb_direct_io: true
+matrix_tuwunel_config_rocksdb_parallelism_threads: 8
+matrix_tuwunel_config_cache_capacity_modifier: 2.0
+matrix_tuwunel_config_database_backup_path: /var/lib/tuwunel/backups
+```
+
+If you run on ZFS, the [Tuwunel maintenance guide](https://matrix-construct.github.io/tuwunel/maintenance.html#zfs) lists the dataset properties (`recordsize`, `primarycache`, `compression`, `atime`, `logbias`) and config flags (`rocksdb_direct_io`, `rocksdb_allow_fallocate`) you need to adjust to avoid severe write amplification.
+
+To enable Sentry crash reporting, set `matrix_tuwunel_config_sentry_enabled: true`.
+
+### Federation gating
+
+Tuwunel accepts regular-expression patterns at every level of remote-server filtering:
+
+```yaml
+matrix_tuwunel_config_forbidden_remote_server_names:
+  - 'bad\.example\.com$'
+matrix_tuwunel_config_forbidden_remote_room_directory_server_names:
+  - 'spam\.example\.com$'
+matrix_tuwunel_config_prevent_media_downloads_from:
+  - 'heavy\.example\.com$'
+```
+
+Tuwunel additionally implements [MSC4284 policy servers](https://github.com/matrix-org/matrix-spec-proposals/pull/4284) for room-level federation gating. The policy itself lives in room state, but enforcement is opt-in at the server level:
+
+```yaml
+matrix_tuwunel_config_enable_policy_servers: true
+matrix_tuwunel_config_policy_server_request_timeout: 5
+```
+
+When enabled, rooms with a valid `m.room.policy` state event have outgoing events signed by the configured policy server before federation. Transient network or timeout failures fail open (with a warn log), so a policy-server outage will not silently take the room offline.
+
+### Default room version
+
+The role sets `default_room_version: '12'`, so newly created rooms default to Matrix [room version 12](https://github.com/matrix-org/matrix-spec-proposals/pull/4289) ("Hydra"). Override `matrix_tuwunel_config_default_room_version` if you need an earlier version for client compatibility.
+
+## Creating the first user account
+
+Unlike Synapse and Dendrite, Tuwunel does not register users from the command line or via the playbook. On first startup it logs a one-time-use registration token to its journal:
+
+```sh
+# Adjust the duration if necessary or remove the --since argument.
+journalctl -u matrix-tuwunel.service --since="10 minutes ago"
+```
+
+Use the token to create your first account from any client that supports token-gated registration (e.g. [Element Web](configuring-playbook-client-element-web.md)). The account is auto-promoted to admin and invited to the admin room together with the `@conduit:<server_name>` server bot. The bot keeps the legacy `conduit` localpart due to the project's lineage from Conduit.
+
+## Configuring bridges and appservices
+
+The playbook does not auto-register appservices for Tuwunel. After your bridge has produced its `registration.yaml` (e.g. `/matrix/mautrix-signal/bridge/registration.yaml`), register it manually by sending the contents to the admin room, prefixed with `!admin appservices register` and wrapped in a fenced code block:
+
+    !admin appservices register
+    ```
+    id: signal
+    url: http://matrix-mautrix-signal:29328
+    as_token: <token>
+    hs_token: <token>
+    sender_localpart: _bot_signalbot
+    rate_limited: false
+    namespaces:
+      users:
+        - exclusive: true
+          regex: '^@signal_.+:example\.org$'
+        - exclusive: true
+          regex: '^@signalbot:example\.org$'
+      aliases:
+        - exclusive: true
+          regex: '^#signal_.+:example\.org$'
+    ```
+
+Registrations stored this way are persisted in the database and survive restarts. Re-running the command with the same `id` replaces the existing entry. See [Application services](https://matrix-construct.github.io/tuwunel/appservices.html) for the full reference and admin commands.
+
+## Migrating from conduwuit
+
+Tuwunel is a "binary swap" for conduwuit; it reads conduwuit's RocksDB layout directly, so migration is a data move, not an export/import.
+
+1. Set `matrix_homeserver_implementation: tuwunel` on `vars.yml` and remove any `matrix_conduwuit_*` overrides.
+2. Run a full installation so that the new service is created and the old one removed (e.g. `just setup-all`).
+3. Run `just run-tags tuwunel-migrate-from-conduwuit`.
+
+The migration stops `matrix-conduwuit.service`, copies `/matrix/conduwuit` into `/matrix/tuwunel`, renames the config file, and starts `matrix-tuwunel.service`. The freshly generated tuwunel data directory is preserved alongside as `/matrix/tuwunel_old` until you remove it manually.
+
+> [!CAUTION]
+> Migrating from any other Conduit derivative (Conduit itself, Continuwuity, or any other fork) is **not supported** and will corrupt your database. All Conduit forks share the same linear database version with no awareness of each other; switching between them produces unrecoverable damage. See the [upstream migration table](https://matrix-construct.github.io/tuwunel/#migrating-to-tuwunel).
+
+## Troubleshooting
+
+As with all other services, the logs are available via [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html):
+
+```sh
+journalctl -fu matrix-tuwunel
+```
+
+Logging verbosity is controlled by `matrix_tuwunel_config_log` in [`tracing-subscriber` env-filter syntax](https://docs.rs/tracing-subscriber/latest/tracing_subscriber/filter/struct.EnvFilter.html). The default (`info,state_res=warn`) is reasonable for production; for debugging, try `debug` or scope it tighter, e.g. `info,tuwunel_service::sending=debug`.
+
+For RocksDB-level issues, online backups, and offline backup procedures, see the [Tuwunel maintenance guide](https://matrix-construct.github.io/tuwunel/maintenance.html). For protocol-compliance state across MSCs, the spec, and Complement, the project's [compliance dashboard](https://matrix-construct.github.io/tuwunel/development/compliance.html) is the authoritative tracker.
@@ -53,6 +53,8 @@ For a more custom setup, see the [Other configuration options](#other-configurat

  - [Configuring continuwuity](configuring-playbook-continuwuity.md), if you've switched to the [continuwuity](https://continuwuity.org) homeserver implementation

+  - [Configuring Tuwunel](configuring-playbook-tuwunel.md), if you've switched to the [Tuwunel](https://matrix-construct.github.io/tuwunel/) homeserver implementation
+
  - [Configuring Dendrite](configuring-playbook-dendrite.md), if you've switched to the [Dendrite](https://matrix-org.github.io/dendrite) homeserver implementation

 - Server components:
@@ -182,6 +184,8 @@ Bridges can be used to connect your Matrix installation with third-party communi

 - [Setting up Heisenbridge bouncer-style IRC bridging](configuring-playbook-bridge-heisenbridge.md)

+- [Setting up a Matrix <-> Meshtastic bridge](configuring-playbook-bridge-meshtastic-relay.md)
+
 - [Setting up WeChat bridging](configuring-playbook-bridge-wechat.md)

 ### Bots
@@ -28,6 +28,7 @@ We try to stick to official images (provided by their respective projects) as mu
 | [Synapse](configuring-playbook-synapse.md) | [element-hq/synapse](https://ghcr.io/element-hq/synapse) | ✅ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network |
 | [Conduit](configuring-playbook-conduit.md) | [matrixconduit/matrix-conduit](https://hub.docker.com/r/matrixconduit/matrix-conduit) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Conduit is a lightweight open-source server implementation of the Matrix Specification with a focus on easy setup and low system requirements |
 | [continuwuity](configuring-playbook-continuwuity.md) | [continuwuation/continuwuity](https://forgejo.ellis.link/continuwuation/continuwuity) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. continuwuity is a continuation of conduwuit. |
+| [Tuwunel](configuring-playbook-tuwunel.md) | [matrix-construct/tuwunel](https://ghcr.io/matrix-construct/tuwunel) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Tuwunel is the official successor to conduwuit. |
 | [Dendrite](configuring-playbook-dendrite.md) | [matrixdotorg/dendrite-monolith](https://hub.docker.com/r/matrixdotorg/dendrite-monolith/) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Dendrite is a second-generation Matrix homeserver written in Go, an alternative to Synapse. |

 ## Clients
@@ -26,7 +26,7 @@ The up-to-date list can be accessed on [traefik's documentation](https://doc.tra

 **Note**: the changes below instruct you how to do this for a basic Synapse installation. You will need to adapt the variable name and the content of the labels:

- if you're using another homeserver implementation (e.g. [Conduit](./configuring-playbook-conduit.md), [continuwuity](./configuring-playbook-continuwuity.md) or [Dendrite](./configuring-playbook-dendrite.md))
+- if you're using another homeserver implementation (e.g. [Conduit](./configuring-playbook-conduit.md), [continuwuity](./configuring-playbook-continuwuity.md), [Tuwunel](./configuring-playbook-tuwunel.md) or [Dendrite](./configuring-playbook-dendrite.md))
 - if you're using [Synapse with workers enabled](./configuring-playbook-synapse.md#load-balancing-with-workers) (`matrix_synapse_workers_enabled: true`). In that case, it's actually the `matrix-synapse-reverse-proxy-companion` service which has Traefik labels attached

 Also, all instructions below are from an older version of the playbook and may not work anymore.
@@ -27,7 +27,7 @@ To update your playbook directory and all upstream Ansible roles (defined in the
 - either: `just update`
 - or: a combination of `git pull` and `just roles` (or `make roles` if you have `make` program on your computer instead of `just`)

-If you don't have either `just` tool or `make` program, you can run the `ansible-galaxy` tool directly: `rm -rf roles/galaxy; ansible-galaxy install -r requirements.yml -p roles/galaxy/ --force`
+If you don't have either `just` tool or `make` program, you can run the `ansible-galaxy` tool directly after updating the playbook: `git pull; rm -rf roles/galaxy; ansible-galaxy install -r requirements.yml -p roles/galaxy/ --force`

 For details about `just` commands, take a look at: [Running `just` commands](just.md).

@@ -1,10 +1,10 @@
 <!--
-SPDX-FileCopyrightText: 2018 - 2023 Slavi Pantaleev
 SPDX-FileCopyrightText: 2018 Aaron Raimist
+SPDX-FileCopyrightText: 2018-2026 Slavi Pantaleev
 SPDX-FileCopyrightText: 2024 Felix Stupp
 SPDX-FileCopyrightText: 2024 MDAD project contributors
 SPDX-FileCopyrightText: 2024 Nikita Chernyi
-SPDX-FileCopyrightText: 2024 Suguru Hirahara
+SPDX-FileCopyrightText: 2024-2026 Suguru Hirahara

 SPDX-License-Identifier: AGPL-3.0-or-later
 -->
@@ -36,13 +36,25 @@ If it looks good to you, go to the `matrix-docker-ansible-deploy` directory, upd
 - either: `just update`
 - or: a combination of `git pull` and `just roles` (or `make roles` if you have `make` program on your computer instead of `just`)

-If you don't have either `just` tool or `make` program, you can run the `ansible-galaxy` tool directly: `rm -rf roles/galaxy; ansible-galaxy install -r requirements.yml -p roles/galaxy/ --force`
+If you don't have either `just` tool or `make` program, you can run the `ansible-galaxy` tool directly after updating the playbook: `git pull; rm -rf roles/galaxy; ansible-galaxy install -r requirements.yml -p roles/galaxy/ --force`

 **Note**: for details about `just` commands, take a look at: [Running `just` commands](just.md).

+### Acknowledge breaking changes if any
+
+The playbook uses a migration validation system that ensures you are aware of breaking changes before they'll affect your deployment. If there is one, you are required to acknowledge each breaking change.
+
+Whenever a breaking change is introduced, the playbook will:
+
+- bump its expected version value (`matrix_playbook_migration_expected_version`), causing a discrepancy with what you validated (`matrix_playbook_migration_validated_version`)
+
+- fail when you run it with a helpful message listing what changed and linking to the relevant changelog entries
+
+After reviewing and adapting your setup, update the variable to the new version.
+
 ### Re-run the playbook setup

-After updating the Ansible roles, then re-run the [playbook setup](installing.md#maintaining-your-setup-in-the-future) and restart all services:
+After updating the Ansible roles and the variable for the validation system when necessary, re-run the [playbook setup](installing.md#maintaining-your-setup-in-the-future) and restart all services:

 ```sh
 ansible-playbook -i inventory/hosts setup.yml --tags=install-all,start
@@ -119,7 +119,7 @@ To update your playbook directory and all upstream Ansible roles, run:
 - either: `just update`
 - or: a combination of `git pull` and `just roles` (or `make roles` if you have `make` program on your computer instead of `just`)

-If you don't have either `just` tool or `make` program, you can run the `ansible-galaxy` tool directly: `rm -rf roles/galaxy; ansible-galaxy install -r requirements.yml -p roles/galaxy/ --force`
+If you don't have either `just` tool or `make` program, you can run the `ansible-galaxy` tool directly after updating the playbook: `git pull; rm -rf roles/galaxy; ansible-galaxy install -r requirements.yml -p roles/galaxy/ --force`

 ### Run installation command

@@ -19,7 +19,7 @@ services:
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      # - ./site:/var/www
-    # Other configurations …
+      # Other configurations …

 networks:
  # add this as well
@@ -22,6 +22,27 @@ server {
    # if you use e.g. Etherpad on etherpad.example.com, add etherpad.example.com to the server_name list
    server_name example.com matrix.example.com element.example.com;

+    # Required for Matrix RTC (WebSocket proxying to LiveKit Server).
+    # See: ../../../docs/configuring-playbook-matrix-rtc.md#fronting-the-integrated-reverse-proxy-with-another-reverse-proxy
+    location /livekit-server/ {
+        proxy_pass http://localhost:81/livekit-server/;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+
+        # Long timeouts for persistent WebSocket connections
+        proxy_read_timeout 86400s;
+        proxy_send_timeout 86400s;
+        proxy_buffering off;
+
+        access_log /var/log/nginx/matrix.access.log;
+        error_log /var/log/nginx/matrix.error.log;
+    }
+
    location / {
        # note: do not add a path (even a single /) after the port in `proxy_pass`,
        # otherwise, nginx will canonicalise the URI and cause signature verification
@@ -2,7 +2,7 @@
 # This variable acknowledges that you've reviewed breaking changes up to this version.
 # The playbook will fail if this is outdated, guiding you through what changed.
 # See the changelog: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md
-matrix_playbook_migration_validated_version: v2026.04.03.0
+matrix_playbook_migration_validated_version: v2026.04.24.0

 # The bare domain name which represents your Matrix identity.
 # Matrix user IDs for your server will be of the form (`@alice:example.com`).
@@ -429,6 +429,13 @@ devture_systemd_service_manager_services_list_auto: |
      'groups': ['matrix', 'bridges', 'hookshot', 'bridge-hookshot'],
    }] if matrix_hookshot_enabled else [])
    +
+    ([{
+      'name': 'matrix-meshtastic-relay.service',
+      'priority': 2000,
+      'restart_necessary': (matrix_meshtastic_relay_restart_necessary | bool),
+      'groups': ['matrix', 'bridges', 'meshtastic-relay'],
+    }] if matrix_meshtastic_relay_enabled else [])
+    +
    ([{
      'name': 'matrix-mautrix-bluesky.service',
      'priority': 2000,
@@ -624,6 +631,7 @@ devture_systemd_service_manager_services_list_auto: |
      'restart_necessary': (
        (matrix_conduit_restart_necessary | bool) if matrix_homeserver_implementation == 'conduit'
        else (matrix_continuwuity_restart_necessary | bool) if matrix_homeserver_implementation == 'continuwuity'
+        else (matrix_tuwunel_restart_necessary | bool) if matrix_homeserver_implementation == 'tuwunel'
        else (matrix_dendrite_restart_necessary | bool) if matrix_homeserver_implementation == 'dendrite'
        else true
      ),
@@ -1001,6 +1009,7 @@ matrix_homeserver_container_client_api_endpoint: |-
      'dendrite': ('matrix-dendrite:' + matrix_dendrite_http_bind_port | default('8008') | string),
      'conduit': ('matrix-conduit:' + matrix_conduit_port_number | default('8008') | string),
      'continuwuity': ('matrix-continuwuity:' + matrix_continuwuity_config_port_number | default('8008') | string),
+      'tuwunel': ('matrix-tuwunel:' + matrix_tuwunel_config_port_number | default('8008') | string),
    }[matrix_homeserver_implementation]
  }}

@@ -1011,6 +1020,7 @@ matrix_homeserver_container_federation_api_endpoint: |-
      'dendrite': ('matrix-dendrite:' + matrix_dendrite_http_bind_port | default('8008') | string),
      'conduit': ('matrix-conduit:' + matrix_conduit_port_number | default('8008') | string),
      'continuwuity': ('matrix-continuwuity:' + matrix_continuwuity_config_port_number | default('8008') | string),
+      'tuwunel': ('matrix-tuwunel:' + matrix_tuwunel_config_port_number | default('8008') | string),
    }[matrix_homeserver_implementation]
  }}

@@ -1117,7 +1127,7 @@ matrix_authentication_service_config_email_port: "{{ 8025 if exim_relay_enabled
 matrix_authentication_service_config_email_mode: "{{ 'plain' if exim_relay_enabled else 'starttls' }}"
 matrix_authentication_service_config_email_from_address: "{{ exim_relay_sender_address }}"

-matrix_authentication_service_admin_api_enabled: "{{ matrix_element_admin_enabled }}"
+matrix_authentication_service_admin_api_enabled: "{{ matrix_element_admin_enabled or matrix_ketesa_enabled }}"

 matrix_authentication_service_container_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else matrix_authentication_service_container_image_registry_prefix_upstream_default }}"

@@ -1936,9 +1946,6 @@ matrix_mautrix_meta_instagram_database_password: "{{ ((matrix_homeserver_generic
 # We don't enable bridges by default.
 matrix_mautrix_telegram_enabled: false

-matrix_mautrix_telegram_hostname: "{{ matrix_server_fqn_matrix }}"
-matrix_mautrix_telegram_path_prefix: "/{{ (matrix_homeserver_generic_secret_key + ':telegram') | hash('sha512') | to_uuid }}"
-
 matrix_mautrix_telegram_systemd_required_services_list_auto: |
  {{
    matrix_addons_homeserver_systemd_services_list
@@ -1946,16 +1953,9 @@ matrix_mautrix_telegram_systemd_required_services_list_auto: |
    ([postgres_identifier ~ '.service'] if (postgres_enabled and matrix_mautrix_telegram_database_hostname == postgres_connection_hostname) else [])
  }}

-matrix_mautrix_telegram_lottieconverter_container_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else matrix_mautrix_telegram_lottieconverter_container_image_registry_prefix_upstream_default }}"
-
 matrix_mautrix_telegram_container_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else matrix_mautrix_telegram_container_image_registry_prefix_upstream_default }}"

-# Images are multi-arch (amd64 and arm64, but not arm32).
 matrix_mautrix_telegram_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}"
-matrix_mautrix_telegram_lottieconverter_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}"
-matrix_mautrix_telegram_lottieconverter_container_image_self_build_mask_arch: "{{ matrix_architecture != 'amd64' }}"
-
-matrix_mautrix_telegram_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '9006') if matrix_playbook_service_host_bind_interface_prefix else '' }}"

 matrix_mautrix_telegram_container_network: "{{ matrix_addons_container_network }}"

@@ -1986,17 +1986,15 @@ matrix_mautrix_telegram_homeserver_token: "{{ (matrix_homeserver_generic_secret_

 matrix_mautrix_telegram_homeserver_async_media: "{{ matrix_homeserver_implementation in ['synapse'] }}"

-matrix_mautrix_telegram_bridge_login_shared_secret_map_auto: |-
+matrix_mautrix_telegram_provisioning_shared_secret: "{{ (matrix_homeserver_generic_secret_key + ':mau.telegram.prov') | hash('sha512') | to_uuid }}"
+
+matrix_mautrix_telegram_double_puppet_secrets_auto: |-
  {{
-    ({
+    {
      matrix_mautrix_telegram_homeserver_domain: ("as_token:" + matrix_appservice_double_puppet_registration_as_token)
-    })
+    }
    if matrix_appservice_double_puppet_enabled
-    else (
-      {matrix_mautrix_telegram_homeserver_domain: matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret}
-      if matrix_synapse_ext_password_provider_shared_secret_auth_enabled
-      else {}
-    )
+    else {}
  }}

 matrix_mautrix_telegram_metrics_enabled: "{{ prometheus_enabled or matrix_metrics_exposure_enabled }}"
@@ -2501,6 +2499,39 @@ matrix_hookshot_public_hostname: "{{ matrix_server_fqn_matrix }}"
 #
 ######################################################################

+######################################################################
+#
+# matrix-bridge-meshtastic-relay
+#
+######################################################################
+
+# We don't enable bridges by default.
+matrix_meshtastic_relay_enabled: false
+
+matrix_meshtastic_relay_container_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else matrix_meshtastic_relay_container_image_registry_prefix_upstream_default }}"
+
+matrix_meshtastic_relay_matrix_host: "{{ matrix_domain }}"
+
+matrix_meshtastic_relay_matrix_homeserver_url: "{{ matrix_addons_homeserver_client_api_url }}"
+
+matrix_meshtastic_relay_container_network: "{{ matrix_addons_container_network }}"
+
+matrix_meshtastic_relay_systemd_required_services_list_auto: |
+  {{
+    matrix_addons_homeserver_systemd_services_list
+  }}
+
+matrix_meshtastic_relay_container_additional_networks_auto: |
+  {{
+    ([] if matrix_addons_homeserver_container_network == '' or matrix_addons_homeserver_container_network == matrix_meshtastic_relay_container_network else [matrix_addons_homeserver_container_network])
+  }}
+
+######################################################################
+#
+# /matrix-bridge-meshtastic-relay
+#
+######################################################################
+
 ######################################################################
 #
 # matrix-bridge-mx-puppet-steam
@@ -3681,7 +3712,7 @@ ddclient_uid: "{{ matrix_user_uid }}"
 ddclient_gid: "{{ matrix_user_gid }}"

 ddclient_container_image_registry_prefix: "{{ 'localhost/' if ddclient_container_image_self_build else ddclient_container_image_registry_prefix_upstream }}"
-ddclient_container_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else ddclient_docker_image_registry_prefix_upstream_default }}"
+ddclient_container_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else ddclient_container_image_registry_prefix_upstream_default }}"

 ddclient_web: "https://cloudflare.com/cdn-cgi/trace"

@@ -5132,7 +5163,7 @@ matrix_ketesa_config_asManagedUsers_auto: |
    +
    ([
      '^@'+(matrix_mautrix_telegram_appservice_bot_username | default('') | regex_escape)+':'+(matrix_domain | regex_escape)+'$',
-      '^@'+(matrix_mautrix_telegram_username_template | regex_escape | replace('{userid}', '.+'))+':'+(matrix_domain | regex_escape)+'$',
+      '^@telegram_(channel-)?[0-9]+:'+(matrix_domain | regex_escape)+'$',
    ] if matrix_mautrix_telegram_enabled else [])
    +
    ([
@@ -5530,6 +5561,7 @@ grafana_default_home_dashboard_path: |-
      'dendrite': ('/etc/grafana/dashboards/node-exporter-full.json' if prometheus_node_exporter_enabled else ''),
      'conduit': ('/etc/grafana/dashboards/node-exporter-full.json' if prometheus_node_exporter_enabled else ''),
      'continuwuity': ('/etc/grafana/dashboards/node-exporter-full.json' if prometheus_node_exporter_enabled else ''),
+      'tuwunel': ('/etc/grafana/dashboards/node-exporter-full.json' if prometheus_node_exporter_enabled else ''),
    }[matrix_homeserver_implementation]
  }}

@@ -5590,6 +5622,7 @@ matrix_registration_shared_secret: |-
      'dendrite': matrix_dendrite_client_api_registration_shared_secret | default (''),
      'conduit': '',
      'continuwuity': '',
+      'tuwunel': '',
    }[matrix_homeserver_implementation]
  }}

@@ -5760,6 +5793,12 @@ matrix_continuwuity_hostname: "{{ matrix_server_fqn_matrix }}"

 matrix_continuwuity_config_allow_federation: "{{ matrix_homeserver_federation_enabled }}"

+matrix_continuwuity_config_well_known_client: "{{ matrix_homeserver_url if matrix_playbook_ssl_enabled else '' }}"
+
+matrix_continuwuity_config_smtp_enabled: "{{ exim_relay_enabled }}"
+matrix_continuwuity_config_smtp_connection_uri: "{{ ('smtp://' ~ exim_relay_identifier ~ ':8025') if exim_relay_enabled else '' }}"
+matrix_continuwuity_config_smtp_sender: "{{ exim_relay_sender_address if exim_relay_enabled else '' }}"
+
 matrix_continuwuity_container_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else matrix_continuwuity_container_image_registry_prefix_upstream_default }}"

 matrix_continuwuity_container_network: "{{ matrix_homeserver_container_network }}"
@@ -5768,6 +5807,8 @@ matrix_continuwuity_container_additional_networks_auto: |
  {{
    (
      ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_continuwuity_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network else [])
+      +
+      ([exim_relay_container_network] if (exim_relay_enabled and matrix_continuwuity_config_smtp_enabled and matrix_continuwuity_config_smtp_connection_uri == ('smtp://' ~ exim_relay_identifier ~ ':8025') and matrix_continuwuity_container_network != exim_relay_container_network) else [])
    ) | unique
  }}

@@ -5795,6 +5836,11 @@ matrix_continuwuity_config_turn_password: "{{ coturn_lt_cred_mech_password if (c

 matrix_continuwuity_self_check_validate_certificates: "{{ matrix_playbook_ssl_enabled }}"

+matrix_continuwuity_systemd_wanted_services_list_auto: |
+  {{
+    ([exim_relay_identifier ~ '.service'] if (exim_relay_enabled and matrix_continuwuity_config_smtp_enabled and matrix_continuwuity_config_smtp_connection_uri == ('smtp://' ~ exim_relay_identifier ~ ':8025')) else [])
+  }}
+
 ######################################################################
 #
 # /matrix-continuwuity
@@ -5802,6 +5848,67 @@ matrix_continuwuity_self_check_validate_certificates: "{{ matrix_playbook_ssl_en
 ######################################################################


+######################################################################
+#
+# matrix-tuwunel
+#
+######################################################################
+
+matrix_tuwunel_enabled: "{{ matrix_homeserver_implementation == 'tuwunel' }}"
+
+matrix_tuwunel_hostname: "{{ matrix_server_fqn_matrix }}"
+
+matrix_tuwunel_config_allow_federation: "{{ matrix_homeserver_federation_enabled }}"
+
+matrix_tuwunel_config_well_known_client: "{{ matrix_homeserver_url if matrix_playbook_ssl_enabled else '' }}"
+
+matrix_tuwunel_container_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else matrix_tuwunel_container_image_registry_prefix_upstream_default }}"
+
+matrix_tuwunel_container_network: "{{ matrix_homeserver_container_network }}"
+
+matrix_tuwunel_container_additional_networks_auto: |
+  {{
+    (
+      ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_tuwunel_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network else [])
+    ) | unique
+  }}
+
+matrix_tuwunel_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and not matrix_synapse_workers_enabled }}"
+matrix_tuwunel_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
+matrix_tuwunel_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
+matrix_tuwunel_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"
+
+matrix_tuwunel_container_labels_public_client_root_redirection_enabled: "{{ matrix_tuwunel_container_labels_public_client_root_redirection_url != '' }}"
+matrix_tuwunel_container_labels_public_client_root_redirection_url: "{{ (('https://' if matrix_playbook_ssl_enabled else 'http://') + matrix_server_fqn_element) if matrix_client_element_enabled else '' }}"
+
+matrix_tuwunel_container_labels_public_federation_api_traefik_hostname: "{{ matrix_server_fqn_matrix_federation }}"
+matrix_tuwunel_container_labels_public_federation_api_traefik_entrypoints: "{{ matrix_federation_traefik_entrypoint_name }}"
+matrix_tuwunel_container_labels_public_federation_api_traefik_tls: "{{ matrix_federation_traefik_entrypoint_tls }}"
+
+matrix_tuwunel_container_labels_internal_client_api_enabled: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled }}"
+matrix_tuwunel_container_labels_internal_client_api_traefik_entrypoints: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name }}"
+
+matrix_tuwunel_config_well_known_livekit_url: "{{ matrix_livekit_jwt_service_public_url if matrix_livekit_jwt_service_enabled else '' }}"
+
+matrix_tuwunel_config_turn_uris: "{{ coturn_turn_uris if coturn_enabled else [] }}"
+matrix_tuwunel_config_turn_secret: "{{ coturn_turn_static_auth_secret if (coturn_enabled and coturn_authentication_method == 'auth-secret') else '' }}"
+matrix_tuwunel_config_turn_username: "{{ coturn_lt_cred_mech_username if (coturn_enabled and coturn_authentication_method == 'lt-cred-mech') else '' }}"
+matrix_tuwunel_config_turn_password: "{{ coturn_lt_cred_mech_password if (coturn_enabled and coturn_authentication_method == 'lt-cred-mech') else '' }}"
+
+matrix_tuwunel_self_check_validate_certificates: "{{ matrix_playbook_ssl_enabled }}"
+
+matrix_tuwunel_systemd_wanted_services_list_auto: |
+  {{
+    ([coturn_identifier ~ '.service'] if coturn_enabled else [])
+  }}
+
+######################################################################
+#
+# /matrix-tuwunel
+#
+######################################################################
+
+
 ######################################################################
 #
 # matrix-user-creator
@@ -163,7 +163,7 @@ msgid "Granting Users the ability to use D4A"
 msgstr ""

 #: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:97
-msgid "Draupnir for all includes several security measures like that it only allows users that are on its allow list to ask for a bot. To add a user to this list we have 2 primary options. Using the chat to tell Draupnir to do this for us or if you want to automatically do it by sending `m.policy.rule.user` events that target the subject you want to allow provisioning for with the `org.matrix.mjolnir.allow` recomendation. Using the chat is recomended."
+msgid "Draupnir for all includes several security measures like that it only allows users that are on its allow list to ask for a bot. To add a user to this list we have 2 primary options. Using the chat to tell Draupnir to do this for us or if you want to automatically do it by sending `m.policy.rule.user` events that target the subject you want to allow provisioning for with the `org.matrix.mjolnir.allow` recomendation. Using the chat is recommended."
 msgstr ""

 #: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:99
@@ -162,7 +162,7 @@ msgid "Granting Users the ability to use D4A"
 msgstr ""

 #: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:97
-msgid "Draupnir for all includes several security measures like that it only allows users that are on its allow list to ask for a bot. To add a user to this list we have 2 primary options. Using the chat to tell Draupnir to do this for us or if you want to automatically do it by sending `m.policy.rule.user` events that target the subject you want to allow provisioning for with the `org.matrix.mjolnir.allow` recomendation. Using the chat is recomended."
+msgid "Draupnir for all includes several security measures like that it only allows users that are on its allow list to ask for a bot. To add a user to this list we have 2 primary options. Using the chat to tell Draupnir to do this for us or if you want to automatically do it by sending `m.policy.rule.user` events that target the subject you want to allow provisioning for with the `org.matrix.mjolnir.allow` recomendation. Using the chat is recommended."
 msgstr ""

 #: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:99
@@ -1,19 +1,19 @@
 alabaster==1.0.0
 babel==2.18.0
-certifi==2026.2.25
+certifi==2026.4.22
 charset-normalizer==3.4.7
-click==8.3.2
+click==8.3.3
 docutils==0.22.4
-idna==3.11
+idna==3.13
 imagesize==2.0.0
 Jinja2==3.1.6
 linkify-it-py==2.1.0
-markdown-it-py==4.0.0
+markdown-it-py==4.2.0
 MarkupSafe==3.0.3
-mdit-py-plugins==0.5.0
+mdit-py-plugins==0.6.0
 mdurl==0.1.2
 myst-parser==5.0.0
-packaging==26.1
+packaging==26.2
 Pygments==2.20.0
 PyYAML==6.0.3
 requests==2.33.1
@@ -30,4 +30,4 @@ sphinxcontrib-qthelp==2.0.0
 sphinxcontrib-serializinghtml==2.0.0
 tabulate==0.10.0
 uc-micro-py==2.0.0
-urllib3==2.6.3
+urllib3==2.7.0
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-04-03 11:59+0100\n"
+"POT-Creation-Date: 2026-05-07 11:16+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -188,6 +188,18 @@ msgstr ""
 msgid "[Link](docs/configuring-playbook-continuwuity.md)"
 msgstr ""

+#: ../../../README.md:0
+msgid "[Tuwunel](https://matrix-construct.github.io/tuwunel/)"
+msgstr ""
+
+#: ../../../README.md:0
+msgid "Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Tuwunel is the official successor to conduwuit."
+msgstr ""
+
+#: ../../../README.md:0
+msgid "[Link](docs/configuring-playbook-tuwunel.md)"
+msgstr ""
+
 #: ../../../README.md:0
 msgid "[Dendrite](https://github.com/element-hq/dendrite)"
 msgstr ""
@@ -200,11 +212,11 @@ msgstr ""
 msgid "[Link](docs/configuring-playbook-dendrite.md)"
 msgstr ""

-#: ../../../README.md:58
+#: ../../../README.md:59
 msgid "Clients"
 msgstr ""

-#: ../../../README.md:60
+#: ../../../README.md:61
 msgid "Web clients for Matrix that you can host on your own domains."
 msgstr ""

@@ -276,11 +288,11 @@ msgstr ""
 msgid "[Link](docs/configuring-playbook-client-fluffychat-web.md)"
 msgstr ""

-#: ../../../README.md:71
+#: ../../../README.md:72
 msgid "Server Components"
 msgstr ""

-#: ../../../README.md:73
+#: ../../../README.md:74
 msgid "Services that run on the server to make the various parts of your installation work."
 msgstr ""

@@ -368,11 +380,11 @@ msgstr ""
 msgid "[Link](docs/configuring-playbook-matrix-rtc.md)"
 msgstr ""

-#: ../../../README.md:85
+#: ../../../README.md:86
 msgid "Authentication"
 msgstr ""

-#: ../../../README.md:87
+#: ../../../README.md:88
 msgid "Extend and modify how users are authenticated on your homeserver."
 msgstr ""

@@ -460,11 +472,11 @@ msgstr ""
 msgid "[Link](docs/configuring-playbook-synapse-simple-antispam.md)"
 msgstr ""

-#: ../../../README.md:99
+#: ../../../README.md:100
 msgid "File Storage"
 msgstr ""

-#: ../../../README.md:101
+#: ../../../README.md:102
 msgid "Use alternative file storage to the default `media_store` folder."
 msgstr ""

@@ -500,11 +512,11 @@ msgstr ""
 msgid "[Link](docs/configuring-playbook-matrix-media-repo.md)"
 msgstr ""

-#: ../../../README.md:109
+#: ../../../README.md:110
 msgid "Bridges"
 msgstr ""

-#: ../../../README.md:111
+#: ../../../README.md:112
 msgid "Bridges can be used to connect your Matrix installation with third-party communication networks."
 msgstr ""

@@ -748,6 +760,18 @@ msgstr ""
 msgid "[Link](docs/configuring-playbook-bridge-heisenbridge.md)"
 msgstr ""

+#: ../../../README.md:0
+msgid "[meshtastic-matrix-relay](https://github.com/jeremiah-k/meshtastic-matrix-relay)"
+msgstr ""
+
+#: ../../../README.md:0
+msgid "Bridge to [Meshtastic](https://meshtastic.org/) mesh networks"
+msgstr ""
+
+#: ../../../README.md:0
+msgid "[Link](docs/configuring-playbook-bridge-meshtastic-relay.md)"
+msgstr ""
+
 #: ../../../README.md:0
 msgid "[mx-puppet-groupme](https://gitlab.com/xangelix-pub/matrix/mx-puppet-groupme)"
 msgstr ""
@@ -784,11 +808,11 @@ msgstr ""
 msgid "[Link](docs/configuring-playbook-bridge-postmoogle.md)"
 msgstr ""

-#: ../../../README.md:139
+#: ../../../README.md:141
 msgid "Bots"
 msgstr ""

-#: ../../../README.md:141
+#: ../../../README.md:143
 msgid "Bots provide various additional functionality to your installation."
 msgstr ""

@@ -888,11 +912,11 @@ msgstr ""
 msgid "[Link](docs/configuring-playbook-bot-buscarron.md)"
 msgstr ""

-#: ../../../README.md:154
+#: ../../../README.md:156
 msgid "Administration"
 msgstr ""

-#: ../../../README.md:156
+#: ../../../README.md:158
 msgid "Services that help you in administrating and monitoring your Matrix installation."
 msgstr ""

@@ -980,11 +1004,11 @@ msgstr ""
 msgid "[Link](docs/configuring-playbook-synapse-usage-exporter.md)"
 msgstr ""

-#: ../../../README.md:168
+#: ../../../README.md:170
 msgid "Misc"
 msgstr ""

-#: ../../../README.md:170
+#: ../../../README.md:172
 msgid "Various services that don't fit any other categories."
 msgstr ""

@@ -1108,54 +1132,54 @@ msgstr ""
 msgid "[Link](docs/configuring-playbook-element-call.md)"
 msgstr ""

-#: ../../../README.md:185
+#: ../../../README.md:187
 msgid "🆕 Changes"
 msgstr ""

-#: ../../../README.md:187
+#: ../../../README.md:189
 msgid "This playbook evolves over time, sometimes with backward-incompatible changes."
 msgstr ""

-#: ../../../README.md:189
+#: ../../../README.md:191
 msgid "When updating the playbook, refer to [the changelog](CHANGELOG.md) to catch up with what's new."
 msgstr ""

-#: ../../../README.md:191
+#: ../../../README.md:193
 msgid "🆘 Support"
 msgstr ""

-#: ../../../README.md:193
+#: ../../../README.md:195
 msgid "Matrix room: [#matrix-docker-ansible-deploy:devture.com](https://matrix.to/#/#matrix-docker-ansible-deploy:devture.com)"
 msgstr ""

-#: ../../../README.md:195
+#: ../../../README.md:197
 msgid "IRC channel: `#matrix-docker-ansible-deploy` on the [Libera Chat](https://libera.chat/) IRC network (irc.libera.chat:6697)"
 msgstr ""

-#: ../../../README.md:197
+#: ../../../README.md:199
 msgid "GitHub issues: [spantaleev/matrix-docker-ansible-deploy/issues](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues)"
 msgstr ""

-#: ../../../README.md:199
+#: ../../../README.md:201
 msgid "🌐 Translation"
 msgstr ""

-#: ../../../README.md:201
+#: ../../../README.md:203
 msgid "See the [i18n/README.md](i18n/README.md) file for more information about translation."
 msgstr ""

-#: ../../../README.md:203
+#: ../../../README.md:205
 msgid "Translations are still work in progress."
 msgstr ""

-#: ../../../README.md:205
+#: ../../../README.md:207
 msgid "🤝 Related"
 msgstr ""

-#: ../../../README.md:207
+#: ../../../README.md:209
 msgid "You may also be interested in [mash-playbook](https://github.com/mother-of-all-self-hosting/mash-playbook) - another Ansible playbook for self-hosting non-Matrix services (see its [List of supported services](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/supported-services.md))."
 msgstr ""

-#: ../../../README.md:209
+#: ../../../README.md:211
 msgid "mash-playbook also makes use of [Traefik](./docs/configuring-playbook-traefik.md) as its reverse-proxy, so with minor [interoperability adjustments](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/interoperability.md), you can make matrix-docker-ansible-deploy and mash-playbook co-exist and host Matrix and non-Matrix services on the same server."
 msgstr ""
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-13 10:32+0000\n"
+"POT-Creation-Date: 2026-05-07 14:00+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -16,167 +16,215 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"

-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:8
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:9
 msgid "Setting up Draupnir for All/D4A (optional)"
 msgstr ""

-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:10
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:11
 msgid "The playbook can install and configure the [Draupnir](https://github.com/the-draupnir-project/Draupnir) moderation tool for you in appservice mode."
 msgstr ""

-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:12
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:13
 msgid "Appservice mode can be used together with the regular [Draupnir bot](configuring-playbook-bot-draupnir.md) or independently. Details about the differences between the 2 modes are described below."
 msgstr ""

-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:14
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:15
 msgid "Draupnir Appservice mode compared to Draupnir bot mode"
 msgstr ""

-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:16
-msgid "The administrative functions for managing the appservice are alpha quality and very limited. However, the experience of using an appservice-provisioned Draupnir is on par with the experience of using Draupnir from bot mode except in the case of avatar customisation as described later on in this document."
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:17
+msgid "The administrative functions for managing the appservice are alpha quality and very limited. However, the experience of using an appservice-provisioned Draupnir is on par with the experience of using Draupnir from bot mode."
 msgstr ""

-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:18
-msgid "Draupnir for all is the way to go if you need more than 1 Draupnir instance, but you don't need access to Synapse Admin features as they are not accessible through Draupnir for All (Even though the commands do show up in help)."
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:19
+msgid "Draupnir for all is the way to go if you need more than 1 Draupnir instance, but you don't need access to Synapse Admin features as they are not accessible through Draupnir for All."
 msgstr ""

-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:20
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:21
 msgid "Draupnir for all in the playbook is rate-limit-exempt automatically as its appservice configuration file does not specify any rate limits."
 msgstr ""

-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:22
-msgid "Normal Draupnir does come with the benefit of access to Synapse Admin features. You are also able to more easily customise your normal Draupnir than D4A as D4A even on the branch with the Avatar command (To be Upstreamed to Mainline Draupnir) that command is clunky as it requires the use of things like Element Web devtools. In normal Draupnir this is a quick operation where you login to Draupnir with a normal client and set Avatar and Display name normally."
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:23
+msgid "Normal Draupnir does come with the benefit of access to Synapse Admin features. You are also able to more easily customise your normal Draupnir than D4A as the avatar command is clunky as it requires the use of things like Element Web devtools. In normal Draupnir this can be done while logged in to the Draupnir account with a normal client and set Avatar and Display name normally."
 msgstr ""

-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:24
-msgid "Draupnir for all does not support external tooling like [MRU](https://mru.rory.gay) as it can't access Draupnir's user account."
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:25
+msgid "Draupnir for all only has limited support for external tooling like [MRU](https://mru.rory.gay) as it can't access Draupnir's user account."
 msgstr ""

-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:26
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:27
 msgid "Prerequisites"
 msgstr ""

-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:28
-msgid "Create a main management room"
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:29
+msgid "Prerequisites for Zero Touch Deployment (recommended)"
 msgstr ""

-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:30
-msgid "The playbook does not create a management room for your Main Draupnir. You **need to create the room manually** before setting up the bot."
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:31
+msgid "As of Draupnir 3.1.0, Zero Touch Deployment of Draupnir Appservice Mode (Draupnir for all) requires you to supply the following:"
 msgstr ""

-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:32
-msgid "Note that the room must be unencrypted."
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:33
+msgid "MXID of the first person who gets invited to the admin room that the bot creates for you."
 msgstr ""

-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:34
-msgid "The management room has to be given an alias, and your bot has to be invited to the room."
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:35
+msgid "That is all. The appservice manages everything on its own after you provide it with an MXID to invite."
 msgstr ""

-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:36
-msgid "This management room is used to control who has access to your D4A deployment. The room stores this data inside of the control room state so your bot must have sufficient powerlevel to send custom state events. This is default 50 or moderator as Element clients call this powerlevel."
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:37
+msgid "If proceeding with Zero Touch Deployment, skip ahead to [Adjusting the playbook configuration](#adjusting-the-playbook-configuration)."
 msgstr ""

-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:38
-msgid "[!WARNING] Anyone in this room can control the bot so it is important that you only invite trusted users to this room."
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:39
+msgid "Create an admin room (optional)"
 msgstr ""

 #: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:41
-msgid "Adjusting the playbook configuration"
+msgid "The playbook does not create an admin room for your Draupnir, but the appservice itself can do this for you. Alternatively, you **can create the room manually** before setting up the bot."
 msgstr ""

 #: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:43
-msgid "Add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file. Make sure to replace `MANAGEMENT_ROOM_ALIAS_HERE`."
+msgid "Note that the room must be unencrypted."
 msgstr ""

-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:51
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:45
+msgid "The admin room has to be given an alias, and your bot has to be invited to the room."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:47
+msgid "This admin room is used to control who has access to your D4A deployment. The room stores this data in the control room state, so your bot must have sufficient power level to send custom state events. This is `50` by default (moderator, as Element clients call this power level)."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:49
+msgid "[!WARNING] Anyone in this room can control the bot so it is important that you only invite trusted users to this room."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:52
+msgid "Adjusting the playbook configuration"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:54
+msgid "When using Zero Touch Deployment, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file. Make sure to replace `INITIAL_MANAGER_MXID_HERE` with the MXID of the user who should be invited to the admin room first."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:64
+msgid "If opting out of Zero Touch Deployment, use the following configuration block instead. Make sure to replace `MANAGEMENT_ROOM_ALIAS_HERE` with the alias of the admin room you have created earlier."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:72
+msgid "Running both bot mode and appservice mode"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:74
+msgid "When running both [bot mode](./configuring-playbook-bot-draupnir.md) and appservice mode, the playbook will force-restart the bot if running a non-release tag like `latest` or `main` or a development build. This is due to the conditional restart logic not being able to reliably tell when an update happened."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:78
+msgid "Conditional restarts work correctly for all tags when running only one of these two operating modes."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:80
 msgid "Extending the configuration"
 msgstr ""

-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:53
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:82
 msgid "There are some additional things you may wish to configure about the component."
 msgstr ""

-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:55
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:84
 msgid "Take a look at:"
 msgstr ""

-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:57
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:86
 msgid "`roles/custom/matrix-appservice-draupnir-for-all/defaults/main.yml` for some variables that you can customize via your `vars.yml` file. You can override settings (even those that don't have dedicated playbook variables) using the `matrix_appservice_draupnir_for_all_configuration_extension_yaml` variable"
 msgstr ""

-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:59
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:88
 msgid "For example, to change Draupnir's `protectAllJoinedRooms` option to `true`, add the following configuration to your `vars.yml` file:"
 msgstr ""

-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:73
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:102
 msgid "You can refer to the upstream [documentation](https://github.com/the-draupnir-project/Draupnir) for more configuration documentation."
 msgstr ""

-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:75
-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:90
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:104
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:119
 msgid "**Notes**:"
 msgstr ""

-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:77
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:106
 msgid "The playbook ships a full copy of the example config that does transfer to provisioned Draupnirs in the production-bots.yaml.j2 file in the template directory of the role."
 msgstr ""

-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:79
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:108
 msgid "Config extension does not affect the appservices config as this config is not extensible in current Draupnir anyway. It instead touches the config passed to the Draupnirs that your Appservice creates. So the example above (`protectAllJoinedRooms: true`) makes all provisioned Draupnirs protect all joined rooms."
 msgstr ""

-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:81
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:110
 msgid "Installing"
 msgstr ""

-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:83
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:112
 msgid "After configuring the playbook, run it with [playbook tags](playbook-tags.md) as below:"
 msgstr ""

-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:92
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:121
 msgid "The shortcut commands with the [`just` program](just.md) are also available: `just install-all` or `just setup-all`"
 msgstr ""

-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:94
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:123
 msgid "`just install-all` is useful for maintaining your setup quickly ([2x-5x faster](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) than `just setup-all`) when its components remain unchanged. If you adjust your `vars.yml` to remove other components, you'd need to run `just setup-all`, or these components will still remain installed."
 msgstr ""

-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:96
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:125
 msgid "Usage"
 msgstr ""

-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:98
-msgid "If you made it through all the steps above and your main control room was joined by a user called `@draupnir-main:example.com` you have successfully installed Draupnir for All and can now start using it."
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:127
+msgid "If you made it through all the steps above and your main control room was joined by a user called `@draupnir-main:example.com`, you have successfully installed Draupnir for All and can now start using it."
 msgstr ""

-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:100
-msgid "The installation of Draupnir for all in this playbook is very much Alpha quality. Usage-wise, Draupnir for all is almost identical to Draupnir bot mode."
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:129
+msgid "If using Zero Touch Deployment, the flow is reversed and the success signal is the initial manager account being invited to the admin room."
 msgstr ""

-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:102
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:131
+msgid "Draupnir for all installation via this playbook is very much Alpha quality. Usage-wise, Draupnir for all is almost identical to Draupnir bot mode, except that protections requiring homeserver admin access are not available, and the config file is shared between all bots so legacy protections like wordlist share a single global config."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:133
 msgid "Granting Users the ability to use D4A"
 msgstr ""

-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:104
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:135
 msgid "Draupnir for all includes several security measures like that it only allows users that are on its allow list to ask for a bot. To add a user to this list we have 2 primary options. Using the chat to tell Draupnir to do this for us or if you want to automatically do it by sending `m.policy.rule.user` events that target the subject you want to allow provisioning for with the `org.matrix.mjolnir.allow` recommendation. Using the chat is recommended."
 msgstr ""

-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:106
-msgid "The bot requires a powerlevel of 50 in the management room to control who is allowed to use the bot. The bot does currently not say anything if this is true or false. (This is considered a bug and is documented in issue [#297](https://github.com/the-draupnir-project/Draupnir/issues/297))"
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:137
+msgid "The bot requires a power level of 50 in the management room to control who is allowed to use the bot. The bot does currently not say anything if this is true or false. (This is considered a bug and is documented in issue [#297](https://github.com/the-draupnir-project/Draupnir/issues/297).) This issue is largely mitigated by the Zero Touch Deployment workflows introduced in Draupnir 3.1.0."
 msgstr ""

-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:108
-msgid "To allow users or whole homeservers you type /plain !admin allow `target` and target can be either a MXID or a wildcard like `@*:example.com` to allow all users on example.com to register. We use /plain to force the client to not attempt to mess with this command as it can break Wildcard commands especially."
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:139
+msgid "To allow users or whole homeservers you type /plain !admin allow `target` and target can be either a MXID or a wildcard like `@*:example.com` to allow all users on example.com to provision a bot. We use /plain to force the client to not attempt to mess with this command as it can break Wildcard commands especially."
 msgstr ""

-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:110
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:141
 msgid "How to provision a D4A once you are allowed to"
 msgstr ""

-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:112
-msgid "To provision a D4A, you need to start a chat with `@draupnir-main:example.com`. The bot will reject this invite and you will shortly get invited to the Draupnir control room for your newly provisioned Draupnir. From here its just a normal Draupnir experience."
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:143
+msgid "Once someone is allowed to provision a bot, simply provision them one with `!admin provision MXID`."
 msgstr ""

-#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:114
-msgid "Congratulations if you made it all the way here because you now have a fully working Draupnir for all deployment."
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:145
+msgid "Self-service provisioning is disabled as a security measure because it is currently bugged. Force-provisioning (with `!admin provision`) bypasses this disabled status."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:147
+msgid "Note that you should always make sure there is an allow entry matching whoever is provisioned, because once self-service is fixed, the bot of anyone who is not allowed to provision a bot will refuse to start."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-appservice-draupnir-for-all.md:149
+msgid "Congratulations if you made it all the way here, because you now have a fully working Draupnir for all deployment."
 msgstr ""
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-04-03 11:56+0100\n"
+"POT-Creation-Date: 2026-05-07 14:00+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -16,419 +16,487 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"

-#: ../../../docs/configuring-playbook-bot-draupnir.md:10
+#: ../../../docs/configuring-playbook-bot-draupnir.md:11
 msgid "Setting up Draupnir (optional)"
 msgstr ""

-#: ../../../docs/configuring-playbook-bot-draupnir.md:12
+#: ../../../docs/configuring-playbook-bot-draupnir.md:13
 msgid "The playbook can install and configure the [Draupnir](https://github.com/the-draupnir-project/Draupnir) moderation bot for you."
 msgstr ""

-#: ../../../docs/configuring-playbook-bot-draupnir.md:14
+#: ../../../docs/configuring-playbook-bot-draupnir.md:15
 msgid "See the project's [documentation](https://the-draupnir-project.github.io/draupnir-documentation/) to learn what it does and why it might be useful to you."
 msgstr ""

-#: ../../../docs/configuring-playbook-bot-draupnir.md:16
+#: ../../../docs/configuring-playbook-bot-draupnir.md:17
 msgid "This documentation page is about installing Draupnir in bot mode. As an alternative, you can run a multi-instance Draupnir deployment by installing [Draupnir in appservice mode](./configuring-playbook-appservice-draupnir-for-all.md) (called Draupnir-for-all) instead."
 msgstr ""

-#: ../../../docs/configuring-playbook-bot-draupnir.md:18
+#: ../../../docs/configuring-playbook-bot-draupnir.md:19
 msgid "If your migrating from [Mjolnir](configuring-playbook-bot-mjolnir.md), skip to [this section](#migrating-from-mjolnir-only-required-if-migrating)."
 msgstr ""

-#: ../../../docs/configuring-playbook-bot-draupnir.md:20
+#: ../../../docs/configuring-playbook-bot-draupnir.md:21
 msgid "Prerequisites"
 msgstr ""

-#: ../../../docs/configuring-playbook-bot-draupnir.md:22
-msgid "Create a management room"
+#: ../../../docs/configuring-playbook-bot-draupnir.md:23
+msgid "Prerequisites for Zero Touch Deployment (recommended)"
 msgstr ""

-#: ../../../docs/configuring-playbook-bot-draupnir.md:24
-msgid "Using your own account, create a new invite only room that you will use to manage the bot. This is the room where you will see the status of the bot and where you will send commands to the bot, such as the command to ban a user from another room."
+#: ../../../docs/configuring-playbook-bot-draupnir.md:25
+msgid "As of Draupnir 3.1.0, Zero Touch Deployment of Draupnir bot mode requires you to supply the following:"
 msgstr ""

-#: ../../../docs/configuring-playbook-bot-draupnir.md:26
-msgid "[!WARNING] Anyone in this room can control the bot so it is important that you only invite trusted users to this room."
+#: ../../../docs/configuring-playbook-bot-draupnir.md:27
+msgid "MXID of the first person who gets invited to the management room that the bot creates for you."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bot-draupnir.md:28
+msgid "A permanent access token for authentication. Instructions for obtaining one can be found at [obtain an access token via curl](obtaining-access-tokens.md#obtain-an-access-token-via-curl)."
 msgstr ""

 #: ../../../docs/configuring-playbook-bot-draupnir.md:29
-msgid "It is possible to make the management room encrypted (E2EE). If doing so, then you need to enable the native E2EE support (see [below](#native-e2ee-support))."
+msgid "A user account for Draupnir."
 msgstr ""

 #: ../../../docs/configuring-playbook-bot-draupnir.md:31
-msgid "Once you have created the room you need to copy the room ID so you can specify it on your `inventory/host_vars/matrix.example.com/vars.yml` file. In Element Web you can check the ID by going to the room's settings and clicking \"Advanced\". The room ID will look something like `!qporfwt:example.com`."
+msgid "Zero Touch Deployment is the officially preferred installation method for new deployments of Draupnir as of 3.1.0."
 msgstr ""

 #: ../../../docs/configuring-playbook-bot-draupnir.md:33
-msgid "End-to-End Encryption support"
+msgid "Create a management room (optional)"
 msgstr ""

 #: ../../../docs/configuring-playbook-bot-draupnir.md:35
-msgid "Decide whether you want to support having an encrypted management room or not. Draupnir can still protect encrypted rooms without encryption support enabled."
+msgid "Using your own account, create a new invite only room that you will use to manage the bot. This is the room where you will see the status of the bot and where you will send commands to the bot, such as the command to ban a user from another room."
 msgstr ""

 #: ../../../docs/configuring-playbook-bot-draupnir.md:37
+msgid "[!WARNING] Anyone in this room can control the bot so it is important that you only invite trusted users to this room."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bot-draupnir.md:40
+msgid "It is possible to make the management room encrypted (E2EE). If doing so, then you need to enable the native E2EE support (see [below](#native-e2ee-support))."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bot-draupnir.md:42
+msgid "E2EE support for the management room is mutually exclusive with Zero Touch Deployment of Draupnir."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bot-draupnir.md:44
+msgid "Once you have created the room you need to copy the room ID so you can specify it on your `inventory/host_vars/matrix.example.com/vars.yml` file. In Element Web you can check the ID by going to the room's settings and clicking \"Advanced\". The room ID will look something like `!qporfwt:example.com`."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bot-draupnir.md:46
+msgid "End-to-End Encryption support"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bot-draupnir.md:48
+msgid "Decide whether you want to support having an encrypted management room or not. Draupnir can still protect encrypted rooms without encryption support enabled."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bot-draupnir.md:50
 msgid "Refer to Draupnir's [documentation](https://the-draupnir-project.github.io/draupnir-documentation/moderator/managing-protected-rooms#protecting-encrypted-rooms) for more details about why you might want to care about encryption support for protected rooms."
 msgstr ""

-#: ../../../docs/configuring-playbook-bot-draupnir.md:39
+#: ../../../docs/configuring-playbook-bot-draupnir.md:52
 msgid "Disable Pantalaimon for Draupnir (since v2.0.0; optional)"
 msgstr ""

-#: ../../../docs/configuring-playbook-bot-draupnir.md:41
+#: ../../../docs/configuring-playbook-bot-draupnir.md:54
 msgid "It is known that running Draupnir along with Pantalaimon breaks all workflows that involve answering prompts with reactions."
 msgstr ""

-#: ../../../docs/configuring-playbook-bot-draupnir.md:43
+#: ../../../docs/configuring-playbook-bot-draupnir.md:56
 msgid "If you are updating Draupnir from v1.x.x and have enabled Pantalaimon for it, you can disable Pantalaimon in favor of the native E2EE support. To disable Pantalaimon, remove the configuration `matrix_bot_draupnir_pantalaimon_use: true` from your `vars.yml` file."
 msgstr ""

-#: ../../../docs/configuring-playbook-bot-draupnir.md:45
+#: ../../../docs/configuring-playbook-bot-draupnir.md:58
 msgid "**Note**: because the management room is still encrypted, disabling it without enabling the native E2EE support will break the management room."
 msgstr ""

-#: ../../../docs/configuring-playbook-bot-draupnir.md:47
+#: ../../../docs/configuring-playbook-bot-draupnir.md:60
 msgid "Native E2EE support"
 msgstr ""

-#: ../../../docs/configuring-playbook-bot-draupnir.md:49
+#: ../../../docs/configuring-playbook-bot-draupnir.md:62
 msgid "To enable the native E2EE support, you need to obtain an access token for Draupnir and set it on your `vars.yml` file."
 msgstr ""

-#: ../../../docs/configuring-playbook-bot-draupnir.md:51
+#: ../../../docs/configuring-playbook-bot-draupnir.md:64
 msgid "Note that native E2EE requires a clean access token that has not touched E2EE so curl is recommended as a method to obtain it. **The access token obtained via Element Web does not work with it**. Refer to the documentation on [how to obtain an access token via curl](obtaining-access-tokens.md#obtain-an-access-token-via-curl)."
 msgstr ""

-#: ../../../docs/configuring-playbook-bot-draupnir.md:53
+#: ../../../docs/configuring-playbook-bot-draupnir.md:66
 msgid "To enable the native E2EE support, add the following configuration to your `vars.yml` file. Make sure to replace `CLEAN_ACCESS_TOKEN_HERE` with the access token you obtained just now."
 msgstr ""

-#: ../../../docs/configuring-playbook-bot-draupnir.md:64
+#: ../../../docs/configuring-playbook-bot-draupnir.md:77
 msgid "Adjusting the playbook configuration"
 msgstr ""

-#: ../../../docs/configuring-playbook-bot-draupnir.md:66
-msgid "To enable the bot, add the following configuration to your `vars.yml` file. Make sure to replace `MANAGEMENT_ROOM_ID_HERE` with the one of the room which you have created earlier."
+#: ../../../docs/configuring-playbook-bot-draupnir.md:79
+msgid "Configuration for Zero Touch Deployment (recommended)"
 msgstr ""

-#: ../../../docs/configuring-playbook-bot-draupnir.md:85
-msgid "Create and invite the bot to the management room"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bot-draupnir.md:87
-msgid "Before proceeding to the next step, run the playbook with the following command to create the bot user."
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bot-draupnir.md:93
-msgid "**Note**: the `ensure-matrix-users-created` playbook tag makes the playbook automatically create the bot's user account."
+#: ../../../docs/configuring-playbook-bot-draupnir.md:81
+msgid "To enable the bot using Zero Touch Deployment, add the following configuration to your `vars.yml` file. Make sure to replace `INITIAL_MANAGER_MXID_HERE` with the MXID of the user who should be invited to the management room first, and `CLEAN_ACCESS_TOKEN_HERE` with the access token you obtained."
 msgstr ""

 #: ../../../docs/configuring-playbook-bot-draupnir.md:95
-msgid "Then, invite the bot (`@bot.draupnir:example.com`) to its management room which you have created earlier."
+msgid "Configuration without Zero Touch Deployment"
 msgstr ""

 #: ../../../docs/configuring-playbook-bot-draupnir.md:97
-msgid "Make sure the account is free from rate limiting (optional, recommended)"
+msgid "If you'd prefer to have the bot manage its own login at the cost of having to create the management room manually, you can use native login with the configuration block below. Make sure to replace `MANAGEMENT_ROOM_ID_HERE` with the ID of the management room you have created earlier."
 msgstr ""

-#: ../../../docs/configuring-playbook-bot-draupnir.md:99
-msgid "If your homeserver's implementation is Synapse, you will need to prevent it from rate limiting the bot's account. **This is a highly recommended step. If you do not configure it, Draupnir performance will be degraded.**"
+#: ../../../docs/configuring-playbook-bot-draupnir.md:116
+msgid "Running both bot mode and appservice mode"
 msgstr ""

-#: ../../../docs/configuring-playbook-bot-draupnir.md:101
-msgid "This can be done using Synapse's [Admin APIs](https://element-hq.github.io/synapse/latest/admin_api/user_admin_api.html#override-ratelimiting-for-users). They can be accessed both externally and internally."
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bot-draupnir.md:103
-msgid "**Note**: access to the APIs is restricted with a valid access token, so exposing them publicly should not be a real security concern. Still, doing so is not recommended for additional security. See [official Synapse reverse-proxying recommendations](https://element-hq.github.io/synapse/latest/reverse_proxy.html#synapse-administration-endpoints)."
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bot-draupnir.md:105
-msgid "The APIs can also be accessed via [Ketesa](https://github.com/etkecc/ketesa), a web UI tool you can use to administrate users, rooms, media, etc. on your Matrix server. The playbook can install and configure Ketesa for you. For details about it, see [this page](configuring-playbook-ketesa.md)."
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bot-draupnir.md:107
-msgid "Add the configuration"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bot-draupnir.md:109
-msgid "To expose the APIs publicly, add the following configuration to your `vars.yml` file:"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bot-draupnir.md:115
-msgid "Obtain an access token for admin account"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bot-draupnir.md:117
-msgid "Manual access to Synapse's Admin APIs requires an access token for a homeserver admin account. Refer to the documentation on [how to obtain an access token](obtaining-access-tokens.md)."
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bot-draupnir.md:119
-msgid "[!WARNING] Access tokens are sensitive information. Do not include them in any bug reports, messages, or logs. Do not share the access token with anyone."
+#: ../../../docs/configuring-playbook-bot-draupnir.md:118
+msgid "When running both bot mode and [appservice mode (Draupnir for all)](./configuring-playbook-appservice-draupnir-for-all.md), the playbook will force-restart the bot if running a non-release tag like `latest` or `main` or a development build. This is due to the conditional restart logic not being able to reliably tell when an update happened."
 msgstr ""

 #: ../../../docs/configuring-playbook-bot-draupnir.md:122
-msgid "Run the `curl` command"
+msgid "Conditional restarts work correctly for all tags when running only one of these two operating modes."
 msgstr ""

 #: ../../../docs/configuring-playbook-bot-draupnir.md:124
-msgid "To disable rate limiting, run the following command on systems that ship curl. Before running it, make sure to replace:"
+msgid "Create and invite the bot to the management room (only when using native login without Zero Touch Deployment)"
 msgstr ""

 #: ../../../docs/configuring-playbook-bot-draupnir.md:126
-msgid "`ADMIN_ACCESS_TOKEN_HERE` with the access token of the admin account"
+msgid "Before proceeding to the next step, run the playbook with the following command to create the bot user."
 msgstr ""

-#: ../../../docs/configuring-playbook-bot-draupnir.md:127
-msgid "`example.com` with your base domain"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bot-draupnir.md:128
-msgid "`@bot.draupnir:example.com` with the MXID of your Draupnir bot user"
+#: ../../../docs/configuring-playbook-bot-draupnir.md:132
+msgid "**Note**: the `ensure-matrix-users-created` playbook tag makes the playbook automatically create the bot's user account."
 msgstr ""

 #: ../../../docs/configuring-playbook-bot-draupnir.md:134
-#: ../../../docs/configuring-playbook-bot-draupnir.md:207
-msgid "**Notes**:"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bot-draupnir.md:135
-msgid "This does not work on outdated Windows 10 as curl is not available there."
+msgid "Then, invite the bot (`@bot.draupnir:example.com`) to its management room which you have created earlier."
 msgstr ""

 #: ../../../docs/configuring-playbook-bot-draupnir.md:136
-msgid "Even if the APIs are not exposed to the internet, you should still be able to run the command on the homeserver locally."
+msgid "Creating a user account for the bot (when using Zero Touch Deployment)"
 msgstr ""

 #: ../../../docs/configuring-playbook-bot-draupnir.md:138
-msgid "Abuse Reports"
+msgid "Since Zero Touch Deployment is not validated with native login, you will need to create the user account manually."
 msgstr ""

 #: ../../../docs/configuring-playbook-bot-draupnir.md:140
-msgid "Draupnir can receive reports in the management room."
+msgid "Refer to [registering users](registering-users.md) for documentation on how to configure the user account."
 msgstr ""

 #: ../../../docs/configuring-playbook-bot-draupnir.md:142
-msgid "The bot can intercept the report API endpoint of the client-server API, which requires integration with the reverse proxy in front of the homeserver. If you are using Traefik, this playbook can set this up for you:"
+msgid "Make sure the account is free from rate limiting (optional, recommended)"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bot-draupnir.md:144
+msgid "If your homeserver's implementation is Synapse, you will need to prevent it from rate limiting the bot's account. **This is a highly recommended step. If you do not configure it, Draupnir performance will be degraded.**"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bot-draupnir.md:146
+msgid "This can be done using Synapse's [Admin APIs](https://element-hq.github.io/synapse/latest/admin_api/user_admin_api.html#override-ratelimiting-for-users). They can be accessed both externally and internally."
 msgstr ""

 #: ../../../docs/configuring-playbook-bot-draupnir.md:148
-msgid "Enabling synapse-http-antispam support"
+msgid "**Note**: access to the APIs is restricted with a valid access token, so exposing them publicly should not be a real security concern. Still, doing so is not recommended for additional security. See [official Synapse reverse-proxying recommendations](https://element-hq.github.io/synapse/latest/reverse_proxy.html#synapse-administration-endpoints)."
 msgstr ""

 #: ../../../docs/configuring-playbook-bot-draupnir.md:150
-msgid "Certain protections in Draupnir require the [synapse-http-antispam](https://github.com/maunium/synapse-http-antispam) module and a Synapse homeserver plus homeserver admin status to function. This module can be enabled in the playbook via setting `matrix_bot_draupnir_config_web_synapseHTTPAntispam_enabled` to `true` and making sure that Draupnir admin API access is enabled."
+msgid "The APIs can also be accessed via [Ketesa](https://github.com/etkecc/ketesa), a web UI tool you can use to administrate users, rooms, media, etc. on your Matrix server. The playbook can install and configure Ketesa for you. For details about it, see [this page](configuring-playbook-ketesa.md)."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bot-draupnir.md:152
+msgid "Add the configuration"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bot-draupnir.md:154
+msgid "This is automatically done if Ketesa is enabled. Otherwise, to expose the APIs publicly, add the following configuration to your `vars.yml` file:"
 msgstr ""

 #: ../../../docs/configuring-playbook-bot-draupnir.md:160
-msgid "These protections need to be manually activated and consulting the [enabling protections](#enabling-built-in-protections) guide can be helpful or consulting upstream documentation."
+msgid "Obtain an access token for admin account"
 msgstr ""

-#: ../../../docs/configuring-playbook-bot-draupnir.md:168
-msgid "Extending the configuration"
+#: ../../../docs/configuring-playbook-bot-draupnir.md:162
+msgid "Manual access to Synapse's Admin APIs requires an access token for a homeserver admin account. Refer to the documentation on [how to obtain an access token](obtaining-access-tokens.md)."
 msgstr ""

-#: ../../../docs/configuring-playbook-bot-draupnir.md:170
-msgid "There are some additional things you may wish to configure about the bot."
+#: ../../../docs/configuring-playbook-bot-draupnir.md:164
+msgid "[!WARNING] Access tokens are sensitive information. Do not include them in any bug reports, messages, or logs. Do not share the access token with anyone."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bot-draupnir.md:167
+msgid "Run the `curl` command"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bot-draupnir.md:169
+msgid "To disable rate limiting, run the following command on systems that ship curl. Before running it, make sure to replace:"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bot-draupnir.md:171
+msgid "`ADMIN_ACCESS_TOKEN_HERE` with the access token of the admin account"
 msgstr ""

 #: ../../../docs/configuring-playbook-bot-draupnir.md:172
-msgid "Take a look at:"
+msgid "`example.com` with your base domain"
 msgstr ""

-#: ../../../docs/configuring-playbook-bot-draupnir.md:174
-msgid "`roles/custom/matrix-bot-draupnir/defaults/main.yml` for some variables that you can customize via your `vars.yml` file. You can override settings (even those that don't have dedicated playbook variables) using the `matrix_bot_draupnir_configuration_extension_yaml` variable"
+#: ../../../docs/configuring-playbook-bot-draupnir.md:173
+msgid "`@bot.draupnir:example.com` with the MXID of your Draupnir bot user"
 msgstr ""

-#: ../../../docs/configuring-playbook-bot-draupnir.md:176
-msgid "For example, to change Draupnir's `acceptInvitesFromSpace` option to `!qporfwt:example.com`, add the following configuration to your `vars.yml` file:"
+#: ../../../docs/configuring-playbook-bot-draupnir.md:179
+#: ../../../docs/configuring-playbook-bot-draupnir.md:254
+msgid "**Notes**:"
 msgstr ""

-#: ../../../docs/configuring-playbook-bot-draupnir.md:190
-msgid "Migrating from Mjolnir (Only required if migrating)"
+#: ../../../docs/configuring-playbook-bot-draupnir.md:181
+msgid "This does not work on outdated Windows 10 as curl is not available there."
 msgstr ""

-#: ../../../docs/configuring-playbook-bot-draupnir.md:192
-msgid "Replace your `matrix_bot_mjolnir` config with `matrix_bot_draupnir` config. Also disable Mjolnir if you're doing migration."
+#: ../../../docs/configuring-playbook-bot-draupnir.md:182
+msgid "Even if the APIs are not exposed to the internet, you should still be able to run the command on the homeserver locally."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bot-draupnir.md:184
+msgid "Abuse Reports"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bot-draupnir.md:186
+msgid "Draupnir can receive reports in the management room."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bot-draupnir.md:188
+msgid "The bot can intercept the report API endpoint of the client-server API, which requires integration with the reverse proxy in front of the homeserver. If you are using Traefik, this playbook can set this up for you:"
 msgstr ""

 #: ../../../docs/configuring-playbook-bot-draupnir.md:194
-msgid "Note that Draupnir supports E2EE natively, so you can enable it instead of Pantalaimon. It is recommended to consult the instruction [here](#native-e2ee-support)."
+msgid "Enabling synapse-http-antispam support"
 msgstr ""

 #: ../../../docs/configuring-playbook-bot-draupnir.md:196
-msgid "That is all you need to do due to that Draupnir can complete migration on its own."
+msgid "Certain protections in Draupnir require the [synapse-http-antispam](https://github.com/maunium/synapse-http-antispam) module and a Synapse homeserver plus homeserver admin status to function. This module can be enabled in the playbook via setting `matrix_bot_draupnir_config_web_synapseHTTPAntispam_enabled` to `true` and making sure that Draupnir admin API access is enabled."
 msgstr ""

-#: ../../../docs/configuring-playbook-bot-draupnir.md:198
-msgid "Installing"
+#: ../../../docs/configuring-playbook-bot-draupnir.md:206
+msgid "These protections need to be manually activated. Consulting the [enabling protections](#enabling-built-in-protections) guide and/or upstream documentation can be helpful."
 msgstr ""

-#: ../../../docs/configuring-playbook-bot-draupnir.md:200
-msgid "After configuring the playbook, run it with [playbook tags](playbook-tags.md) as below:"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bot-draupnir.md:209
-msgid "The `ensure-matrix-users-created` playbook tag makes the playbook automatically create the bot's user account."
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bot-draupnir.md:211
-msgid "The shortcut commands with the [`just` program](just.md) are also available: `just install-all` or `just setup-all`"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bot-draupnir.md:213
-msgid "`just install-all` is useful for maintaining your setup quickly ([2x-5x faster](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) than `just setup-all`) when its components remain unchanged. If you adjust your `vars.yml` to remove other components, you'd need to run `just setup-all`, or these components will still remain installed."
+#: ../../../docs/configuring-playbook-bot-draupnir.md:208
+msgid "The other method polls a Synapse Admin API endpoint, hence it is available only if using Synapse and if the Draupnir user is an admin. To enable it, set `pollReports: true` in your `vars.yml` file as below:"
 msgstr ""

 #: ../../../docs/configuring-playbook-bot-draupnir.md:215
-msgid "If you change the bot password (`matrix_bot_draupnir_password` in your `vars.yml` file) subsequently, the bot user's credentials on the homeserver won't be updated automatically. If you'd like to change the bot user's password, use a tool like [Ketesa](configuring-playbook-ketesa.md) to change it, and then update `matrix_bot_draupnir_password` to let the bot know its new password."
+msgid "Extending the configuration"
 msgstr ""

 #: ../../../docs/configuring-playbook-bot-draupnir.md:217
-msgid "Usage"
+msgid "There are some additional things you may wish to configure about the bot."
 msgstr ""

 #: ../../../docs/configuring-playbook-bot-draupnir.md:219
-msgid "You can refer to the upstream [documentation](https://the-draupnir-project.github.io/draupnir-documentation/) for additional ways to use and configure Draupnir and for a more detailed usage guide."
+msgid "Take a look at:"
 msgstr ""

 #: ../../../docs/configuring-playbook-bot-draupnir.md:221
-msgid "Below is a **non-exhaustive quick-start guide** for the impatient."
+msgid "`roles/custom/matrix-bot-draupnir/defaults/main.yml` for some variables that you can customize via your `vars.yml` file. You can override settings (even those that don't have dedicated playbook variables) using the `matrix_bot_draupnir_configuration_extension_yaml` variable"
 msgstr ""

 #: ../../../docs/configuring-playbook-bot-draupnir.md:223
-msgid "Making Draupnir join and protect a room"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bot-draupnir.md:225
-msgid "Draupnir can be told to self-join public rooms, but it's better to follow this flow which works well for all kinds of rooms:"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bot-draupnir.md:227
-msgid "Invite the bot to the room manually ([inviting Draupnir to rooms](https://the-draupnir-project.github.io/draupnir-documentation/moderator/managing-protected-rooms#inviting-draupnir-to-rooms)). Before joining, the bot *may* ask for confirmation in the Management Room"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bot-draupnir.md:229
-msgid "[Give the bot permissions to do its job](#giving-draupnir-permissions-to-do-its-job)"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bot-draupnir.md:231
-msgid "Tell it to protect the room (using the [rooms command](https://the-draupnir-project.github.io/draupnir-documentation/moderator/managing-protected-rooms#using-the-draupnir-rooms-command)) by sending the following command to the Management Room: `!draupnir rooms add !qporfwt:example.com`"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bot-draupnir.md:233
-msgid "To have Draupnir provide useful room protection, you need do to a bit more work (at least the first time around). You may wish to [Subscribe to a public policy list](#subscribing-to-a-public-policy-list), [Create your own own policy and rules](#creating-your-own-policy-lists-and-rules) and [Enabling built-in protections](#enabling-built-in-protections)."
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bot-draupnir.md:235
-msgid "Giving Draupnir permissions to do its job"
+msgid "For example, to change Draupnir's `acceptInvitesFromSpace` option to `!qporfwt:example.com`, add the following configuration to your `vars.yml` file:"
 msgstr ""

 #: ../../../docs/configuring-playbook-bot-draupnir.md:237
-msgid "For Draupnir to do its job, you need to [give it permissions](https://the-draupnir-project.github.io/draupnir-documentation/moderator/managing-protected-rooms#giving-draupnir-permissions) in rooms it's protecting. This involves **giving it an Administrator power level**."
+msgid "Migrating from Mjolnir (Only required if migrating)"
 msgstr ""

 #: ../../../docs/configuring-playbook-bot-draupnir.md:239
-msgid "**We recommend setting this power level as soon as the bot joins your room** (and before you create new rules), so that it can apply rules as soon as they are available. If the bot is under-privileged, it may fail to apply protections and may not retry for a while (or until your restart it)."
+msgid "Replace your `matrix_bot_mjolnir` config with `matrix_bot_draupnir` config. Also disable Mjolnir if you're doing migration."
 msgstr ""

 #: ../../../docs/configuring-playbook-bot-draupnir.md:241
-msgid "Subscribing to a public policy list"
+msgid "Note that Draupnir supports E2EE natively, so you can enable it instead of Pantalaimon. It is recommended to consult the instruction [here](#native-e2ee-support)."
 msgstr ""

 #: ../../../docs/configuring-playbook-bot-draupnir.md:243
-msgid "We recommend **subscribing to a public [policy list](https://the-draupnir-project.github.io/draupnir-documentation/concepts/policy-lists)** using the [watch command](https://the-draupnir-project.github.io/draupnir-documentation/moderator/managing-policy-lists#using-draupnirs-watch-command-to-subscribe-to-policy-rooms)."
+msgid "That is all you need to do due to that Draupnir can complete migration on its own."
 msgstr ""

 #: ../../../docs/configuring-playbook-bot-draupnir.md:245
-msgid "Policy lists are maintained in Matrix rooms. Popular ones maintained in the public are:"
+msgid "Installing"
 msgstr ""

 #: ../../../docs/configuring-playbook-bot-draupnir.md:247
-msgid "`#community-moderation-effort-bl:neko.dev`"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bot-draupnir.md:248
-msgid "`#huginn-muninn-active-threats:feline.support`"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bot-draupnir.md:250
-msgid "You can tell Draupnir to subscribe to each of these by sending the following command to the Management Room: `!draupnir watch POLICY_LIST_ADDRESS_HERE` (e.g. `!draupnir watch #community-moderation-effort-bl:neko.dev`)"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bot-draupnir.md:252
-msgid "Creating your own policy lists and rules"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bot-draupnir.md:254
-msgid "We also recommend **creating your own policy lists** with the [list create](https://the-draupnir-project.github.io/draupnir-documentation/moderator/managing-policy-lists#using-draupnirs-list-create-command-to-create-a-policy-room) command."
+msgid "After configuring the playbook, run it with [playbook tags](playbook-tags.md) as below:"
 msgstr ""

 #: ../../../docs/configuring-playbook-bot-draupnir.md:256
-msgid "You can do so by sending the following command to the Management Room: `!draupnir list create my-bans my-bans-bl`. This will create a policy list having a name (shortcode) of `my-bans` and stored in a public `#my-bans-bl:example.com` room on your server. As soon as you run this command, the bot will invite you to the policy list room."
+msgid "The `ensure-matrix-users-created` playbook tag makes the playbook automatically create the bot's user account."
 msgstr ""

 #: ../../../docs/configuring-playbook-bot-draupnir.md:258
-msgid "A policy list does nothing by itself, so the next step is **adding some rules to your policy list**. Policies target a so-called `entity` (one of: `user`, `room` or `server`). These entities are mentioned on the [policy lists](https://the-draupnir-project.github.io/draupnir-documentation/concepts/policy-lists) documentation page and in the Matrix Spec [here](https://spec.matrix.org/v1.11/client-server-api/#mban-recommendation)."
+msgid "The shortcut commands with the [`just` program](just.md) are also available: `just install-all` or `just setup-all`"
 msgstr ""

 #: ../../../docs/configuring-playbook-bot-draupnir.md:260
-msgid "The simplest and most useful entity to target is `user`. Below are a few examples using the [ban command](https://the-draupnir-project.github.io/draupnir-documentation/moderator/managing-users#the-ban-command) and targeting users."
+msgid "`just install-all` is useful for maintaining your setup quickly ([2x-5x faster](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) than `just setup-all`) when its components remain unchanged. If you adjust your `vars.yml` to remove other components, you'd need to run `just setup-all`, or these components will still remain installed."
 msgstr ""

 #: ../../../docs/configuring-playbook-bot-draupnir.md:262
-msgid "To create rules, you run commands in the Management Room (**not** in the policy list room)."
+msgid "If you change the bot password (`matrix_bot_draupnir_password` in your `vars.yml` file) subsequently, the bot user's credentials on the homeserver won't be updated automatically. If you'd like to change the bot user's password, use a tool like [Ketesa](configuring-playbook-ketesa.md) to change it, and then update `matrix_bot_draupnir_password` to let the bot know its new password."
 msgstr ""

 #: ../../../docs/configuring-playbook-bot-draupnir.md:264
-msgid "(ban a single user on a given homeserver): `!draupnir ban @charles:example.com my-bans Rude to others`"
+msgid "Usage"
 msgstr ""

-#: ../../../docs/configuring-playbook-bot-draupnir.md:265
-msgid "(ban all users on a given homeserver by using a [wildcard](https://the-draupnir-project.github.io/draupnir-documentation/moderator/managing-users#wildcards)): `!draupnir ban @*:example.org my-bans Spam server, all users are fake`"
+#: ../../../docs/configuring-playbook-bot-draupnir.md:266
+msgid "You can refer to the upstream [documentation](https://the-draupnir-project.github.io/draupnir-documentation/) for additional ways to use and configure Draupnir and for a more detailed usage guide."
 msgstr ""

-#: ../../../docs/configuring-playbook-bot-draupnir.md:267
-msgid "As a result of running these commands, you may observe:"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bot-draupnir.md:269
-msgid "Draupnir creating `m.policy.rule.user` state events in the `#my-bans-bl:example.com` room on your server"
+#: ../../../docs/configuring-playbook-bot-draupnir.md:268
+msgid "Below is a **non-exhaustive quick-start guide** for the impatient."
 msgstr ""

 #: ../../../docs/configuring-playbook-bot-draupnir.md:270
-msgid "applying these rules against all rooms that Draupnir is an Administrator in"
+msgid "Making Draupnir join and protect a room"
 msgstr ""

 #: ../../../docs/configuring-playbook-bot-draupnir.md:272
-msgid "You can undo bans with the [unban command](https://the-draupnir-project.github.io/draupnir-documentation/moderator/managing-users#the-unban-command)."
+msgid "Draupnir can be told to self-join public rooms, but it's better to follow this flow which works well for all kinds of rooms:"
 msgstr ""

 #: ../../../docs/configuring-playbook-bot-draupnir.md:274
-msgid "Enabling built-in protections"
+msgid "Invite the bot to the room manually ([inviting Draupnir to rooms](https://the-draupnir-project.github.io/draupnir-documentation/moderator/managing-protected-rooms#inviting-draupnir-to-rooms)). Before joining, the bot *may* ask for confirmation in the Management Room"
 msgstr ""

 #: ../../../docs/configuring-playbook-bot-draupnir.md:276
-msgid "You can also **turn on various built-in [protections](https://the-draupnir-project.github.io/draupnir-documentation/protections)** like `JoinWaveShortCircuitProtection` (\"If X amount of users join in Y time, set the room to invite-only\")."
+msgid "[Give the bot permissions to do its job](#giving-draupnir-permissions-to-do-its-job)"
 msgstr ""

 #: ../../../docs/configuring-playbook-bot-draupnir.md:278
-msgid "To **see which protections are available and which are enabled**, send a `!draupnir protections` command to the Management Room."
+msgid "Tell it to protect the room (using the [rooms command](https://the-draupnir-project.github.io/draupnir-documentation/moderator/managing-protected-rooms#using-the-draupnir-rooms-command)) by sending the following command to the Management Room: `!draupnir rooms add !qporfwt:example.com`"
 msgstr ""

 #: ../../../docs/configuring-playbook-bot-draupnir.md:280
-msgid "To [**see the configuration options for a given protection**](https://the-draupnir-project.github.io/draupnir-documentation/protections/configuring-protections#displaying-the-protection-settings), send a `!draupnir protections show PROTECTION_NAME` (e.g. `!draupnir protections show JoinWaveShortCircuitProtection`)."
+msgid "To have Draupnir provide useful room protection, you need do to a bit more work (at least the first time around). You may wish to [Subscribe to a public policy list](#subscribing-to-a-public-policy-list), [Create your own own policy and rules](#creating-your-own-policy-lists-and-rules) and [Enabling built-in protections](#enabling-built-in-protections)."
 msgstr ""

 #: ../../../docs/configuring-playbook-bot-draupnir.md:282
-msgid "To [**set a specific option for a given protection**](https://the-draupnir-project.github.io/draupnir-documentation/protections/configuring-protections#changing-protection-settings), send a command like this: `!draupnir protections config set PROTECTION_NAME OPTION VALUE` (e.g. `!draupnir protections config set JoinWaveShortCircuitProtection timescaleMinutes 30`)."
+msgid "Giving Draupnir permissions to do its job"
 msgstr ""

 #: ../../../docs/configuring-playbook-bot-draupnir.md:284
-msgid "To [**enable a given protection**](https://the-draupnir-project.github.io/draupnir-documentation/protections/block-invitations-on-server-protection#enabling-the-protection), send a command like this: `!draupnir protections enable PROTECTION_NAME` (e.g. `!draupnir protections enable JoinWaveShortCircuitProtection`)."
+msgid "For Draupnir to do its job, you need to [give it permissions](https://the-draupnir-project.github.io/draupnir-documentation/moderator/managing-protected-rooms#giving-draupnir-permissions) in rooms it's protecting. This involves **giving it an Administrator power level**."
 msgstr ""

 #: ../../../docs/configuring-playbook-bot-draupnir.md:286
+msgid "**We recommend setting this power level as soon as the bot joins your room** (and before you create new rules), so that it can apply rules as soon as they are available. If the bot is under-privileged, it may fail to apply protections and may not retry for a while (or until your restart it)."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bot-draupnir.md:288
+msgid "Subscribing to a public policy list"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bot-draupnir.md:290
+msgid "We recommend **subscribing to a public [policy list](https://the-draupnir-project.github.io/draupnir-documentation/concepts/policy-lists)** using the [watch command](https://the-draupnir-project.github.io/draupnir-documentation/moderator/managing-policy-lists#using-draupnirs-watch-command-to-subscribe-to-policy-rooms)."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bot-draupnir.md:292
+msgid "Policy lists are maintained in Matrix rooms. Popular ones maintained in the public are:"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bot-draupnir.md:294
+msgid "`#community-moderation-effort-bl:neko.dev`"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bot-draupnir.md:295
+msgid "`#huginn-muninn-active-threats:feline.support`"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bot-draupnir.md:297
+msgid "You can tell Draupnir to subscribe to each of these by sending the following command to the Management Room: `!draupnir watch POLICY_LIST_ADDRESS_HERE` (e.g. `!draupnir watch #community-moderation-effort-bl:neko.dev`)"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bot-draupnir.md:299
+msgid "Creating your own policy lists and rules"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bot-draupnir.md:301
+msgid "We also recommend **creating your own policy lists** with the [list create](https://the-draupnir-project.github.io/draupnir-documentation/moderator/managing-policy-lists#using-draupnirs-list-create-command-to-create-a-policy-room) command."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bot-draupnir.md:303
+msgid "You can do so by sending the following command to the Management Room: `!draupnir list create my-bans my-bans-bl`. This will create a policy list having a name (shortcode) of `my-bans` and stored in a public `#my-bans-bl:example.com` room on your server. As soon as you run this command, the bot will invite you to the policy list room."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bot-draupnir.md:305
+msgid "A policy list does nothing by itself, so the next step is **adding some rules to your policy list**. Policies target a so-called `entity` (one of: `user`, `room` or `server`). These entities are mentioned on the [policy lists](https://the-draupnir-project.github.io/draupnir-documentation/concepts/policy-lists) documentation page and in the Matrix Spec [here](https://spec.matrix.org/v1.11/client-server-api/#mban-recommendation)."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bot-draupnir.md:307
+msgid "The simplest and most useful entity to target is `user`. Below are a few examples using the [ban command](https://the-draupnir-project.github.io/draupnir-documentation/moderator/managing-users#the-ban-command) and targeting users."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bot-draupnir.md:309
+msgid "To create rules, you run commands in the Management Room (**not** in the policy list room)."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bot-draupnir.md:311
+msgid "(ban a single user on a given homeserver): `!draupnir ban @charles:example.com my-bans Rude to others`"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bot-draupnir.md:312
+msgid "(ban all users on a given homeserver by using a [wildcard](https://the-draupnir-project.github.io/draupnir-documentation/moderator/managing-users#wildcards)): `!draupnir ban @*:example.org my-bans Spam server, all users are fake`"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bot-draupnir.md:314
+msgid "As a result of running these commands, you may observe:"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bot-draupnir.md:316
+msgid "Draupnir creating `m.policy.rule.user` state events in the `#my-bans-bl:example.com` room on your server"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bot-draupnir.md:317
+msgid "applying these rules against all rooms that Draupnir is an Administrator in"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bot-draupnir.md:319
+msgid "You can undo bans with the [unban command](https://the-draupnir-project.github.io/draupnir-documentation/moderator/managing-users#the-unban-command)."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bot-draupnir.md:321
+msgid "Enabling built-in protections"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bot-draupnir.md:323
+msgid "You can also **turn on various built-in [protections](https://the-draupnir-project.github.io/draupnir-documentation/protections)** like `JoinWaveShortCircuitProtection` (\"If X amount of users join in Y time, set the room to invite-only\")."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bot-draupnir.md:325
+msgid "To **see which protections are available and which are enabled**, send a `!draupnir protections` command to the Management Room."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bot-draupnir.md:327
+msgid "To [**see the configuration options for a given protection**](https://the-draupnir-project.github.io/draupnir-documentation/protections/configuring-protections#displaying-the-protection-settings), send a `!draupnir protections show PROTECTION_NAME` (e.g. `!draupnir protections show JoinWaveShortCircuitProtection`)."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bot-draupnir.md:329
+msgid "To [**set a specific option for a given protection**](https://the-draupnir-project.github.io/draupnir-documentation/protections/configuring-protections#changing-protection-settings), send a command like this: `!draupnir protections config set PROTECTION_NAME OPTION VALUE` (e.g. `!draupnir protections config set JoinWaveShortCircuitProtection timescaleMinutes 30`)."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bot-draupnir.md:331
+msgid "To [**enable a given protection**](https://the-draupnir-project.github.io/draupnir-documentation/protections/block-invitations-on-server-protection#enabling-the-protection), send a command like this: `!draupnir protections enable PROTECTION_NAME` (e.g. `!draupnir protections enable JoinWaveShortCircuitProtection`)."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bot-draupnir.md:333
 msgid "To **disable a given protection**, send a command like this: `!draupnir protections disable PROTECTION_NAME` (e.g. `!draupnir protections disable JoinWaveShortCircuitProtection`)."
 msgstr ""
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-13 10:32+0000\n"
+"POT-Creation-Date: 2026-04-15 09:10+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -16,242 +16,22 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"

-#: ../../../docs/configuring-playbook-bridge-appservice-slack.md:12
-msgid "Setting up Appservice Slack bridging (optional)"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-appservice-slack.md:14
-msgid "**Notes**:"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-appservice-slack.md:15
-msgid "Bridging to [Slack](https://slack.com) can also happen via the [mautrix-slack](configuring-playbook-bridge-mautrix-slack.md) bridge supported by the playbook."
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-appservice-slack.md:16
-msgid "Currently (as of November, 2024) **this component is not available for new installation unless you have already created a classic Slack application** (which the bridge makes use of in order to enable bridging between Slack and Matrix), because the creation of classic Slack applications has been discontinued since June 4 2024. The author of the bridge claims [here](https://github.com/matrix-org/matrix-appservice-slack/issues/789#issuecomment-2172947787) that he plans to support the modern Slack application and until then \"the best (and only) option for new installations is to use the webhook bridging\"."
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-appservice-slack.md:18
-msgid "The playbook can install and configure [matrix-appservice-slack](https://github.com/matrix-org/matrix-appservice-slack) for you."
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-appservice-slack.md:20
-msgid "See the project's [documentation](https://github.com/matrix-org/matrix-appservice-slack/blob/master/README.md) to learn what it does and why it might be useful to you."
-msgstr ""
-
 #: ../../../docs/configuring-playbook-bridge-appservice-slack.md:22
-msgid "Prerequisites"
+msgid "Setting up Appservice Slack bridging (optional, removed)"
 msgstr ""

 #: ../../../docs/configuring-playbook-bridge-appservice-slack.md:24
-msgid "Create a Classic Slack App"
+msgid "🪦 The playbook used to be able to install and configure [matrix-appservice-slack](https://github.com/matrix-org/matrix-appservice-slack), but no longer includes this component, as it had been unavailable for new installation since 2024, and was finally abandoned because the public Matrix.org Slack bridge has been decommissioned on January 14th, 2026."
 msgstr ""

 #: ../../../docs/configuring-playbook-bridge-appservice-slack.md:26
-msgid "First, you need to create a Classic Slack App [here](https://api.slack.com/apps?new_classic_app=1)."
+msgid "**Note**: Bridging to [Slack](https://slack.com) can also happen via the [mautrix-slack](configuring-playbook-bridge-mautrix-slack.md) bridge supported by the playbook."
 msgstr ""

 #: ../../../docs/configuring-playbook-bridge-appservice-slack.md:28
-msgid "Name the app \"matrixbot\" (or anything else you'll remember). Select the team/workspace this app will belong to. Click on bot users and add a new bot user. We will use this account to bridge the the rooms."
+msgid "Uninstalling the component manually"
 msgstr ""

 #: ../../../docs/configuring-playbook-bridge-appservice-slack.md:30
-msgid "Then, click on Event Subscriptions and enable them and use the request url: `https://matrix.example.com/appservice-slack`."
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-appservice-slack.md:32
-msgid "Add the following events as `Bot User Events` and save:"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-appservice-slack.md:34
-msgid "team_domain_change"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-appservice-slack.md:35
-msgid "message.channels"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-appservice-slack.md:36
-msgid "message.groups (if you want to bridge private channels)"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-appservice-slack.md:37
-msgid "reaction_added"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-appservice-slack.md:38
-msgid "reaction_removed"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-appservice-slack.md:40
-msgid "Next, click on \"OAuth & Permissions\" and add the following scopes:"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-appservice-slack.md:42
-msgid "chat:write:bot"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-appservice-slack.md:43
-msgid "users:read"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-appservice-slack.md:44
-msgid "reactions:write"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-appservice-slack.md:45
-msgid "files:write:user (if you want to bridge files)"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-appservice-slack.md:47
-msgid "**Note**: In order to make Slack files visible to Matrix users, this bridge will make Slack files visible to anyone with the url (including files in private channels). This is different than the current behavior in Slack, which only allows authenticated access to media posted in private channels. See MSC701 for details."
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-appservice-slack.md:49
-msgid "Click on \"Install App\" and \"Install App to Workspace\". Note the access tokens shown. You will need the Bot User OAuth Access Token and if you want to bridge files, the OAuth Access Token whenever you link a room."
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-appservice-slack.md:51
-msgid "Create an administration control room on Matrix"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-appservice-slack.md:53
-msgid "Create a new Matrix room to act as the administration control room."
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-appservice-slack.md:55
-msgid "Note its internal room ID. This can be done in Element Web by sending a message, opening the options for that message and choosing \"view source\". The room ID will be displayed near the top."
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-appservice-slack.md:57
-msgid "Adjusting the playbook configuration"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-appservice-slack.md:59
-msgid "To enable the bridge, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-appservice-slack.md:75
-msgid "Extending the configuration"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-appservice-slack.md:77
-msgid "There are some additional things you may wish to configure about the bridge."
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-appservice-slack.md:79
-msgid "Take a look at:"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-appservice-slack.md:81
-msgid "`roles/custom/matrix-bridge-appservice-slack/defaults/main.yml` for some variables that you can customize via your `vars.yml` file"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-appservice-slack.md:82
-msgid "`roles/custom/matrix-bridge-appservice-slack/templates/config.yaml.j2` for the bridge's default configuration. You can override settings (even those that don't have dedicated playbook variables) using the `matrix_appservice_slack_configuration_extension_yaml` variable"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-appservice-slack.md:84
-msgid "For example, to change the bot's username from `slackbot`, add the following configuration to your `vars.yml` file. Replace `examplebot` with your own."
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-appservice-slack.md:91
-msgid "Installing"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-appservice-slack.md:93
-msgid "After configuring the playbook, run it with [playbook tags](playbook-tags.md) as below:"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-appservice-slack.md:100
-msgid "The shortcut commands with the [`just` program](just.md) are also available: `just install-all` or `just setup-all`"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-appservice-slack.md:102
-msgid "`just install-all` is useful for maintaining your setup quickly ([2x-5x faster](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) than `just setup-all`) when its components remain unchanged. If you adjust your `vars.yml` to remove other components, you'd need to run `just setup-all`, or these components will still remain installed. Note these shortcuts run the `ensure-matrix-users-created` tag too."
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-appservice-slack.md:104
-msgid "Usage"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-appservice-slack.md:106
-msgid "To use the bridge, you need to send `/invite @slackbot:example.com` to invite the bridge bot user into the admin room."
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-appservice-slack.md:108
-msgid "If Team Sync is not enabled, for each channel you would like to bridge, perform the following steps:"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-appservice-slack.md:110
-msgid "Create a Matrix room in the usual manner for your client. Take a note of its Matrix room ID — it will look something like `!qporfwt:example.com`."
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-appservice-slack.md:111
-msgid "Invite the bot user to both the Slack and Matrix channels you would like to bridge using `/invite @matrixbot` for Slack and `/invite @slackbot:example.com` for Matrix."
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-appservice-slack.md:112
-msgid "Determine the \"channel ID\" that Slack uses to identify the channel. You can see it when you open a given Slack channel in a browser. The URL reads like this: `https://app.slack.com/client/XXX/<the channel ID>/details/`."
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-appservice-slack.md:113
-msgid "Issue a link command in the administration control room with these collected values as arguments:"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-appservice-slack.md:115
-msgid "with file bridging:"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-appservice-slack.md:121
-msgid "without file bridging:"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-appservice-slack.md:127
-msgid "These arguments can be shortened to single-letter forms:"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-appservice-slack.md:133
-msgid "Unlinking"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-appservice-slack.md:135
-msgid "Channels can be unlinked again by sending this:"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-appservice-slack.md:141
-msgid "Unlinking doesn't only disconnect the bridge, but also makes the slackbot leave the bridged Matrix room. So in case you want to re-link later, don't forget to re-invite the slackbot into this room again."
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-appservice-slack.md:143
-msgid "Troubleshooting"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-appservice-slack.md:145
-msgid "As with all other services, you can find the logs in [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) by logging in to the server with SSH and running `journalctl -fu matrix-appservice-slack`."
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-appservice-slack.md:147
-msgid "Linking: \"Room is now pending-name\""
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-appservice-slack.md:149
-msgid "This typically means that you haven't used the correct Slack channel ID. Unlink the room and recheck 'Determine the \"channel ID\"' from above."
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-appservice-slack.md:151
-msgid "Messages work from Matrix to Slack, but not the other way around"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-appservice-slack.md:153
-msgid "Check the logs, and if you find the message like below, unlink your room, reinvite the bot and re-link it again."
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-appservice-slack.md:155
-msgid "`WARN SlackEventHandler Ignoring message from unrecognised Slack channel ID : %s (%s) <the channel ID> <some other ID>`"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-appservice-slack.md:157
-msgid "This may particularly hit you, if you tried to unsuccessfully link your room multiple times without unlinking it after each failed attempt."
+msgid "If you still have matrix-appservice-slack installed on your Matrix server, the playbook can no longer help you uninstall it and you will need to do it manually. To uninstall manually, run these commands on the server:"
 msgstr ""
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-13 10:32+0000\n"
+"POT-Creation-Date: 2026-04-15 09:10+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -28,130 +28,146 @@ msgstr ""
 msgid "**Note**: bridging to [Discord](https://discordapp.com/) can also happen via the [matrix-appservice-discord](configuring-playbook-bridge-appservice-discord.md) bridge supported by the playbook."
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:18
-msgid "For using as a Bot we recommend the [Appservice Discord](configuring-playbook-bridge-appservice-discord.md), because it supports plumbing."
-msgstr ""
-
 #: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:19
-msgid "For personal use with a discord account we recommend the `mautrix-discord` bridge (the one being discussed here), because it is the most fully-featured and stable of the 3 Discord bridges supported by the playbook."
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:21
 msgid "The playbook can install and configure [mautrix-discord](https://github.com/mautrix/discord) for you."
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:23
+#: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:21
 msgid "See the project's [documentation](https://docs.mau.fi/bridges/go/discord/index.html) to learn what it does and why it might be useful to you."
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:25
+#: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:23
 msgid "Prerequisites"
 msgstr ""

+#: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:25
+msgid "There are 3 ways to login to discord using this bridge, either by [scanning a QR code](https://docs.mau.fi/bridges/go/discord/authentication.html#qr-login) using the Discord mobile app, by using a [Discord token](https://docs.mau.fi/bridges/go/discord/authentication.html#token-login), **or** by using a [Discord bot token](https://docs.mau.fi/bridges/go/discord/authentication.html#bot-token-login)."
+msgstr ""
+
 #: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:27
-msgid "There are 2 ways to login to discord using this bridge, either by [scanning a QR code](#method-1-login-using-qr-code-recommended) using the Discord mobile app **or** by using a [Discord token](#method-2-login-using-discord-token-not-recommended)."
+msgid "⚠️ QR code login is considered a self-bot and is forbidden by Discord. It can result in an account termination. See the [Discord policy](https://support.discord.com/hc/en-us/articles/115002192352-Automated-User-Accounts-Self-Bots)."
 msgstr ""

 #: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:29
-msgid "If this is a dealbreaker for you, consider using [matrix-appservice-discord](configuring-playbook-bridge-appservice-discord.md). This comes with its own complexity and limitations, however, so we recommend that you proceed with this one if possible."
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:31
 msgid "Enable Appservice Double Puppet or Shared Secret Auth (optional)"
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:33
+#: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:31
 msgid "If you want to set up [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do) for this bridge automatically, you need to have enabled [Appservice Double Puppet](configuring-playbook-appservice-double-puppet.md) or [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) service for this playbook."
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:35
+#: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:33
 msgid "See [this section](configuring-playbook-bridge-mautrix-bridges.md#set-up-double-puppeting-optional) on the [common guide for configuring mautrix bridges](configuring-playbook-bridge-mautrix-bridges.md) for details about setting up Double Puppeting."
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:37
+#: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:35
 msgid "**Note**: double puppeting with the Shared Secret Auth works at the time of writing, but is deprecated and will stop working in the future."
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:39
+#: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:37
 msgid "Adjusting the playbook configuration"
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:41
+#: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:39
 msgid "To enable the bridge, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:"
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:47
+#: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:45
 msgid "Extending the configuration"
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:49
+#: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:47
 msgid "There are some additional things you may wish to configure about the bridge."
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:52
+#: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:50
 msgid "See [this section](configuring-playbook-bridge-mautrix-bridges.md#extending-the-configuration) on the [common guide for configuring mautrix bridges](configuring-playbook-bridge-mautrix-bridges.md) for details about variables that you can customize and the bridge's default configuration, including [bridge permissions](configuring-playbook-bridge-mautrix-bridges.md#configure-bridge-permissions-optional), [encryption support](configuring-playbook-bridge-mautrix-bridges.md#enable-encryption-optional), [bot's username](configuring-playbook-bridge-mautrix-bridges.md#set-the-bots-username-optional), etc."
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:54
+#: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:52
 msgid "Installing"
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:56
+#: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:54
 msgid "After configuring the playbook, run it with [playbook tags](playbook-tags.md) as below:"
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:63
+#: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:61
 msgid "The shortcut commands with the [`just` program](just.md) are also available: `just install-all` or `just setup-all`"
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:65
+#: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:63
 msgid "`just install-all` is useful for maintaining your setup quickly ([2x-5x faster](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) than `just setup-all`) when its components remain unchanged. If you adjust your `vars.yml` to remove other components, you'd need to run `just setup-all`, or these components will still remain installed. Note these shortcuts run the `ensure-matrix-users-created` tag too."
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:67
+#: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:65
 msgid "Usage"
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:69
+#: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:67
 msgid "To use the bridge, you need to start a chat with `@discordbot:example.com` (where `example.com` is your base domain, not the `matrix.` domain)."
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:71
+#: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:69
 msgid "You can then follow instructions on the bridge's [official documentation on Authentication](https://docs.mau.fi/bridges/go/discord/authentication.html)."
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:73
+#: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:71
 msgid "After logging in, the bridge will create portal rooms for some recent direct messages."
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:75
+#: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:73
 msgid "Bridge guilds"
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:77
+#: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:75
 msgid "If you'd like to bridge guilds, send `guilds status` to see the list of guilds, then send `guilds bridge GUILD_ID_HERE` for each guild that you'd like bridged. Make sure to replace `GUILD_ID_HERE` with the guild's ID."
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:79
+#: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:77
 msgid "After bridging, spaces will be created automatically, and rooms will be created if necessary when messages are received. You can also pass `--entire` to the bridge command to immediately create all rooms."
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:81
+#: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:79
 msgid "If you want to manually bridge channels, invite the bot to the room you want to bridge, and run `!discord bridge CHANNEL_ID_HERE` to bridge the room. Make sure to replace `CHANNEL_ID_HERE` with the channel's ID."
 msgstr ""

+#: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:81
+msgid "Enable relay"
+msgstr ""
+
 #: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:83
-msgid "Troubleshooting"
+msgid "The bridge supports using Discord's webhook feature to relay messages from Matrix users who haven't logged into the bridge."
 msgstr ""

 #: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:85
-msgid "As with all other services, you can find the logs in [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) by logging in to the server with SSH and running `journalctl -fu matrix-mautrix-discord`."
+msgid "In a room that has already been bridged, run `!discord set-relay --create`. The bridge will then create a webhook in the bridged discord channel and begin relaying messages. If the discord user does not have access to manage webhooks, run `!discord set-relay --url <url>` with the url of an already created webhook. (See Discords [Intro to webhooks](https://support.discord.com/hc/en-us/articles/228383668-Intro-to-Webhooks))"
 msgstr ""

 #: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:87
-msgid "Increase logging verbosity"
+msgid "More information on relaying is available on the [official documentation](https://docs.mau.fi/bridges/go/discord/relay.html)."
 msgstr ""

 #: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:89
+msgid "Troubleshooting"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:91
+msgid "As with all other services, you can find the logs in [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) by logging in to the server with SSH and running `journalctl -fu matrix-mautrix-discord`."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:93
+msgid "Increase logging verbosity"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:95
 msgid "The default logging level for this component is `warn`. If you want to increase the verbosity, add the following configuration to your `vars.yml` file and re-run the playbook:"
 msgstr ""
+
+#: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:102
+msgid "Command requires room admin rights when user is creator"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bridge-mautrix-discord.md:104
+msgid "[MSC4289](https://github.com/matrix-org/matrix-spec-proposals/blob/main/proposals/4289-privilege-creators.md), introduced in [room version 12](https://spec.matrix.org/unstable/rooms/v12/), gives creators an infinitley high powerlevel. At the time of implementation, mautrix-discord and similar applications may not identify creators as or above admins. Either a separate admin user will need to manage the bridge or the room version should be less than version 12."
+msgstr ""
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-13 10:32+0000\n"
+"POT-Creation-Date: 2026-04-15 09:10+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -25,117 +25,105 @@ msgid "<sup>Refer the common guide for configuring mautrix bridges: [Setting up
 msgstr ""

 #: ../../../docs/configuring-playbook-bridge-mautrix-slack.md:14
-msgid "**Note**: bridging to [Slack](https://slack.com/) can also happen via the [matrix-appservice-slack](configuring-playbook-bridge-appservice-slack.md) bridge supported by the playbook."
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-mautrix-slack.md:15
-msgid "For using as a Bot we recommend the [Appservice Slack](configuring-playbook-bridge-appservice-slack.md), because it supports plumbing. Note that it is not available for new installation unless you have already created a classic Slack application, because the creation of classic Slack applications, which this bridge makes use of, has been discontinued."
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-mautrix-slack.md:16
-msgid "For personal use with a slack account we recommend the `mautrix-slack` bridge (the one being discussed here), because it is the most fully-featured and stable of the 3 Slack bridges supported by the playbook."
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-mautrix-slack.md:18
 msgid "The playbook can install and configure [mautrix-slack](https://github.com/mautrix/slack) for you."
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-slack.md:20
+#: ../../../docs/configuring-playbook-bridge-mautrix-slack.md:16
 msgid "See the project's [documentation](https://docs.mau.fi/bridges/go/slack/index.html) to learn what it does and why it might be useful to you."
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-slack.md:22
+#: ../../../docs/configuring-playbook-bridge-mautrix-slack.md:18
 msgid "See the [features and roadmap](https://github.com/mautrix/slack/blob/main/ROADMAP.md) for more information."
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-slack.md:24
+#: ../../../docs/configuring-playbook-bridge-mautrix-slack.md:20
 msgid "Prerequisites"
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-slack.md:26
+#: ../../../docs/configuring-playbook-bridge-mautrix-slack.md:22
 msgid "For using this bridge, you would need to authenticate by **providing your username and password** (legacy) or by using a **token login**. See more information in the [docs](https://docs.mau.fi/bridges/go/slack/authentication.html)."
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-slack.md:28
-msgid "Note that neither of these methods are officially supported by Slack. [matrix-appservice-slack](configuring-playbook-bridge-appservice-slack.md) uses a Slack bot account which is the only officially supported method for bridging a Slack channel."
+#: ../../../docs/configuring-playbook-bridge-mautrix-slack.md:24
+msgid "Note that neither of these methods are officially supported by Slack."
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-slack.md:30
+#: ../../../docs/configuring-playbook-bridge-mautrix-slack.md:26
 msgid "Enable Appservice Double Puppet (optional)"
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-slack.md:32
+#: ../../../docs/configuring-playbook-bridge-mautrix-slack.md:28
 msgid "If you want to set up [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do) for this bridge automatically, you need to have enabled [Appservice Double Puppet](configuring-playbook-appservice-double-puppet.md) service for this playbook."
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-slack.md:34
+#: ../../../docs/configuring-playbook-bridge-mautrix-slack.md:30
 msgid "See [this section](configuring-playbook-bridge-mautrix-bridges.md#set-up-double-puppeting-optional) on the [common guide for configuring mautrix bridges](configuring-playbook-bridge-mautrix-bridges.md) for details about setting up Double Puppeting."
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-slack.md:36
+#: ../../../docs/configuring-playbook-bridge-mautrix-slack.md:32
 msgid "Adjusting the playbook configuration"
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-slack.md:38
+#: ../../../docs/configuring-playbook-bridge-mautrix-slack.md:34
 msgid "To enable the bridge, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:"
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-slack.md:44
+#: ../../../docs/configuring-playbook-bridge-mautrix-slack.md:40
 msgid "Extending the configuration"
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-slack.md:46
+#: ../../../docs/configuring-playbook-bridge-mautrix-slack.md:42
 msgid "There are some additional things you may wish to configure about the bridge."
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-slack.md:48
+#: ../../../docs/configuring-playbook-bridge-mautrix-slack.md:44
 msgid "See [this section](configuring-playbook-bridge-mautrix-bridges.md#extending-the-configuration) on the [common guide for configuring mautrix bridges](configuring-playbook-bridge-mautrix-bridges.md) for details about variables that you can customize and the bridge's default configuration, including [bridge permissions](configuring-playbook-bridge-mautrix-bridges.md#configure-bridge-permissions-optional), [encryption support](configuring-playbook-bridge-mautrix-bridges.md#enable-encryption-optional), [relay mode](configuring-playbook-bridge-mautrix-bridges.md#enable-relay-mode-optional), [bot's username](configuring-playbook-bridge-mautrix-bridges.md#set-the-bots-username-optional), etc."
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-slack.md:50
+#: ../../../docs/configuring-playbook-bridge-mautrix-slack.md:46
 msgid "Installing"
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-slack.md:52
+#: ../../../docs/configuring-playbook-bridge-mautrix-slack.md:48
 msgid "After configuring the playbook, run it with [playbook tags](playbook-tags.md) as below:"
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-slack.md:59
+#: ../../../docs/configuring-playbook-bridge-mautrix-slack.md:55
 msgid "The shortcut commands with the [`just` program](just.md) are also available: `just install-all` or `just setup-all`"
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-slack.md:61
+#: ../../../docs/configuring-playbook-bridge-mautrix-slack.md:57
 msgid "`just install-all` is useful for maintaining your setup quickly ([2x-5x faster](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) than `just setup-all`) when its components remain unchanged. If you adjust your `vars.yml` to remove other components, you'd need to run `just setup-all`, or these components will still remain installed. Note these shortcuts run the `ensure-matrix-users-created` tag too."
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-slack.md:63
+#: ../../../docs/configuring-playbook-bridge-mautrix-slack.md:59
 msgid "Usage"
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-slack.md:65
+#: ../../../docs/configuring-playbook-bridge-mautrix-slack.md:61
 msgid "To use the bridge, you need to start a chat with `@slackbot:example.com` (where `example.com` is your base domain, not the `matrix.` domain)."
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-slack.md:67
+#: ../../../docs/configuring-playbook-bridge-mautrix-slack.md:63
 msgid "You can then follow instructions on the bridge's [official documentation on Authentication](https://docs.mau.fi/bridges/go/slack/authentication.html)."
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-slack.md:69
+#: ../../../docs/configuring-playbook-bridge-mautrix-slack.md:65
 msgid "If you authenticated using a token, the recent chats will be bridged automatically (depending on the `conversation_count` setting). Otherwise (i.e. logging with the Discord application), the chats the bot is in will be bridged automatically."
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-slack.md:71
+#: ../../../docs/configuring-playbook-bridge-mautrix-slack.md:67
 msgid "Troubleshooting"
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-slack.md:73
+#: ../../../docs/configuring-playbook-bridge-mautrix-slack.md:69
 msgid "As with all other services, you can find the logs in [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) by logging in to the server with SSH and running `journalctl -fu matrix-mautrix-slack`."
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-slack.md:75
+#: ../../../docs/configuring-playbook-bridge-mautrix-slack.md:71
 msgid "Increase logging verbosity"
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-slack.md:77
+#: ../../../docs/configuring-playbook-bridge-mautrix-slack.md:73
 msgid "The default logging level for this component is `warn`. If you want to increase the verbosity, add the following configuration to your `vars.yml` file and re-run the playbook:"
 msgstr ""
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-13 10:32+0000\n"
+"POT-Creation-Date: 2026-05-07 11:16+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -29,7 +29,7 @@ msgid "The playbook can install and configure [mautrix-telegram](https://github.
 msgstr ""

 #: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:20
-msgid "See the project's [documentation](https://docs.mau.fi/bridges/python/telegram/index.html) to learn what it does and why it might be useful to you."
+msgid "See the project's [documentation](https://docs.mau.fi/bridges/go/telegram/index.html) to learn what it does and why it might be useful to you."
 msgstr ""

 #: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:22
@@ -45,11 +45,11 @@ msgid "To use the bridge, you'd need to obtain an API key from [https://my.teleg
 msgstr ""

 #: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:28
-msgid "Enable Appservice Double Puppet or Shared Secret Auth (optional)"
+msgid "Enable Appservice Double Puppet (optional)"
 msgstr ""

 #: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:30
-msgid "If you want to set up [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do) for this bridge automatically, you need to have enabled [Appservice Double Puppet](configuring-playbook-appservice-double-puppet.md) or [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) service for this playbook."
+msgid "If you want to set up [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do) for this bridge automatically, you need to have enabled [Appservice Double Puppet](configuring-playbook-appservice-double-puppet.md) service for this playbook."
 msgstr ""

 #: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:32
@@ -57,113 +57,85 @@ msgid "See [this section](configuring-playbook-bridge-mautrix-bridges.md#set-up-
 msgstr ""

 #: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:34
-msgid "**Notes**:"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:36
-msgid "Double puppeting with the Shared Secret Auth works at the time of writing, but is deprecated and will stop working in the future."
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:38
-msgid "If you decided to enable Double Puppeting manually, send `login-matrix` to the bot in order to receive an instruction about how to send an access token to it."
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:40
 msgid "Adjusting the playbook configuration"
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:42
+#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:36
 msgid "To enable the bridge, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file. Make sure to replace `YOUR_TELEGRAM_APP_ID` and `YOUR_TELEGRAM_API_HASH`."
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:50
+#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:44
 msgid "Relaying"
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:52
-msgid "Enable relay-bot (optional)"
+#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:46
+msgid "This bridge supports the common [mautrix bridge relay mode](configuring-playbook-bridge-mautrix-bridges.md#enable-relay-mode-optional). Once enabled, any authenticated user can be turned into a relaybot for a chat by sending `!tg set-relay` in that chat."
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:54
-msgid "If you want to use the relay-bot feature ([relay bot documentation](https://docs.mau.fi/bridges/python/telegram/relay-bot.html)), which allows anonymous user to chat with telegram users, add the following configuration to your `vars.yml` file:"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:64
+#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:48
 msgid "Configure a user as an administrator of the bridge (optional)"
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:66
+#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:50
 msgid "You might also want to give permissions to a user to administrate the bot. See [this section](configuring-playbook-bridge-mautrix-bridges.md#configure-bridge-permissions-optional) on the common guide for details about it."
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:68
-msgid "More details about permissions in this example: https://github.com/mautrix/telegram/blob/master/mautrix_telegram/example-config.yaml#L410"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:70
-msgid "Use the bridge for direct chats only (optional)"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:72
-msgid "If you want to exclude all groups from syncing and use the Telegram-Bridge only for direct chats, add the following configuration to your `vars.yml` file:"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:78
+#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:52
 msgid "Extending the configuration"
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:80
+#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:54
 msgid "There are some additional things you may wish to configure about the bridge."
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:83
+#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:56
 msgid "See [this section](configuring-playbook-bridge-mautrix-bridges.md#extending-the-configuration) on the [common guide for configuring mautrix bridges](configuring-playbook-bridge-mautrix-bridges.md) for details about variables that you can customize and the bridge's default configuration, including [bridge permissions](configuring-playbook-bridge-mautrix-bridges.md#configure-bridge-permissions-optional), [encryption support](configuring-playbook-bridge-mautrix-bridges.md#enable-encryption-optional), [bot's username](configuring-playbook-bridge-mautrix-bridges.md#set-the-bots-username-optional), etc."
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:85
+#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:58
 msgid "Installing"
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:87
+#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:60
 msgid "After configuring the playbook, run it with [playbook tags](playbook-tags.md) as below:"
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:94
+#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:67
 msgid "The shortcut commands with the [`just` program](just.md) are also available: `just install-all` or `just setup-all`"
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:96
+#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:69
 msgid "`just install-all` is useful for maintaining your setup quickly ([2x-5x faster](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) than `just setup-all`) when its components remain unchanged. If you adjust your `vars.yml` to remove other components, you'd need to run `just setup-all`, or these components will still remain installed. Note these shortcuts run the `ensure-matrix-users-created` tag too."
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:98
+#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:71
 msgid "Usage"
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:100
+#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:73
 msgid "To use the bridge, you need to start a chat with `@telegrambot:example.com` (where `example.com` is your base domain, not the `matrix.` domain)."
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:102
-msgid "You can then follow instructions on the bridge's [official documentation on Authentication](https://docs.mau.fi/bridges/python/telegram/authentication.html)."
+#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:75
+msgid "You can then follow instructions on the bridge's [official documentation on Authentication](https://docs.mau.fi/bridges/go/telegram/authentication.html)."
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:104
-msgid "After logging in, the bridge will create portal rooms for all of your Telegram groups and invite you to them. Note that the bridge won't automatically create rooms for private chats."
+#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:77
+msgid "After logging in, the bridge will create portal rooms for all of your Telegram groups and invite you to them."
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:106
+#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:79
 msgid "Troubleshooting"
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:108
+#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:81
 msgid "As with all other services, you can find the logs in [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) by logging in to the server with SSH and running `journalctl -fu matrix-mautrix-telegram`."
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:110
+#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:83
 msgid "Increase logging verbosity"
 msgstr ""

-#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:112
-msgid "The default logging level for this component is `WARNING`. If you want to increase the verbosity, add the following configuration to your `vars.yml` file and re-run the playbook:"
+#: ../../../docs/configuring-playbook-bridge-mautrix-telegram.md:85
+msgid "The default logging level for this component is `warn`. If you want to increase the verbosity, add the following configuration to your `vars.yml` file and re-run the playbook:"
 msgstr ""
@@ -0,0 +1,133 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) 2018-2026, Slavi Pantaleev, Aine Etke, MDAD community members
+# This file is distributed under the same license as the matrix-docker-ansible-deploy package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: matrix-docker-ansible-deploy \n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2026-05-07 11:16+0000\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:8
+msgid "Setting up a Matrix <-> Meshtastic bridge (optional)"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:10
+msgid "The playbook can install and configure [meshtastic-matrix-relay](https://github.com/jeremiah-k/meshtastic-matrix-relay) (sometimes referred to as `mmrelay`) for you — a bridge between [Matrix](https://matrix.org/) and [Meshtastic](https://meshtastic.org/) mesh networks."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:12
+msgid "See the [project's documentation](https://github.com/jeremiah-k/meshtastic-matrix-relay) to learn what it does and why it might be useful to you."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:14
+msgid "Prerequisites"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:16
+msgid "You need a Matrix account for the bot. You can either [register the bot account manually](registering-users.md) or let the playbook create it when running `ansible-playbook … --tags=ensure-matrix-users-created`. Either way, you'll need the account's **password** to configure the bridge — unlike most other bridges in this playbook, `mmrelay` authenticates with a password and creates its own session (optionally with End-to-End Encryption material)."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:18
+msgid "You also need access to a Meshtastic device, connected to the server via one of:"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:20
+msgid "**TCP**: the device is reachable on the network (e.g. a Meshtastic node running the TCP API),"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:21
+msgid "**Serial**: the device is plugged in via USB and available on the host (e.g. `/dev/ttyUSB0`),"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:22
+msgid "**BLE**: the device is reachable via Bluetooth Low Energy from the host."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:24
+msgid "Adjusting the playbook configuration"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:26
+msgid "To enable the bridge, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:56
+msgid "By default, the bot's Matrix ID is `@meshtasticbot:{{ matrix_domain }}`. To change it, adjust `matrix_meshtastic_relay_matrix_bot_user_id`."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:58
+msgid "Bluetooth (BLE) connections"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:60
+msgid "When `matrix_meshtastic_relay_connection_type` is `ble`, the container runs with `--network=host` and bind-mounts the host's DBus socket — both are required for Bluetooth pairing/communication. Only use this connection type if you trust the playbook-managed host and are comfortable with these privileges."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:62
+msgid "Serial connections"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:64
+msgid "When `matrix_meshtastic_relay_connection_type` is `serial`, the host device referenced by `matrix_meshtastic_relay_serial_port` is passed through to the container. Make sure that `matrix_user_uid` / `matrix_user_gid` have read/write access to that device (e.g. by adding the matrix user to the `dialout` group, or adjusting udev rules)."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:66
+msgid "Extending the configuration"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:68
+msgid "There are some additional things you may wish to configure about the bridge."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:70
+msgid "Take a look at:"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:72
+msgid "`roles/custom/matrix-bridge-meshtastic-relay/defaults/main.yml` for some variables that you can customize via your `vars.yml` file. You can override individual `matrix_meshtastic_relay_*` variables, or make finer-grained adjustments via `matrix_meshtastic_relay_configuration_extension_yaml`."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:74
+msgid "Installing"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:76
+msgid "After configuring the playbook, run the playbook with [playbook tags](playbook-tags.md) as below:"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:83
+msgid "The shortcut commands with the [`just` program](just.md) are also available: `just install-all` or `just setup-all`."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:85
+msgid "`just install-all` is useful for maintaining your setup quickly ([2x-5x faster](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) than `just setup-all`) when its components remain unchanged. If you adjust your `vars.yml` to remove other components, you'd need to run `just setup-all`, or these components will still remain installed. Note these shortcuts run the `ensure-matrix-users-created` tag too."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:87
+msgid "Usage"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:89
+msgid "Invite the bot to the Matrix rooms listed in `matrix_meshtastic_relay_matrix_rooms_list` and it will relay between Matrix and the corresponding Meshtastic channel. Messages sent on Meshtastic will appear in Matrix and vice versa."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:91
+msgid "See the [project's wiki](https://github.com/jeremiah-k/meshtastic-matrix-relay/wiki) for details about commands, plugins and advanced usage."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:93
+msgid "Troubleshooting"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-bridge-meshtastic-relay.md:95
+msgid "As with all other services, you can find the logs in [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) by logging in to the server with SSH and running `journalctl -fu matrix-meshtastic-relay`."
+msgstr ""
@@ -0,0 +1,113 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) 2018-2026, Slavi Pantaleev, Aine Etke, MDAD community members
+# This file is distributed under the same license as the matrix-docker-ansible-deploy package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: matrix-docker-ansible-deploy \n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2026-04-15 09:10+0000\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#: ../../../docs/configuring-playbook-client-sable.md:9
+msgid "Setting up Sable (optional)"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-client-sable.md:11
+msgid "The playbook can install and configure the [Sable](https://github.com/7w1/sable) Matrix web client for you."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-client-sable.md:13
+msgid "Sable is a web client focusing primarily on simple, elegant and secure interface. It can be installed alongside or instead of [Element Web](./configuring-playbook-client-element-web.md), [Cinny](./configuring-playbook-client-cinny.md) and others."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-client-sable.md:15
+msgid "Adjusting DNS records"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-client-sable.md:17
+msgid "By default, this playbook installs Sable on the `sable.` subdomain (`sable.example.com`) and requires you to create a CNAME record for `sable`, which targets `matrix.example.com`."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-client-sable.md:19
+msgid "When setting, replace `example.com` with your own."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-client-sable.md:21
+msgid "Adjusting the playbook configuration"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-client-sable.md:23
+msgid "To enable Sable, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-client-sable.md:29
+msgid "Adjusting the Sable URL (optional)"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-client-sable.md:31
+msgid "By tweaking the `sable_hostname` variable, you can easily make the service available at a **different hostname** than the default one."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-client-sable.md:33
+msgid "Example additional configuration for your `vars.yml` file:"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-client-sable.md:43
+msgid "After changing the domain, **you may need to adjust your DNS** records to point the Sable domain to the Matrix server."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-client-sable.md:45
+msgid "**Note**: while there is a `sable_path_prefix` variable for changing the path where Sable is served, overriding it is [not possible](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/3701), because Sable requires an application rebuild (with a tweaked build config) to be functional under a custom path. You'd need to serve Sable at a dedicated subdomain."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-client-sable.md:47
+msgid "Extending the configuration"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-client-sable.md:49
+msgid "There are some additional things you may wish to configure about the component."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-client-sable.md:51
+msgid "Take a look at:"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-client-sable.md:53
+msgid "`roles/galaxy/sable/defaults/main.yml` for some variables that you can customize via your `vars.yml` file"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-client-sable.md:54
+msgid "`roles/galaxy/sable/templates/config.json.j2` for the component's default configuration. You can override settings (even those that don't have dedicated playbook variables) using the `sable_configuration_extension_json` variable"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-client-sable.md:56
+msgid "Installing"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-client-sable.md:58
+msgid "After configuring the playbook and [adjusting your DNS records](#adjusting-dns-records), run the playbook with [playbook tags](playbook-tags.md) as below:"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-client-sable.md:65
+msgid "The shortcut commands with the [`just` program](just.md) are also available: `just install-all` or `just setup-all`"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-client-sable.md:67
+msgid "`just install-all` is useful for maintaining your setup quickly ([2x-5x faster](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) than `just setup-all`) when its components remain unchanged. If you adjust your `vars.yml` to remove other components, you'd need to run `just setup-all`, or these components will still remain installed. Note these shortcuts run the `ensure-matrix-users-created` tag too."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-client-sable.md:69
+msgid "Troubleshooting"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-client-sable.md:71
+msgid "As with all other services, you can find the logs in [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) by logging in to the server with SSH and running `journalctl -fu matrix-client-sable`."
+msgstr ""
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-13 10:32+0000\n"
+"POT-Creation-Date: 2026-05-07 11:16+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -37,21 +37,29 @@ msgid "To uninstall the service, run the command below on the server:"
 msgstr ""

 #: ../../../docs/configuring-playbook-conduwuit.md:32
-msgid "Migrating to Continuwuity"
+msgid "Migrating to Tuwunel"
 msgstr ""

 #: ../../../docs/configuring-playbook-conduwuit.md:34
-msgid "Since [Continuwuity](configuring-playbook-continuwuity.md) is a drop-in replacement for conduwuit, migration is possible. Please refer to [this section](./configuring-playbook-continuwuity.md#migrating-from-conduwuit) for details."
+msgid "[Tuwunel](configuring-playbook-tuwunel.md) is a fork of conduwuit, [endorsed as conduwuit's successor](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/5200#issuecomment-4396211185) by the former conduwuit maintainer. It reads conduwuit's database directly, so migration is possible. Please refer to [this section](./configuring-playbook-tuwunel.md#migrating-from-conduwuit) for details."
 msgstr ""

 #: ../../../docs/configuring-playbook-conduwuit.md:36
-msgid "Removing data manually"
+msgid "Migrating to Continuwuity"
 msgstr ""

 #: ../../../docs/configuring-playbook-conduwuit.md:38
-msgid "If you are not going to migrate to [Continuwuity](configuring-playbook-continuwuity.md), you can remove data by running the command on the server:"
+msgid "Since [Continuwuity](configuring-playbook-continuwuity.md) is a drop-in replacement for conduwuit, migration is possible. Please refer to [this section](./configuring-playbook-continuwuity.md#migrating-from-conduwuit) for details."
 msgstr ""

-#: ../../../docs/configuring-playbook-conduwuit.md:44
+#: ../../../docs/configuring-playbook-conduwuit.md:40
+msgid "Removing data manually"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-conduwuit.md:42
+msgid "If you are not going to migrate to [Tuwunel](configuring-playbook-tuwunel.md) or [Continuwuity](configuring-playbook-continuwuity.md), you can remove data by running the command on the server:"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-conduwuit.md:48
 msgid "[!WARNING] Once you removing the path, there is no going back. Your data on the homeserver (including chat history, rooms, etc.) will be deleted and not be possible to restore them. Please be certain."
 msgstr ""
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-13 10:32+0000\n"
+"POT-Creation-Date: 2026-05-07 11:16+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -81,81 +81,97 @@ msgid "There are various Ansible variables that control settings in the `continu
 msgstr ""

 #: ../../../docs/configuring-playbook-continuwuity.md:49
+msgid "💡 By default, the playbook wires Continuwuity into a few playbook-wide settings:"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-continuwuity.md:51
+msgid "if `exim_relay_enabled: true` (the default), Continuwuity SMTP is automatically enabled and pointed at the [local Exim relay](configuring-playbook-email.md) service"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-continuwuity.md:52
+msgid "`matrix_continuwuity_config_well_known_client` is automatically set to the public homeserver URL in the usual SSL-enabled setup, which helps email verification and password-reset links work in delegated-domain setups"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-continuwuity.md:54
+msgid "You can override any of these defaults in your `vars.yml` file if you want Continuwuity to use a different SMTP server or a different well-known client URL."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-continuwuity.md:56
 msgid "If a specific setting you'd like to change does not have a dedicated Ansible variable, you can either submit a PR to us to add it, or you can [override the setting using an environment variable](https://continuwuity.org/configuration#environment-variables) using `matrix_continuwuity_environment_variables_extension`. For example:"
 msgstr ""

-#: ../../../docs/configuring-playbook-continuwuity.md:57
+#: ../../../docs/configuring-playbook-continuwuity.md:64
 msgid "Creating the first user account"
 msgstr ""

-#: ../../../docs/configuring-playbook-continuwuity.md:59
+#: ../../../docs/configuring-playbook-continuwuity.md:66
 msgid "Unlike other homeserver implementations (like Synapse and Dendrite), continuwuity does not support creating users via the command line or via the playbook."
 msgstr ""

-#: ../../../docs/configuring-playbook-continuwuity.md:61
-msgid "If you followed the instructions above (see [Adjusting the playbook configuration](#adjusting-the-playbook-configuration)), you should have registration enabled and protected by a registration token."
-msgstr ""
-
-#: ../../../docs/configuring-playbook-continuwuity.md:63
-msgid "This should allow you to create the first user account via any client (like [Element Web](./configuring-playbook-client-element-web.md)) which supports creating users."
-msgstr ""
-
-#: ../../../docs/configuring-playbook-continuwuity.md:65
-msgid "The **first user account that you create will be marked as an admin** and **will be automatically invited to an admin room**."
-msgstr ""
-
 #: ../../../docs/configuring-playbook-continuwuity.md:68
-msgid "Configuring bridges / appservices"
+msgid "On first startup, Continuwuity creates a special one-time-use registration token and logs it to the server's console. To access this, you will need to SSH into the server and run the following command:"
 msgstr ""

-#: ../../../docs/configuring-playbook-continuwuity.md:70
-msgid "For other homeserver implementations (like Synapse and Dendrite), the playbook automatically registers appservices (for bridges, bots, etc.) with the homeserver."
-msgstr ""
-
-#: ../../../docs/configuring-playbook-continuwuity.md:72
-msgid "For continuwuity, you will have to manually register appservices using the [`!admin appservices register` command](https://continuwuity.org/appservices.html#set-up-the-appservice---general-instructions) sent to the server bot account."
-msgstr ""
-
-#: ../../../docs/configuring-playbook-continuwuity.md:74
-msgid "The server's bot account has a Matrix ID of `@conduit:example.com` (not `@continuwuity:example.com`!) due to continuwuity's historical legacy. Your first user account would already have been invited to an admin room with this bot."
+#: ../../../docs/configuring-playbook-continuwuity.md:75
+msgid "Find the token, highlight it, and copy it (ctrl+shift+C). This token should allow you to create the first user account via any client (like [Element Web](./configuring-playbook-client-element-web.md)) which supports creating users."
 msgstr ""

 #: ../../../docs/configuring-playbook-continuwuity.md:77
+msgid "The **first user account that you create will be marked as an admin** and **will be automatically invited to an admin room**."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-continuwuity.md:80
+msgid "Configuring bridges / appservices"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-continuwuity.md:82
+msgid "For other homeserver implementations (like Synapse and Dendrite), the playbook automatically registers appservices (for bridges, bots, etc.) with the homeserver."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-continuwuity.md:84
+msgid "For continuwuity, you will have to manually register appservices using the [`!admin appservices register` command](https://continuwuity.org/appservices.html#set-up-the-appservice---general-instructions) sent to the server bot account."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-continuwuity.md:86
+msgid "The server's bot account has a Matrix ID of `@conduit:example.com` (not `@continuwuity:example.com`!) due to continuwuity's historical legacy. Your first user account would already have been invited to an admin room with this bot."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-continuwuity.md:89
 msgid "Find the appservice file you'd like to register. This can be any `registration.yaml` file found in the `/matrix` directory, for example `/matrix/mautrix-signal/bridge/registration.yaml`."
 msgstr ""

-#: ../../../docs/configuring-playbook-continuwuity.md:79
+#: ../../../docs/configuring-playbook-continuwuity.md:91
 msgid "Then, send its content to the existing admin room:"
 msgstr ""

-#: ../../../docs/configuring-playbook-continuwuity.md:103
+#: ../../../docs/configuring-playbook-continuwuity.md:115
 msgid "Migrating from conduwuit"
 msgstr ""

-#: ../../../docs/configuring-playbook-continuwuity.md:105
+#: ../../../docs/configuring-playbook-continuwuity.md:117
 msgid "Since Continuwuity is a drop-in replacement for [conduwuit](configuring-playbook-conduwuit.md), migration is possible."
 msgstr ""

-#: ../../../docs/configuring-playbook-continuwuity.md:107
+#: ../../../docs/configuring-playbook-continuwuity.md:119
 msgid "Make sure that Continuwuity is properly set up on your `vars.yml` as described above"
 msgstr ""

-#: ../../../docs/configuring-playbook-continuwuity.md:109
+#: ../../../docs/configuring-playbook-continuwuity.md:121
 msgid "Make sure that Conduwuit references are removed from your `vars.yml` file"
 msgstr ""

-#: ../../../docs/configuring-playbook-continuwuity.md:111
+#: ../../../docs/configuring-playbook-continuwuity.md:123
 msgid "Run the installation in a way that installs new services and uninstalls old ones (e.g. `just setup-all`)"
 msgstr ""

-#: ../../../docs/configuring-playbook-continuwuity.md:113
+#: ../../../docs/configuring-playbook-continuwuity.md:125
 msgid "Run the playbook with the `continuwuity-migrate-from-conduwuit` tag (e.g. `just run-tags continuwuity-migrate-from-conduwuit`). This migrates data from `/matrix/conduwuit` to `/matrix/continuwuity`"
 msgstr ""

-#: ../../../docs/configuring-playbook-continuwuity.md:115
+#: ../../../docs/configuring-playbook-continuwuity.md:127
 msgid "Troubleshooting"
 msgstr ""

-#: ../../../docs/configuring-playbook-continuwuity.md:117
+#: ../../../docs/configuring-playbook-continuwuity.md:129
 msgid "As with all other services, you can find the logs in [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) by logging in to the server with SSH and running `journalctl -fu matrix-continuwuity`."
 msgstr ""
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-13 10:32+0000\n"
+"POT-Creation-Date: 2026-05-07 11:16+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -41,89 +41,109 @@ msgid "📁 `roles/galaxy/exim_relay/docs/configuring-exim-relay.md` locally, if
 msgstr ""

 #: ../../../docs/configuring-playbook-email.md:20
-msgid "Firewall settings"
+msgid "Why use exim-relay?"
 msgstr ""

 #: ../../../docs/configuring-playbook-email.md:22
-msgid "No matter whether you send email directly (the default) or you relay email through another host, you'll probably need to allow outgoing traffic for TCP ports 25/587 (depending on configuration)."
+msgid "**Benefits of using exim-relay** instead of configuring SMTP directly in each service:"
 msgstr ""

 #: ../../../docs/configuring-playbook-email.md:24
-msgid "Docker automatically opens these ports in the server's firewall, so you likely don't need to do anything. If you use another firewall in front of the server, you may need to adjust it."
+msgid "**Final delivery capability**: Can deliver emails directly if you don't have an SMTP server"
 msgstr ""

 #: ../../../docs/configuring-playbook-email.md:26
-msgid "Adjusting the playbook configuration"
+msgid "**Centralized configuration**: Configure your upstream SMTP server once in exim-relay, then point all services ([Synapse](configuring-playbook-synapse.md), [Matrix Authentication Service](configuring-playbook-matrix-authentication-service.md), [Continuwuity](configuring-playbook-continuwuity.md), etc.) there, with no need to configure SMTP in each component"
 msgstr ""

 #: ../../../docs/configuring-playbook-email.md:28
-msgid "Enable DKIM authentication to improve deliverability (optional)"
+msgid "**Local spooling**: Stores messages locally and retries delivery if your upstream SMTP server is temporarily unavailable"
 msgstr ""

 #: ../../../docs/configuring-playbook-email.md:30
-msgid "By default, exim-relay attempts to deliver emails directly. This may or may not work, depending on your domain configuration."
+msgid "Firewall settings"
 msgstr ""

 #: ../../../docs/configuring-playbook-email.md:32
-msgid "To improve email deliverability, you can configure authentication methods such as DKIM (DomainKeys Identified Mail), SPF, and DMARC for your domain. Without setting any of these authentication methods, your outgoing email is most likely to be quarantined as spam at recipient's mail servers."
+msgid "No matter whether you send email directly (the default) or you relay email through another host, you'll probably need to allow outgoing traffic for TCP ports 25/587 (depending on configuration)."
 msgstr ""

 #: ../../../docs/configuring-playbook-email.md:34
-msgid "For details about configuring DKIM, refer [this section](https://github.com/mother-of-all-self-hosting/ansible-role-exim-relay/blob/main/docs/configuring-exim-relay.md#enable-dkim-support-optional) on the role's documentation."
+msgid "Docker automatically opens these ports in the server's firewall, so you likely don't need to do anything. If you use another firewall in front of the server, you may need to adjust it."
 msgstr ""

 #: ../../../docs/configuring-playbook-email.md:36
-msgid "💡 If you cannot enable DKIM, SPF, or DMARC on your domain for some reason, we recommend relaying email through another SMTP server."
+msgid "Adjusting the playbook configuration"
 msgstr ""

 #: ../../../docs/configuring-playbook-email.md:38
-msgid "Relaying email through another SMTP server (optional)"
+msgid "Enable DKIM authentication to improve deliverability (optional)"
 msgstr ""

 #: ../../../docs/configuring-playbook-email.md:40
-msgid "**On some cloud providers such as Google Cloud, [port 25 is always blocked](https://cloud.google.com/compute/docs/tutorials/sending-mail/), so sending email directly from your server is not possible.** In this case, you will need to relay email through another SMTP server."
+msgid "By default, exim-relay attempts to deliver emails directly. This may or may not work, depending on your domain configuration."
 msgstr ""

 #: ../../../docs/configuring-playbook-email.md:42
-msgid "For details about configuration, refer [this section](https://github.com/mother-of-all-self-hosting/ansible-role-exim-relay/blob/main/docs/configuring-exim-relay.md#relaying-email-through-another-smtp-server) on the role's document."
+msgid "To improve email deliverability, you can configure authentication methods such as DKIM (DomainKeys Identified Mail), SPF, and DMARC for your domain. Without setting any of these authentication methods, your outgoing email is most likely to be quarantined as spam at recipient's mail servers."
 msgstr ""

 #: ../../../docs/configuring-playbook-email.md:44
-msgid "Disable mail service (optional)"
+msgid "For details about configuring DKIM, refer [this section](https://github.com/mother-of-all-self-hosting/ansible-role-exim-relay/blob/main/docs/configuring-exim-relay.md#enable-dkim-support-optional) on the role's documentation."
 msgstr ""

 #: ../../../docs/configuring-playbook-email.md:46
-msgid "For a low-power server you might probably want to disable exim-relay. To do so, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:"
+msgid "💡 If you cannot enable DKIM, SPF, or DMARC on your domain for some reason, we recommend relaying email through another SMTP server."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-email.md:48
+msgid "Relaying email through another SMTP server (optional)"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-email.md:50
+msgid "**On some cloud providers such as Google Cloud, [port 25 is always blocked](https://cloud.google.com/compute/docs/tutorials/sending-mail/), so sending email directly from your server is not possible.** In this case, you will need to relay email through another SMTP server."
 msgstr ""

 #: ../../../docs/configuring-playbook-email.md:52
-msgid "Note that disabling exim-relay will stop email-notifications and other similar functions from working."
+msgid "For details about configuration, refer [this section](https://github.com/mother-of-all-self-hosting/ansible-role-exim-relay/blob/main/docs/configuring-exim-relay.md#relaying-email-through-another-smtp-server) on the role's document."
 msgstr ""

 #: ../../../docs/configuring-playbook-email.md:54
-msgid "See [this entry on the FAQ](faq.md#how-do-i-optimize-this-setup-for-a-low-power-server) for other possible optimizations for a low-power server."
+msgid "Disable mail service (optional)"
 msgstr ""

 #: ../../../docs/configuring-playbook-email.md:56
+msgid "For a low-power server you might probably want to disable exim-relay. To do so, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-email.md:62
+msgid "Note that disabling exim-relay will stop email-notifications and other similar functions from working."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-email.md:64
+msgid "See [this entry on the FAQ](faq.md#how-do-i-optimize-this-setup-for-a-low-power-server) for other possible optimizations for a low-power server."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-email.md:66
 msgid "Installing"
 msgstr ""

-#: ../../../docs/configuring-playbook-email.md:58
+#: ../../../docs/configuring-playbook-email.md:68
 msgid "After configuring the playbook, run it with [playbook tags](playbook-tags.md) as below:"
 msgstr ""

-#: ../../../docs/configuring-playbook-email.md:65
+#: ../../../docs/configuring-playbook-email.md:75
 msgid "The shortcut commands with the [`just` program](just.md) are also available: `just install-all` or `just setup-all`"
 msgstr ""

-#: ../../../docs/configuring-playbook-email.md:67
+#: ../../../docs/configuring-playbook-email.md:77
 msgid "`just install-all` is useful for maintaining your setup quickly ([2x-5x faster](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) than `just setup-all`) when its components remain unchanged. If you adjust your `vars.yml` to remove other components, you'd need to run `just setup-all`, or these components will still remain installed. Note these shortcuts run the `ensure-matrix-users-created` tag too."
 msgstr ""

-#: ../../../docs/configuring-playbook-email.md:69
+#: ../../../docs/configuring-playbook-email.md:79
 msgid "Troubleshooting"
 msgstr ""

-#: ../../../docs/configuring-playbook-email.md:71
+#: ../../../docs/configuring-playbook-email.md:81
 msgid "See [this section](https://github.com/mother-of-all-self-hosting/ansible-role-exim-relay/blob/main/docs/configuring-exim-relay.md#troubleshooting) on the role's documentation for details."
 msgstr ""
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-13 10:32+0000\n"
+"POT-Creation-Date: 2026-05-07 11:16+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -41,15 +41,15 @@ msgid "If you wish to disable federation, you can do that with an empty list (`[
 msgstr ""

 #: ../../../docs/configuring-playbook-federation.md:27
-msgid "Exposing the room directory over federation"
+msgid "Controlling exposure of the room directory over federation"
 msgstr ""

 #: ../../../docs/configuring-playbook-federation.md:29
-msgid "By default, your server's public rooms directory is not exposed to other servers via federation."
+msgid "By default, your server's public rooms directory is exposed to other servers via federation, so that public rooms hosted on your server can be discovered by users on other servers. This goes against the Synapse upstream default (which is `false`); see the [2023-10-23 changelog entry](../CHANGELOG.md#enabling-allow_public_rooms_over_federation-by-default-for-synapse) for the reasoning behind this choice."
 msgstr ""

 #: ../../../docs/configuring-playbook-federation.md:31
-msgid "To expose it, add the following configuration to your `vars.yml` file:"
+msgid "To prevent your public rooms directory from being exposed over federation (restoring the Synapse upstream default), add the following configuration to your `vars.yml` file:"
 msgstr ""

 #: ../../../docs/configuring-playbook-federation.md:37
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-13 10:32+0000\n"
+"POT-Creation-Date: 2026-04-15 09:10+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -25,149 +25,153 @@ msgid "The playbook can install and configure the [Jitsi](https://jitsi.org/) vi
 msgstr ""

 #: ../../../docs/configuring-playbook-jitsi.md:21
+msgid "Because Jitsi still requires a TURN server, enabling Jitsi automatically enables coturn (`coturn_enabled: true`) unless you explicitly disable it."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-jitsi.md:24
 msgid "Jitsi is an open source video-conferencing platform. It can not only be integrated with Element clients ([Element Web](configuring-playbook-client-element-web.md)/Desktop, Android and iOS) as a widget, but also be used as standalone web app."
 msgstr ""

-#: ../../../docs/configuring-playbook-jitsi.md:23
+#: ../../../docs/configuring-playbook-jitsi.md:26
 msgid "💡 If you're into experimental technology, you may also be interested in trying out [Element Call](configuring-playbook-element-call.md) - a native Matrix video conferencing application."
 msgstr ""

-#: ../../../docs/configuring-playbook-jitsi.md:25
+#: ../../../docs/configuring-playbook-jitsi.md:28
 msgid "The [Ansible role for Jitsi](https://github.com/mother-of-all-self-hosting/ansible-role-jitsi) is developed and maintained by [the MASH (mother-of-all-self-hosting) project](https://github.com/mother-of-all-self-hosting). For details about configuring Jitsi, you can check them via:"
 msgstr ""

-#: ../../../docs/configuring-playbook-jitsi.md:26
+#: ../../../docs/configuring-playbook-jitsi.md:29
 msgid "🌐 [the role's documentation at the MASH project](https://github.com/mother-of-all-self-hosting/ansible-role-jitsi/blob/main/docs/configuring-jitsi.md) online"
 msgstr ""

-#: ../../../docs/configuring-playbook-jitsi.md:27
+#: ../../../docs/configuring-playbook-jitsi.md:30
 msgid "📁 `roles/galaxy/jitsi/docs/configuring-jitsi.md` locally, if you have [fetched the Ansible roles](installing.md#update-ansible-roles)"
 msgstr ""

-#: ../../../docs/configuring-playbook-jitsi.md:29
+#: ../../../docs/configuring-playbook-jitsi.md:32
 msgid "Prerequisites"
 msgstr ""

-#: ../../../docs/configuring-playbook-jitsi.md:31
+#: ../../../docs/configuring-playbook-jitsi.md:34
 msgid "Before proceeding, make sure to check server's requirements recommended by [the official deployment guide](https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-requirements)."
 msgstr ""

-#: ../../../docs/configuring-playbook-jitsi.md:33
+#: ../../../docs/configuring-playbook-jitsi.md:36
 msgid "You may need to open some ports to your server, if you use another firewall in front of the server. Refer [the role's documentation](https://github.com/mother-of-all-self-hosting/ansible-role-jitsi/blob/main/docs/configuring-jitsi.md#prerequisites) to check which ones to be configured."
 msgstr ""

-#: ../../../docs/configuring-playbook-jitsi.md:35
+#: ../../../docs/configuring-playbook-jitsi.md:38
 msgid "Adjusting DNS records"
 msgstr ""

-#: ../../../docs/configuring-playbook-jitsi.md:37
+#: ../../../docs/configuring-playbook-jitsi.md:40
 msgid "By default, this playbook installs Jitsi on the `jitsi.` subdomain (`jitsi.example.com`) and requires you to create a CNAME record for `jitsi`, which targets `matrix.example.com`."
 msgstr ""

-#: ../../../docs/configuring-playbook-jitsi.md:39
+#: ../../../docs/configuring-playbook-jitsi.md:42
 msgid "When setting, replace `example.com` with your own."
 msgstr ""

-#: ../../../docs/configuring-playbook-jitsi.md:41
+#: ../../../docs/configuring-playbook-jitsi.md:44
 msgid "Adjusting the playbook configuration"
 msgstr ""

-#: ../../../docs/configuring-playbook-jitsi.md:43
+#: ../../../docs/configuring-playbook-jitsi.md:46
 msgid "To enable Jitsi, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:"
 msgstr ""

-#: ../../../docs/configuring-playbook-jitsi.md:61
+#: ../../../docs/configuring-playbook-jitsi.md:64
 msgid "As the most of the necessary settings for the role have been taken care of by the playbook, you can enable Jitsi on your Matrix server with this minimum configuration."
 msgstr ""

-#: ../../../docs/configuring-playbook-jitsi.md:63
+#: ../../../docs/configuring-playbook-jitsi.md:66
 msgid "However, **since Jitsi's performance heavily depends on server resource (bandwidth, RAM, and CPU), it is recommended to review settings and optimize them as necessary before deployment.** You can check [here](https://github.com/mother-of-all-self-hosting/ansible-role-jitsi/blob/main/docs/configuring-jitsi.md#example-configurations) for an example set of configurations to set up a Jitsi instance, focusing on performance. If you will host a large conference, you probably might also want to consider to provision additional JVBs ([Jitsi VideoBridge](https://github.com/jitsi/jitsi-videobridge)). See [here](https://github.com/mother-of-all-self-hosting/ansible-role-jitsi/blob/main/docs/configuring-jitsi.md#set-up-additional-jvbs-for-more-video-conferences-optional) for details about setting them up with the playbook."
 msgstr ""

-#: ../../../docs/configuring-playbook-jitsi.md:65
+#: ../../../docs/configuring-playbook-jitsi.md:68
 msgid "See the role's documentation for details about configuring Jitsi per your preference (such as setting [a custom hostname](https://github.com/mother-of-all-self-hosting/ansible-role-jitsi/blob/main/docs/configuring-jitsi.md#set-the-hostname) and [the environment variable for running Jitsi in a LAN](https://github.com/mother-of-all-self-hosting/ansible-role-jitsi/blob/main/docs/configuring-jitsi.md#configure-jvb_advertise_ips-for-running-behind-nat-or-on-a-lan-environment-optional))."
 msgstr ""

-#: ../../../docs/configuring-playbook-jitsi.md:67
+#: ../../../docs/configuring-playbook-jitsi.md:70
 msgid "Enable authentication and guests mode (optional)"
 msgstr ""

-#: ../../../docs/configuring-playbook-jitsi.md:69
+#: ../../../docs/configuring-playbook-jitsi.md:72
 msgid "By default the Jitsi Meet instance **does not require for anyone to log in, and is open to use without an account**."
 msgstr ""

-#: ../../../docs/configuring-playbook-jitsi.md:71
+#: ../../../docs/configuring-playbook-jitsi.md:74
 msgid "If you would like to control who is allowed to start meetings on your instance, you'd need to enable Jitsi's authentication and optionally guests mode."
 msgstr ""

-#: ../../../docs/configuring-playbook-jitsi.md:73
+#: ../../../docs/configuring-playbook-jitsi.md:76
 msgid "See [this section](https://github.com/mother-of-all-self-hosting/ansible-role-jitsi/blob/main/docs/configuring-jitsi.md#configure-jitsi-authentication-and-guests-mode-optional) on the role's documentation for details about how to configure the authentication and guests mode. The recommended authentication method is `internal` as it also works in federated rooms. If you want to enable authentication with Matrix OpenID making use of [Matrix User Verification Service (UVS)](configuring-playbook-user-verification-service.md), see [here](https://github.com/mother-of-all-self-hosting/ansible-role-jitsi/blob/main/docs/configuring-jitsi.md#authenticate-using-matrix-openid-auth-type-matrix) for details about how to set it up."
 msgstr ""

-#: ../../../docs/configuring-playbook-jitsi.md:75
+#: ../../../docs/configuring-playbook-jitsi.md:78
 msgid "Enable Gravatar (optional)"
 msgstr ""

-#: ../../../docs/configuring-playbook-jitsi.md:77
+#: ../../../docs/configuring-playbook-jitsi.md:80
 msgid "In the default Jisti Meet configuration, `gravatar.com` is enabled as an avatar service."
 msgstr ""

-#: ../../../docs/configuring-playbook-jitsi.md:79
+#: ../../../docs/configuring-playbook-jitsi.md:82
 msgid "Since the Element clients send the URL of configured Matrix avatars to the Jitsi instance, our configuration has disabled the Gravatar service."
 msgstr ""

-#: ../../../docs/configuring-playbook-jitsi.md:81
+#: ../../../docs/configuring-playbook-jitsi.md:84
 msgid "To enable the Gravatar service nevertheless, add the following configuration to your `vars.yml` file:"
 msgstr ""

-#: ../../../docs/configuring-playbook-jitsi.md:87
+#: ../../../docs/configuring-playbook-jitsi.md:90
 msgid "[!WARNING] This will result in third party request leaking data to the Gravatar Service (`gravatar.com`, unless configured otherwise). Besides metadata, the Matrix user_id and possibly the room ID (via `referrer` header) will be also sent to the third party."
 msgstr ""

-#: ../../../docs/configuring-playbook-jitsi.md:90
+#: ../../../docs/configuring-playbook-jitsi.md:93
 msgid "Installing"
 msgstr ""

-#: ../../../docs/configuring-playbook-jitsi.md:92
+#: ../../../docs/configuring-playbook-jitsi.md:95
 msgid "After configuring the playbook and potentially [adjusting your DNS records](#adjusting-dns-records), run the playbook with [playbook tags](playbook-tags.md) as below:"
 msgstr ""

-#: ../../../docs/configuring-playbook-jitsi.md:99
+#: ../../../docs/configuring-playbook-jitsi.md:102
 msgid "The shortcut commands with the [`just` program](just.md) are also available: `just install-all` or `just setup-all`"
 msgstr ""

-#: ../../../docs/configuring-playbook-jitsi.md:101
+#: ../../../docs/configuring-playbook-jitsi.md:104
 msgid "`just install-all` is useful for maintaining your setup quickly ([2x-5x faster](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) than `just setup-all`) when its components remain unchanged. If you adjust your `vars.yml` to remove other components, you'd need to run `just setup-all`, or these components will still remain installed. Note these shortcuts run the `ensure-matrix-users-created` tag too."
 msgstr ""

-#: ../../../docs/configuring-playbook-jitsi.md:103
+#: ../../../docs/configuring-playbook-jitsi.md:106
 msgid "Usage"
 msgstr ""

-#: ../../../docs/configuring-playbook-jitsi.md:105
+#: ../../../docs/configuring-playbook-jitsi.md:108
 msgid "You can use the self-hosted Jitsi server in multiple ways:"
 msgstr ""

-#: ../../../docs/configuring-playbook-jitsi.md:107
+#: ../../../docs/configuring-playbook-jitsi.md:110
 msgid "**by adding a widget to a room via Element Web** (the one configured by the playbook at `https://element.example.com`). Just start a voice or a video call in a room containing more than 2 members and that would create a Jitsi widget which utilizes your self-hosted Jitsi server."
 msgstr ""

-#: ../../../docs/configuring-playbook-jitsi.md:109
+#: ../../../docs/configuring-playbook-jitsi.md:112
 msgid "**directly (without any Matrix integration)**. Just go to `https://jitsi.example.com`, and you can start a videoconference."
 msgstr ""

-#: ../../../docs/configuring-playbook-jitsi.md:111
+#: ../../../docs/configuring-playbook-jitsi.md:114
 msgid "Note that you'll need to log in to your Jitsi's account to start a conference if you have configured authentication with `internal` auth."
 msgstr ""

-#: ../../../docs/configuring-playbook-jitsi.md:113
+#: ../../../docs/configuring-playbook-jitsi.md:116
 msgid "Check [the official user guide](https://jitsi.github.io/handbook/docs/category/user-guide) for details about how to use Jitsi."
 msgstr ""

-#: ../../../docs/configuring-playbook-jitsi.md:115
+#: ../../../docs/configuring-playbook-jitsi.md:118
 msgid "Troubleshooting"
 msgstr ""

-#: ../../../docs/configuring-playbook-jitsi.md:117
+#: ../../../docs/configuring-playbook-jitsi.md:120
 msgid "See [this section](https://github.com/mother-of-all-self-hosting/ansible-role-jitsi/blob/main/docs/configuring-jitsi.md#troubleshooting) on the role's documentation for details."
 msgstr ""
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-04-03 12:02+0100\n"
+"POT-Creation-Date: 2026-04-15 09:10+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -25,7 +25,7 @@ msgid "The playbook can install and configure [Ketesa](https://github.com/etkecc
 msgstr ""

 #: ../../../docs/configuring-playbook-ketesa.md:18
-msgid "Ketesa is a fully-featured admin interface for Matrix homeservers — manage users, rooms, media, sessions, and more from one clean, responsive web UI. It is the evolution of [Awesome-Technologies/synapse-admin](https://github.com/Awesome-Technologies/synapse-admin): what began as a fork has grown into its own independent project with a redesigned interface, comprehensive Synapse and MAS API coverage, and multi-language support."
+msgid "Ketesa is a fully-featured admin interface for Matrix homeservers — manage users, rooms, media, sessions, and more from one clean, responsive web UI. It is the evolution of [Awesome-Technologies/synapse-admin](https://github.com/Awesome-Technologies/synapse-admin): what began as a fork has grown into its own independent project with a redesigned interface, comprehensive Synapse and MAS API coverage, and multi-language support. See the [Ketesa v1.0.0 announcement](https://etke.cc/blog/introducing-ketesa/) for a full overview of what's new."
 msgstr ""

 #: ../../../docs/configuring-playbook-ketesa.md:20
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-13 10:32+0000\n"
+"POT-Creation-Date: 2026-04-15 09:10+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -41,7 +41,7 @@ msgid "🌐 [the role's documentation at the MASH project](https://github.com/mo
 msgstr ""

 #: ../../../docs/configuring-playbook-livekit-server.md:18
-msgid "📁 `roles/galaxy/livekit-server/docs/configuring-livekit-server.md` locally, if you have [fetched the Ansible roles](installing.md#update-ansible-roles)"
+msgid "📁 `roles/galaxy/livekit_server/docs/configuring-livekit-server.md` locally, if you have [fetched the Ansible roles](installing.md#update-ansible-roles)"
 msgstr ""

 #: ../../../docs/configuring-playbook-livekit-server.md:20
@@ -69,17 +69,69 @@ msgid "`5350/tcp`: TURN/TCP. Also see the [Limitations](#limitations) section be
 msgstr ""

 #: ../../../docs/configuring-playbook-livekit-server.md:32
-msgid "💡 The suggestions above are inspired by the upstream [Ports and Firewall](https://docs.livekit.io/home/self-hosting/ports-firewall/) documentation based on how LiveKit is configured in the playbook. If you've using custom configuration for the LiveKit Server role, you may need to adjust the firewall rules accordingly."
+msgid "`30000-30020/udp`: TURN relay range used by LiveKit's embedded TURN server."
 msgstr ""

 #: ../../../docs/configuring-playbook-livekit-server.md:34
-msgid "Limitations"
+msgid "💡 The suggestions above are inspired by the upstream [Ports and Firewall](https://docs.livekit.io/home/self-hosting/ports-firewall/) documentation based on how LiveKit is configured in the playbook. If you're using custom configuration for the LiveKit Server role, you may need to adjust firewall rules accordingly."
 msgstr ""

 #: ../../../docs/configuring-playbook-livekit-server.md:36
-msgid "For some reason, LiveKit Server's TURN ports (`3479/udp` and `5350/tcp`) are not reachable over IPv6 regardless of whether you've [enabled IPv6](./configuring-ipv6.md) for your server."
+msgid "TURN TLS handling"
 msgstr ""

 #: ../../../docs/configuring-playbook-livekit-server.md:38
-msgid "It seems like LiveKit Server intentionally only listens on `udp4` and `tcp4` as seen [here](https://github.com/livekit/livekit/blob/154b4d26b769c68a03c096124094b97bf61a996f/pkg/service/turn.go#L128) and [here](https://github.com/livekit/livekit/blob/154b4d26b769c68a03c096124094b97bf61a996f/pkg/service/turn.go#L92)."
+msgid "When `matrix_playbook_reverse_proxy_type` is `playbook-managed-traefik` (which is the default for this playbook), TURN over TCP is terminated by Traefik and forwarded to LiveKit with `turn.external_tls = true`. In this playbook default, this mode is enabled automatically when SSL is enabled and TURN is enabled."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-livekit-server.md:40
+msgid "The playbook installs a dedicated Traefik TCP entrypoint for TURN (`matrix-livekit-turn`) by default and binds it to `tcp/5350`."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-livekit-server.md:41
+msgid "`livekit_server_config_turn_external_tls` is automatically enabled for this setup."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-livekit-server.md:42
+msgid "Because Traefik handles TLS, LiveKit no longer needs certificate-file paths for TURN in this mode."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-livekit-server.md:44
+msgid "To opt out and keep TURN TLS termination in LiveKit itself, set:"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-livekit-server.md:50
+msgid "In this playbook, certificate paths are managed automatically via `group_vars/matrix_servers` when certificate dumping is enabled."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-livekit-server.md:52
+msgid "If your setup uses `other-traefik-container` or [another reverse-proxy](./configuring-playbook-own-webserver.md), behavior is unchanged by default and still relies on certificates being available inside the container as before."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-livekit-server.md:54
+msgid "Deployments using `other-traefik-container` can opt into the same Traefik-terminated mode there, by setting:"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-livekit-server.md:62
+msgid "and configuring their own Traefik TCP entrypoint dedicated to LiveKit TURN traffic."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-livekit-server.md:64
+msgid "Limitations"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-livekit-server.md:66
+msgid "LiveKit Server's TURN listener behavior depends on where TLS is terminated:"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-livekit-server.md:68
+msgid "Direct LiveKit TURN listeners (`livekit_server_config_turn_external_tls: false`) still use IPv4-only sockets for `3479/udp` and `5350/tcp`, so IPv6 connectivity to these endpoints is not possible."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-livekit-server.md:69
+msgid "With [TURN TLS handling](#turn-tls-handling) (`livekit_server_config_turn_external_tls: true`), the playbook's dedicated `matrix-livekit-turn` TCP entrypoint can still listen on both IPv4 and IPv6. Traefik then forwards TURN/TCP to LiveKit."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-livekit-server.md:71
+msgid "It appears that LiveKit Server intentionally only listens on `udp4` and `tcp4` in direct mode, as seen [here](https://github.com/livekit/livekit/blob/154b4d26b769c68a03c096124094b97bf61a996f/pkg/service/turn.go#L128) and [here](https://github.com/livekit/livekit/blob/154b4d26b769c68a03c096124094b97bf61a996f/pkg/service/turn.go#L92)."
 msgstr ""
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-13 10:32+0000\n"
+"POT-Creation-Date: 2026-05-07 11:16+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -45,11 +45,11 @@ msgid "Various experimental features for the Synapse homeserver which Element Ca
 msgstr ""

 #: ../../../docs/configuring-playbook-matrix-rtc.md:20
-msgid "A [LiveKit Server](configuring-playbook-livekit-server.md) (automatically installed when [Element Call or the Matrix RTC stack is enabled](#decide-between-element-call-vs-just-the-matrix-rtc-stack))"
+msgid "A [LiveKit Server](configuring-playbook-livekit-server.md) (automatically installed when [Element Call or the Matrix RTC stack is enabled](configuring-playbook-element-call.md#decide-between-element-call-vs-just-the-matrix-rtc-stack))"
 msgstr ""

 #: ../../../docs/configuring-playbook-matrix-rtc.md:21
-msgid "The [LiveKit JWT Service](configuring-playbook-livekit-jwt-service.md) (automatically installed when [Element Call or the Matrix RTC stack is enabled](#decide-between-element-call-vs-just-the-matrix-rtc-stack))"
+msgid "The [LiveKit JWT Service](configuring-playbook-livekit-jwt-service.md) (automatically installed when [Element Call or the Matrix RTC stack is enabled](configuring-playbook-element-call.md#decide-between-element-call-vs-just-the-matrix-rtc-stack))"
 msgstr ""

 #: ../../../docs/configuring-playbook-matrix-rtc.md:22
@@ -77,29 +77,41 @@ msgid "In addition to the HTTP/HTTPS ports (which you've already exposed as per
 msgstr ""

 #: ../../../docs/configuring-playbook-matrix-rtc.md:41
-msgid "Installing"
+msgid "Fronting the integrated reverse-proxy with another reverse-proxy"
 msgstr ""

 #: ../../../docs/configuring-playbook-matrix-rtc.md:43
+msgid "If you're [fronting the integrated reverse-proxy webserver with another reverse-proxy](configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) (e.g. nginx), it needs to forward WebSocket traffic for [LiveKit Server](configuring-playbook-livekit-server.md) at the `/livekit-server/` path. Without that, Matrix RTC calls will not work."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-matrix-rtc.md:45
+msgid "See [`examples/reverse-proxies/nginx/matrix.conf`](../examples/reverse-proxies/nginx/matrix.conf) for an nginx example."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-matrix-rtc.md:47
+msgid "Installing"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-matrix-rtc.md:49
 msgid "After configuring the playbook and potentially [adjusting your DNS records](#adjusting-dns-records) and [adjusting firewall rules](#adjusting-firewall-rules), run the playbook with [playbook tags](playbook-tags.md) as below:"
 msgstr ""

-#: ../../../docs/configuring-playbook-matrix-rtc.md:50
+#: ../../../docs/configuring-playbook-matrix-rtc.md:56
 msgid "The shortcut commands with the [`just` program](just.md) are also available: `just install-all` or `just setup-all`"
 msgstr ""

-#: ../../../docs/configuring-playbook-matrix-rtc.md:52
+#: ../../../docs/configuring-playbook-matrix-rtc.md:58
 msgid "`just install-all` is useful for maintaining your setup quickly ([2x-5x faster](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) than `just setup-all`) when its components remain unchanged. If you adjust your `vars.yml` to remove other components, you'd need to run `just setup-all`, or these components will still remain installed. Note these shortcuts run the `ensure-matrix-users-created` tag too."
 msgstr ""

-#: ../../../docs/configuring-playbook-matrix-rtc.md:54
+#: ../../../docs/configuring-playbook-matrix-rtc.md:60
 msgid "Usage"
 msgstr ""

-#: ../../../docs/configuring-playbook-matrix-rtc.md:56
+#: ../../../docs/configuring-playbook-matrix-rtc.md:62
 msgid "Once installed, Matrix clients which support Element Call (like [Element Web](configuring-playbook-client-element-web.md) and Element X on mobile (iOS and Android)) will automatically use the Matrix RTC stack."
 msgstr ""

-#: ../../../docs/configuring-playbook-matrix-rtc.md:58
+#: ../../../docs/configuring-playbook-matrix-rtc.md:64
 msgid "These clients typically embed the Element Call frontend UI within them, so installing [Element Call](configuring-playbook-element-call.md) is only necessary if you'd like to use it standalone - directly via a browser."
 msgstr ""
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-13 10:32+0000\n"
+"POT-Creation-Date: 2026-04-15 09:10+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -143,7 +143,7 @@ msgid "[Prometheus role](https://github.com/mother-of-all-self-hosting/ansible-r
 msgstr ""

 #: ../../../docs/configuring-playbook-prometheus-grafana.md:109
-msgid "`roles/custom/matrix-prometheus-nginxlog-exporter/defaults/main.yml` for some variables that you can customize via your `vars.yml` file"
+msgid "`roles/galaxy/prometheus_nginxlog_exporter/defaults/main.yml` for some variables that you can customize via your `vars.yml` file"
 msgstr ""

 #: ../../../docs/configuring-playbook-prometheus-grafana.md:111
@@ -291,7 +291,7 @@ msgid "Set this to `true` to enable the node (general system stats) exporter (lo
 msgstr ""

 #: ../../../docs/configuring-playbook-prometheus-grafana.md:0
-msgid "`prometheus_node_exporter_container_labels_traefik_enabled`"
+msgid "`prometheus_node_exporter_container_labels_metrics_enabled`"
 msgstr ""

 #: ../../../docs/configuring-playbook-prometheus-grafana.md:0
@@ -307,7 +307,7 @@ msgid "Set this to `true` to enable the [Postgres exporter](#enable-metrics-and-
 msgstr ""

 #: ../../../docs/configuring-playbook-prometheus-grafana.md:0
-msgid "`prometheus_postgres_exporter_container_labels_traefik_enabled`"
+msgid "`prometheus_postgres_exporter_container_labels_metrics_enabled`"
 msgstr ""

 #: ../../../docs/configuring-playbook-prometheus-grafana.md:0
@@ -315,19 +315,19 @@ msgid "Set this to `true` to expose the [Postgres exporter](#enable-metrics-and-
 msgstr ""

 #: ../../../docs/configuring-playbook-prometheus-grafana.md:0
-msgid "`matrix_prometheus_nginxlog_exporter_enabled`"
+msgid "`prometheus_nginxlog_exporter_enabled`"
 msgstr ""

 #: ../../../docs/configuring-playbook-prometheus-grafana.md:0
-msgid "Set this to `true` to enable the [nginx Log exporter](#enable-metrics-and-graphs-for-nginx-logs-optional) (locally, on the container network)."
+msgid "Set this to `true` to enable the [prometheus-nginxlog-exporter](#enable-metrics-and-graphs-for-nginx-logs-optional) (locally, on the container network)."
 msgstr ""

 #: ../../../docs/configuring-playbook-prometheus-grafana.md:0
-msgid "`matrix_prometheus_nginxlog_exporter_metrics_proxying_enabled`"
+msgid "`prometheus_nginxlog_exporter_container_labels_metrics_enabled`"
 msgstr ""

 #: ../../../docs/configuring-playbook-prometheus-grafana.md:0
-msgid "Set this to `true` to expose the [nginx Log exporter](#enable-metrics-and-graphs-for-nginx-logs-optional) metrics on `https://matrix.example.com/metrics/nginxlog`."
+msgid "Set this to `true` to expose the [prometheus-nginxlog-exporter](#enable-metrics-and-graphs-for-nginx-logs-optional) metrics on `https://matrix.example.com/metrics/nginxlog`."
 msgstr ""

 #: ../../../docs/configuring-playbook-prometheus-grafana.md:187
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-13 10:32+0000\n"
+"POT-Creation-Date: 2026-04-15 09:10+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -16,54 +16,18 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"

-#: ../../../docs/configuring-playbook-synapse-auto-accept-invite.md:9
-msgid "Setting up Synapse Auto Invite Accept (optional)"
+#: ../../../docs/configuring-playbook-synapse-auto-accept-invite.md:18
+msgid "Setting up Synapse Auto Invite Accept (optional, removed)"
 msgstr ""

-#: ../../../docs/configuring-playbook-synapse-auto-accept-invite.md:11
-msgid "The playbook can install and configure [synapse-auto-invite-accept](https://github.com/matrix-org/synapse-auto-accept-invite) for you."
+#: ../../../docs/configuring-playbook-synapse-auto-accept-invite.md:20
+msgid "🪦 The playbook used to be able to install and configure [synapse-auto-invite-accept](https://github.com/matrix-org/synapse-auto-accept-invite), but no longer includes this component, as the same functionality [has been integrated](https://github.com/element-hq/synapse/pull/17147) to Synapse since [v1.109.0](https://github.com/element-hq/synapse/releases/tag/v1.109.0)."
 msgstr ""

-#: ../../../docs/configuring-playbook-synapse-auto-accept-invite.md:13
-msgid "In short, it automatically accepts room invites. You can specify that only 1:1 room invites are auto-accepted. Defaults to false if not specified."
-msgstr ""
-
-#: ../../../docs/configuring-playbook-synapse-auto-accept-invite.md:15
-msgid "See the project's [documentation](https://github.com/matrix-org/synapse-auto-accept-invite/blob/main/README.md) to learn what it does and why it might be useful to you."
-msgstr ""
-
-#: ../../../docs/configuring-playbook-synapse-auto-accept-invite.md:17
-msgid "**Note**: Synapse [v1.109.0](https://github.com/element-hq/synapse/releases/tag/v1.109.0), the same feature [has been merged](https://github.com/element-hq/synapse/pull/17147) into Synapse (see the [Native alternative](#native-alternative) section below). You'd better use the native feature, instead of the [synapse-auto-invite-accept](https://github.com/matrix-org/synapse-auto-accept-invite) 3rd party module."
-msgstr ""
-
-#: ../../../docs/configuring-playbook-synapse-auto-accept-invite.md:19
-msgid "Adjusting the playbook configuration"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-synapse-auto-accept-invite.md:21
-msgid "If you decide that you'd like to let this playbook install the [synapse-auto-invite-accept](https://github.com/matrix-org/synapse-auto-accept-invite module for you, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-synapse-auto-accept-invite.md:29
-msgid "Synapse worker deployments"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-synapse-auto-accept-invite.md:31
-msgid "In a [workerized Synapse deployment](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/c9a842147e09647c355799ca024d65a5de66b099/docs/configuring-playbook-synapse.md#load-balancing-with-workers) it is possible to run this module on a worker to reduce the load on the main process (Default is `null`). For example, add this to your configuration:"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-synapse-auto-accept-invite.md:37
-msgid "There might be an [issue with federation](https://github.com/matrix-org/synapse-auto-accept-invite/issues/18)."
-msgstr ""
-
-#: ../../../docs/configuring-playbook-synapse-auto-accept-invite.md:39
+#: ../../../docs/configuring-playbook-synapse-auto-accept-invite.md:22
 msgid "Native alternative"
 msgstr ""

-#: ../../../docs/configuring-playbook-synapse-auto-accept-invite.md:41
-msgid "Since Synapse [v1.109.0](https://github.com/element-hq/synapse/releases/tag/v1.109.0), the functionality provided by the [synapse-auto-invite-accept](https://github.com/matrix-org/synapse-auto-accept-invite) 3rd party module [has been made](https://github.com/element-hq/synapse/pull/17147) part of Synapse."
-msgstr ""
-
-#: ../../../docs/configuring-playbook-synapse-auto-accept-invite.md:43
+#: ../../../docs/configuring-playbook-synapse-auto-accept-invite.md:24
 msgid "Here's example configuration for using the **native** Synapse feature:"
 msgstr ""
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-13 10:32+0000\n"
+"POT-Creation-Date: 2026-04-15 09:10+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -293,9 +293,13 @@ msgid "… triggered by the `matrix-synapse-s3-storage-provider-migrate.timer` t
 msgstr ""

 #: ../../../docs/configuring-playbook-synapse-s3-storage-provider.md:180
-msgid "So… you don't need to perform any maintenance yourself."
+msgid "The same `migrate` script also prunes empty directories in the local media repository (`remote_content` and `remote_thumbnail`) after upload/delete operations."
 msgstr ""

 #: ../../../docs/configuring-playbook-synapse-s3-storage-provider.md:182
+msgid "So… you don't need to perform any maintenance yourself."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-synapse-s3-storage-provider.md:184
 msgid "The schedule is defined in the format of systemd timer calendar. To edit the schedule, add the following configuration to your `vars.yml` file (adapt to your needs):"
 msgstr ""
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-13 10:32+0000\n"
+"POT-Creation-Date: 2026-04-15 09:10+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -45,142 +45,158 @@ msgid "Enable Traefik Dashboard"
 msgstr ""

 #: ../../../docs/configuring-playbook-traefik.md:28
-msgid "To enable a Traefik [Dashboard](https://doc.traefik.io/traefik/operations/dashboard/) UI at `https://matrix.example.com/dashboard/` (note the trailing `/`), add the following configuration to your `vars.yml` file:"
+msgid "To enable the Traefik [Dashboard](https://doc.traefik.io/traefik/operations/dashboard/) UI at `https://matrix.example.com/dashboard/` (note the trailing `/`), add the following configuration to your `vars.yml` file:"
 msgstr ""

-#: ../../../docs/configuring-playbook-traefik.md:38
-msgid "[!WARNING] Enabling the dashboard on a hostname you use for something else (like `matrix_server_fqn_matrix` in the configuration above) may cause conflicts. Enabling the Traefik Dashboard makes Traefik capture all `/dashboard` and `/api` requests and forward them to itself. If any of the services hosted on the same hostname requires any of these 2 URL prefixes, you will experience problems. So far, we're not aware of any playbook services which occupy these endpoints and are likely to cause conflicts."
-msgstr ""
-
-#: ../../../docs/configuring-playbook-traefik.md:41
-msgid "Extending the configuration"
+#: ../../../docs/configuring-playbook-traefik.md:37
+msgid "Choose a username and password for the dashboard, then generate the corresponding `htpasswd` entry with:"
 msgstr ""

 #: ../../../docs/configuring-playbook-traefik.md:43
-msgid "There are some additional things you may wish to configure about the component."
-msgstr ""
-
-#: ../../../docs/configuring-playbook-traefik.md:45
-msgid "Take a look at:"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-traefik.md:47
-msgid "[Traefik role](https://github.com/mother-of-all-self-hosting/ansible-role-traefik)'s [`defaults/main.yml`](https://github.com/mother-of-all-self-hosting/ansible-role-traefik/blob/main/defaults/main.yml) for some variables that you can customize via your `vars.yml` file. You can override settings (even those that don't have dedicated playbook variables) using the `traefik_configuration_extension_yaml` variable"
+msgid "The command outputs the exact value to use for `traefik_dashboard_basicauth_htpasswd` — your username, a colon, and a hash of your chosen password:"
 msgstr ""

 #: ../../../docs/configuring-playbook-traefik.md:49
-msgid "For example, to enable and secure the Dashboard, you can add the following configuration to your `vars.yml` file:"
+msgid "Copy the full output line into `traefik_dashboard_basicauth_htpasswd`. After deploying, log in to the dashboard using the same username and password that you chose earlier."
 msgstr ""

 #: ../../../docs/configuring-playbook-traefik.md:51
+msgid "The role also supports the legacy `traefik_dashboard_basicauth_user` / `traefik_dashboard_basicauth_password` convenience variables, but that path depends on the `passlib` Python library on the Ansible controller, may be affected by passlib/bcrypt compatibility issues, and generates non-deterministic hashes which can lead to unnecessary changes."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-traefik.md:53
+msgid "[!WARNING] Enabling the dashboard on a hostname you use for something else (like `matrix_server_fqn_matrix` in the configuration above) may cause conflicts. Enabling the Traefik Dashboard makes Traefik capture all `/dashboard` and `/api` requests and forward them to itself. If any of the services hosted on the same hostname requires any of these 2 URL prefixes, you will experience problems. So far, we're not aware of any playbook services which occupy these endpoints and are likely to cause conflicts."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-traefik.md:56
+msgid "Extending the configuration"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-traefik.md:58
+msgid "There are some additional things you may wish to configure about the component."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-traefik.md:60
+msgid "Take a look at:"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-traefik.md:62
+msgid "[Traefik role](https://github.com/mother-of-all-self-hosting/ansible-role-traefik)'s [`defaults/main.yml`](https://github.com/mother-of-all-self-hosting/ansible-role-traefik/blob/main/defaults/main.yml) for some variables that you can customize via your `vars.yml` file. You can override settings (even those that don't have dedicated playbook variables) using the `traefik_configuration_extension_yaml` variable"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-traefik.md:64
+msgid "For example, to enable and secure the Dashboard, you can add the following configuration to your `vars.yml` file:"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-traefik.md:66
 msgid "**Note**: this is a contrived example as you can enable and secure the Dashboard using the dedicated variables. See above for details."
 msgstr ""

-#: ../../../docs/configuring-playbook-traefik.md:69
+#: ../../../docs/configuring-playbook-traefik.md:84
 msgid "Reverse-proxying another service behind Traefik"
 msgstr ""

-#: ../../../docs/configuring-playbook-traefik.md:71
+#: ../../../docs/configuring-playbook-traefik.md:86
 msgid "The preferred way to reverse-proxy additional services behind Traefik would be to start the service as another container, configure the container with the corresponding Traefik [container labels](https://docs.docker.com/config/labels-custom-metadata/) (see [Traefik & Docker](https://doc.traefik.io/traefik/routing/providers/docker/)), and connect the service to the `traefik` network. Some services are also already available via the compatible [mash-playbook](https://github.com/mother-of-all-self-hosting/mash-playbook), but take a look at the minor [interoperability adjustments](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/interoperability.md)."
 msgstr ""

-#: ../../../docs/configuring-playbook-traefik.md:73
+#: ../../../docs/configuring-playbook-traefik.md:88
 msgid "However, if your service does not run on a container or runs on another machine, the following configuration might be what you are looking for."
 msgstr ""

-#: ../../../docs/configuring-playbook-traefik.md:75
+#: ../../../docs/configuring-playbook-traefik.md:90
 msgid "Reverse-proxying a remote HTTP/HTTPS service behind Traefik"
 msgstr ""

-#: ../../../docs/configuring-playbook-traefik.md:77
+#: ../../../docs/configuring-playbook-traefik.md:92
 msgid "If you want to host another webserver would be reachable via `my-fancy-website.example.net` from the internet and via `https://<internal webserver IP address>:<internal port>` from inside your network, you can make the playbook's integrated Traefik instance reverse-proxy the traffic to the correct host."
 msgstr ""

-#: ../../../docs/configuring-playbook-traefik.md:79
+#: ../../../docs/configuring-playbook-traefik.md:94
 msgid "Prerequisites: DNS and routing for the domain `my-fancy-website.example.net` need to be set up correctly. In this case, you'd be pointing the domain name to your Matrix server — `my-fancy-website.example.net` would be a CNAME going to `matrix.example.com`."
 msgstr ""

-#: ../../../docs/configuring-playbook-traefik.md:81
+#: ../../../docs/configuring-playbook-traefik.md:96
 msgid "First, we have to adjust the static configuration of Traefik, so that we can add additional configuration files:"
 msgstr ""

-#: ../../../docs/configuring-playbook-traefik.md:95
+#: ../../../docs/configuring-playbook-traefik.md:110
 msgid "If you are using a self-signed certificate on your webserver, you can tell Traefik to trust your own backend servers by adding more configuration to the static configuration file. If you do so, bear in mind the security implications of disabling the certificate validity checks towards your back end."
 msgstr ""

-#: ../../../docs/configuring-playbook-traefik.md:109
+#: ../../../docs/configuring-playbook-traefik.md:124
 msgid "Next, you have to add a new dynamic configuration file for Traefik that contains the actual information of the server using the `aux_file_definitions` variable. In this example, we will terminate SSL at the Traefik instance and connect to the other server via HTTPS. Traefik will now take care of managing the certificates."
 msgstr ""

-#: ../../../docs/configuring-playbook-traefik.md:128
-#: ../../../docs/configuring-playbook-traefik.md:151
+#: ../../../docs/configuring-playbook-traefik.md:143
+#: ../../../docs/configuring-playbook-traefik.md:166
 msgid "Changing the `url` to one with an `http://` prefix would allow to connect to the server via HTTP."
 msgstr ""

-#: ../../../docs/configuring-playbook-traefik.md:130
+#: ../../../docs/configuring-playbook-traefik.md:145
 msgid "Reverse-proxying another service behind Traefik without terminating SSL"
 msgstr ""

-#: ../../../docs/configuring-playbook-traefik.md:132
+#: ../../../docs/configuring-playbook-traefik.md:147
 msgid "If you do not want to terminate SSL at the Traefik instance (for example, because you're already terminating SSL at other webserver), you need to adjust the static configuration in the same way as in the previous chapter in order to be able to add our own dynamic configuration files. Afterwards, you can add the following configuration to your `vars.yml` configuration file:"
 msgstr ""

-#: ../../../docs/configuring-playbook-traefik.md:153
+#: ../../../docs/configuring-playbook-traefik.md:168
 msgid "With these changes, all TCP traffic will be reverse-proxied to the target system."
 msgstr ""

-#: ../../../docs/configuring-playbook-traefik.md:155
+#: ../../../docs/configuring-playbook-traefik.md:170
 msgid "[!WARNING] This configuration might lead to problems or need additional steps when a [certbot](https://certbot.eff.org/) behind Traefik also tries to manage [Let's Encrypt](https://letsencrypt.org/) certificates, as Traefik captures all traffic to ```PathPrefix(`/.well-known/acme-challenge/`)```."
 msgstr ""

-#: ../../../docs/configuring-playbook-traefik.md:158
+#: ../../../docs/configuring-playbook-traefik.md:173
 msgid "Traefik behind a `proxy_protocol` reverse-proxy"
 msgstr ""

-#: ../../../docs/configuring-playbook-traefik.md:160
+#: ../../../docs/configuring-playbook-traefik.md:175
 msgid "If you run a reverse-proxy which speaks `proxy_protocol`, add the following configuration to your `vars.yml` file:"
 msgstr ""

-#: ../../../docs/configuring-playbook-traefik.md:179
+#: ../../../docs/configuring-playbook-traefik.md:194
 msgid "Other configurations"
 msgstr ""

-#: ../../../docs/configuring-playbook-traefik.md:181
+#: ../../../docs/configuring-playbook-traefik.md:196
 msgid "Adjusting SSL certificate retrieval"
 msgstr ""

-#: ../../../docs/configuring-playbook-traefik.md:183
+#: ../../../docs/configuring-playbook-traefik.md:198
 msgid "See the dedicated [Adjusting SSL certificate retrieval](configuring-playbook-ssl-certificates.md) documentation page."
 msgstr ""

-#: ../../../docs/configuring-playbook-traefik.md:185
+#: ../../../docs/configuring-playbook-traefik.md:200
 msgid "Installing"
 msgstr ""

-#: ../../../docs/configuring-playbook-traefik.md:187
+#: ../../../docs/configuring-playbook-traefik.md:202
 msgid "After configuring the playbook, run it with [playbook tags](playbook-tags.md) as below:"
 msgstr ""

-#: ../../../docs/configuring-playbook-traefik.md:194
+#: ../../../docs/configuring-playbook-traefik.md:209
 msgid "The shortcut commands with the [`just` program](just.md) are also available: `just install-all` or `just setup-all`"
 msgstr ""

-#: ../../../docs/configuring-playbook-traefik.md:196
+#: ../../../docs/configuring-playbook-traefik.md:211
 msgid "`just install-all` is useful for maintaining your setup quickly ([2x-5x faster](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) than `just setup-all`) when its components remain unchanged. If you adjust your `vars.yml` to remove other components, you'd need to run `just setup-all`, or these components will still remain installed. Note these shortcuts run the `ensure-matrix-users-created` tag too."
 msgstr ""

-#: ../../../docs/configuring-playbook-traefik.md:198
+#: ../../../docs/configuring-playbook-traefik.md:213
 msgid "Troubleshooting"
 msgstr ""

-#: ../../../docs/configuring-playbook-traefik.md:200
+#: ../../../docs/configuring-playbook-traefik.md:215
 msgid "As with all other services, you can find the logs in [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) by logging in to the server with SSH and running `journalctl -fu matrix-traefik`."
 msgstr ""

-#: ../../../docs/configuring-playbook-traefik.md:202
+#: ../../../docs/configuring-playbook-traefik.md:217
 msgid "Increase logging verbosity"
 msgstr ""

-#: ../../../docs/configuring-playbook-traefik.md:204
+#: ../../../docs/configuring-playbook-traefik.md:219
 msgid "The default logging level for this component is `INFO`. If you want to increase the verbosity, add the following configuration to your `vars.yml` file and re-run the playbook:"
 msgstr ""
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-13 10:32+0000\n"
+"POT-Creation-Date: 2026-04-15 09:10+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -21,173 +21,213 @@ msgid "Configuring a TURN server (optional, advanced)"
 msgstr ""

 #: ../../../docs/configuring-playbook-turn.md:16
-msgid "By default, this playbook installs and configures the [coturn](https://github.com/coturn/coturn) as a TURN server, through which clients can make audio/video calls even from [NAT](https://en.wikipedia.org/wiki/Network_address_translation)-ed networks. It also configures the Synapse chat server by default, so that it points to the coturn TURN server installed by the playbook. If that's okay, you can skip this document."
+msgid "By default, the [coturn](https://github.com/coturn/coturn) TURN server component is enabled automatically only when [Jitsi](configuring-playbook-jitsi.md) is enabled. If you're not using Jitsi, coturn is not enabled by default."
 msgstr ""

 #: ../../../docs/configuring-playbook-turn.md:18
-msgid "If you'd like to stop the playbook installing the server, see the section [below](#disabling-coturn) to check the configuration for disabling it."
-msgstr ""
-
-#: ../../../docs/configuring-playbook-turn.md:20
-msgid "Adjusting the playbook configuration"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-turn.md:22
-msgid "Define public IP manually (optional)"
+msgid "If you explicitly need coturn while not using Jitsi, enable it with:"
 msgstr ""

 #: ../../../docs/configuring-playbook-turn.md:24
-msgid "In the `hosts` file we explicitly ask for your server's external IP address when defining `ansible_host`, because the same value is used for configuring coturn."
+msgid "and configure its IP-related settings in the section below."
 msgstr ""

 #: ../../../docs/configuring-playbook-turn.md:26
-msgid "If you'd rather use a local IP for `ansible_host`, add the following configuration to your `vars.yml` file. Make sure to replace `YOUR_PUBLIC_IP` with the pubic IP used by the server."
+msgid "If you'd like coturn to stay disabled even when Jitsi is enabled, or if you prefer to use an external TURN provider, see [disabling coturn](#disabling-coturn) section below."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-turn.md:28
+msgid "When Coturn is not enabled, homeservers (like Synapse) would not point to TURN servers and *legacy* audio/video call functionality may fail. If you're using [Matrix RTC](configuring-playbook-matrix-rtc.md) (for [Element Call](configuring-playbook-element-call.md)), you likely don't have a need to enable coturn."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-turn.md:30
+msgid "Adjusting firewall rules"
 msgstr ""

 #: ../../../docs/configuring-playbook-turn.md:32
-msgid "If you'd like to rely on external IP address auto-detection (not recommended unless you need it), set an empty value to the variable. The playbook will automatically contact an [echoip](https://github.com/mpolden/echoip)-compatible service (`https://ifconfig.co/json` by default) to determine your server's IP address. This API endpoint is configurable via the `coturn_turn_external_ip_address_auto_detection_echoip_service_url` variable."
+msgid "To ensure Coturn functions correctly, the following firewall rules and port forwarding settings are required when coturn is enabled:"
 msgstr ""

 #: ../../../docs/configuring-playbook-turn.md:34
-msgid "[!NOTE] You can self-host the echoip service by using the [Mother-of-All-Self-Hosting (MASH)](https://github.com/mother-of-all-self-hosting/mash-playbook) Ansible playbook. See [this page](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/services/echoip.md) for the instruction to install it with the playbook. If you are wondering how to use it for your Matrix server, refer to [this page](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/setting-up-services-on-mdad-server.md) for the overview."
+msgid "`3478/tcp`: STUN/TURN over TCP"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-turn.md:35
+msgid "`3478/udp`: STUN/TURN over UDP"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-turn.md:36
+msgid "`5349/tcp`: TURN over TCP"
 msgstr ""

 #: ../../../docs/configuring-playbook-turn.md:37
-msgid "If your server has multiple external IP addresses, the coturn role offers a different variable for specifying them:"
+msgid "`5349/udp`: TURN over UDP"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-turn.md:38
+msgid "`49152-49172/udp`: TURN/UDP relay range"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-turn.md:40
+msgid "If LiveKit's embedded TURN is enabled at the same time (for MatrixRTC/Element Call), keep the Coturn relay range distinct from LiveKit's relay range (`livekit_server_config_turn_relay_range_start`/`livekit_server_config_turn_relay_range_end`)."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-turn.md:42
+msgid "💡 Docker configures the server's internal firewall for you. In most cases, you don't need to do anything special on the host itself."
 msgstr ""

 #: ../../../docs/configuring-playbook-turn.md:44
-msgid "Change the authentication mechanism (optional)"
+msgid "Adjusting the playbook configuration"
 msgstr ""

 #: ../../../docs/configuring-playbook-turn.md:46
-msgid "The playbook uses the [`auth-secret` authentication method](https://github.com/coturn/coturn/blob/873cabd6a2e5edd7e9cc5662cac3ffe47fe87a8e/README.turnserver#L186-L199) by default, but you may switch to the [`lt-cred-mech` method](https://github.com/coturn/coturn/blob/873cabd6a2e5edd7e9cc5662cac3ffe47fe87a8e/README.turnserver#L178) which [some report](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/3191) to be working better."
+msgid "Define public IP manually (optional)"
 msgstr ""

 #: ../../../docs/configuring-playbook-turn.md:48
-msgid "To do so, add the following configuration to your `vars.yml` file:"
+msgid "If you enable coturn (either via Jitsi or manually), we recommend that you configure the public IP addresses of your server in the `vars.yml` file:"
 msgstr ""

-#: ../../../docs/configuring-playbook-turn.md:54
-msgid "Regardless of the selected authentication method, the playbook generates secrets automatically and passes them to the homeserver and coturn."
+#: ../../../docs/configuring-playbook-turn.md:55
+msgid "If you'd like to rely on external IP address auto-detection (not recommended unless you need it), avoid configuring this variable. The playbook will automatically contact an [echoip](https://github.com/mpolden/echoip)-compatible service (`https://ifconfig.co/json` by default) to determine your server's IP address. This API endpoint is configurable via the `coturn_turn_external_ip_address_auto_detection_echoip_service_url` variable."
 msgstr ""

-#: ../../../docs/configuring-playbook-turn.md:56
-msgid "If [Jitsi](configuring-playbook-jitsi.md) is installed, note that switching to `lt-cred-mech` will disable the integration between Jitsi and your coturn server, as Jitsi seems to support the `auth-secret` authentication method only."
-msgstr ""
-
-#: ../../../docs/configuring-playbook-turn.md:58
-msgid "Customize the Coturn hostname (optional)"
+#: ../../../docs/configuring-playbook-turn.md:57
+msgid "[!NOTE] You can self-host the echoip service by using the [Mother-of-All-Self-Hosting (MASH)](https://github.com/mother-of-all-self-hosting/mash-playbook) Ansible playbook. See [this page](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/services/echoip.md) for the instruction to install it with the playbook. If you are wondering how to use it for your Matrix server, refer to [this page](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/setting-up-services-on-mdad-server.md) for the overview."
 msgstr ""

 #: ../../../docs/configuring-playbook-turn.md:60
-msgid "By default, Coturn uses the same hostname as your Matrix homeserver (the value of `matrix_server_fqn_matrix`, which is typically `matrix.example.com`)."
+msgid "Change the authentication mechanism (optional)"
 msgstr ""

 #: ../../../docs/configuring-playbook-turn.md:62
-msgid "If you'd like to use a custom subdomain for Coturn (e.g., `turn.example.com` or `t.matrix.example.com`), add the following configuration to your `vars.yml` file:"
+msgid "The playbook uses the [`auth-secret` authentication method](https://github.com/coturn/coturn/blob/873cabd6a2e5edd7e9cc5662cac3ffe47fe87a8e/README.turnserver#L186-L199) by default, but you may switch to the [`lt-cred-mech` method](https://github.com/coturn/coturn/blob/873cabd6a2e5edd7e9cc5662cac3ffe47fe87a8e/README.turnserver#L178) which [some report](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/3191) to be working better."
 msgstr ""

-#: ../../../docs/configuring-playbook-turn.md:68
-msgid "The playbook will automatically:"
-msgstr ""
-
-#: ../../../docs/configuring-playbook-turn.md:69
-msgid "Configure Coturn to use this hostname"
+#: ../../../docs/configuring-playbook-turn.md:64
+msgid "To do so, add the following configuration to your `vars.yml` file:"
 msgstr ""

 #: ../../../docs/configuring-playbook-turn.md:70
+msgid "Regardless of the selected authentication method, the playbook generates secrets automatically and passes them to the homeserver and coturn."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-turn.md:72
+msgid "If [Jitsi](configuring-playbook-jitsi.md) is installed, note that switching to `lt-cred-mech` will disable the integration between Jitsi and your coturn server, as Jitsi seems to support the `auth-secret` authentication method only."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-turn.md:74
+msgid "Customize the Coturn hostname (optional)"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-turn.md:76
+msgid "By default, Coturn uses the same hostname as your Matrix homeserver (the value of `matrix_server_fqn_matrix`, which is typically `matrix.example.com`)."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-turn.md:78
+msgid "If you'd like to use a custom subdomain for Coturn (e.g., `turn.example.com` or `t.matrix.example.com`), add the following configuration to your `vars.yml` file:"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-turn.md:84
+msgid "The playbook will automatically:"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-turn.md:85
+msgid "Configure Coturn to use this hostname"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-turn.md:86
 msgid "Obtain an SSL certificate for the custom domain via Traefik"
 msgstr ""

-#: ../../../docs/configuring-playbook-turn.md:71
+#: ../../../docs/configuring-playbook-turn.md:87
 msgid "Update all TURN URIs to point to the custom domain"
 msgstr ""

-#: ../../../docs/configuring-playbook-turn.md:73
+#: ../../../docs/configuring-playbook-turn.md:89
 msgid "**Note**: Make sure the custom hostname resolves to your server's IP address via DNS before running the playbook."
 msgstr ""

-#: ../../../docs/configuring-playbook-turn.md:75
+#: ../../../docs/configuring-playbook-turn.md:91
 msgid "Use your own external coturn server (optional)"
 msgstr ""

-#: ../../../docs/configuring-playbook-turn.md:77
+#: ../../../docs/configuring-playbook-turn.md:93
 msgid "If you'd like to use another TURN server (be it coturn or some other one), add the following configuration to your `vars.yml` file. Make sure to replace `HOSTNAME_OR_IP` with your own."
 msgstr ""

-#: ../../../docs/configuring-playbook-turn.md:91
+#: ../../../docs/configuring-playbook-turn.md:107
 msgid "If you have or want to enable Jitsi, you might want to enable the TURN server there too. If you do not do it, Jitsi will fall back to an upstream service."
 msgstr ""

-#: ../../../docs/configuring-playbook-turn.md:98
+#: ../../../docs/configuring-playbook-turn.md:114
 msgid "You can put multiple host/port combinations if you'd like to."
 msgstr ""

-#: ../../../docs/configuring-playbook-turn.md:100
+#: ../../../docs/configuring-playbook-turn.md:116
 msgid "Edit the reloading schedule (optional)"
 msgstr ""

-#: ../../../docs/configuring-playbook-turn.md:102
+#: ../../../docs/configuring-playbook-turn.md:118
 msgid "By default the service is reloaded on 6:30 a.m. every day based on the `coturn_reload_schedule` variable so that new SSL certificates can kick in. It is defined in the format of systemd timer calendar."
 msgstr ""

-#: ../../../docs/configuring-playbook-turn.md:104
+#: ../../../docs/configuring-playbook-turn.md:120
 msgid "To edit the schedule, add the following configuration to your `vars.yml` file (adapt to your needs):"
 msgstr ""

-#: ../../../docs/configuring-playbook-turn.md:110
+#: ../../../docs/configuring-playbook-turn.md:126
 msgid "**Note**: the actual job may run with a delay. See `coturn_reload_schedule_randomized_delay_sec` for its default value."
 msgstr ""

-#: ../../../docs/configuring-playbook-turn.md:112
+#: ../../../docs/configuring-playbook-turn.md:128
 msgid "Extending the configuration"
 msgstr ""

-#: ../../../docs/configuring-playbook-turn.md:114
+#: ../../../docs/configuring-playbook-turn.md:130
 msgid "There are some additional things you may wish to configure about the TURN server."
 msgstr ""

-#: ../../../docs/configuring-playbook-turn.md:116
+#: ../../../docs/configuring-playbook-turn.md:132
 msgid "Take a look at:"
 msgstr ""

-#: ../../../docs/configuring-playbook-turn.md:118
+#: ../../../docs/configuring-playbook-turn.md:134
 msgid "`roles/galaxy/coturn/defaults/main.yml` for some variables that you can customize via your `vars.yml` file"
 msgstr ""

-#: ../../../docs/configuring-playbook-turn.md:120
+#: ../../../docs/configuring-playbook-turn.md:136
 msgid "Disabling coturn"
 msgstr ""

-#: ../../../docs/configuring-playbook-turn.md:122
-msgid "If, for some reason, you'd like for the playbook to not install coturn (or to uninstall it if it was previously installed), add the following configuration to your `vars.yml` file:"
+#: ../../../docs/configuring-playbook-turn.md:138
+msgid "Coturn is only enabled by default when [Jitsi](configuring-playbook-jitsi.md) is enabled. In most instances, you don't need to explicitly disable it."
 msgstr ""

-#: ../../../docs/configuring-playbook-turn.md:128
-msgid "In that case, Synapse would not point to any coturn servers and audio/video call functionality may fail."
+#: ../../../docs/configuring-playbook-turn.md:140
+msgid "To force the playbook to not install Coturn (even when Jitsi is enabled), add the following configuration to your `vars.yml` file:"
 msgstr ""

-#: ../../../docs/configuring-playbook-turn.md:130
+#: ../../../docs/configuring-playbook-turn.md:146
 msgid "Installing"
 msgstr ""

-#: ../../../docs/configuring-playbook-turn.md:132
+#: ../../../docs/configuring-playbook-turn.md:148
 msgid "After configuring the playbook, run it with [playbook tags](playbook-tags.md) as below:"
 msgstr ""

-#: ../../../docs/configuring-playbook-turn.md:139
+#: ../../../docs/configuring-playbook-turn.md:155
 msgid "The shortcut commands with the [`just` program](just.md) are also available: `just install-all` or `just setup-all`"
 msgstr ""

-#: ../../../docs/configuring-playbook-turn.md:141
+#: ../../../docs/configuring-playbook-turn.md:157
 msgid "`just install-all` is useful for maintaining your setup quickly ([2x-5x faster](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) than `just setup-all`) when its components remain unchanged. If you adjust your `vars.yml` to remove other components, you'd need to run `just setup-all`, or these components will still remain installed. Note these shortcuts run the `ensure-matrix-users-created` tag too."
 msgstr ""

-#: ../../../docs/configuring-playbook-turn.md:143
+#: ../../../docs/configuring-playbook-turn.md:159
 msgid "Troubleshooting"
 msgstr ""

-#: ../../../docs/configuring-playbook-turn.md:145
+#: ../../../docs/configuring-playbook-turn.md:161
 msgid "As with all other services, you can find the logs in [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) by logging in to the server with SSH and running `journalctl -fu matrix-coturn`."
 msgstr ""
@@ -0,0 +1,269 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) 2018-2026, Slavi Pantaleev, Aine Etke, MDAD community members
+# This file is distributed under the same license as the matrix-docker-ansible-deploy package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: matrix-docker-ansible-deploy \n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2026-05-09 06:50+0000\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#: ../../../docs/configuring-playbook-tuwunel.md:8
+msgid "Configuring Tuwunel (optional)"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:10
+msgid "The playbook can install and configure the [Tuwunel](https://matrix-construct.github.io/tuwunel/) Matrix homeserver for you."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:12
+msgid "Tuwunel is a featureful homeserver written entirely in Rust, intended as a scalable, low-cost, enterprise-ready alternative to Synapse that fully implements the [Matrix specification](https://spec.matrix.org/latest/) for all but the most niche uses. It is the official successor to [conduwuit](configuring-playbook-conduwuit.md), is now sponsored by the government of Switzerland 🇨🇭 (where it is currently deployed for citizens), and is used by a number of organisations with a vested interest in its continued development. See the project's [documentation](https://matrix-construct.github.io/tuwunel/) for further background."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:14
+msgid "By default, the playbook installs [Synapse](https://github.com/element-hq/synapse) as it's the only full-featured Matrix server at the moment. If that's okay, you can skip this document."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:16
+msgid "[!WARNING]"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:17
+msgid "**You can't switch an existing Matrix server's implementation** (e.g. Synapse → Tuwunel). Proceed below only if you're OK with starting over, or you're dealing with a server on a new domain name which hasn't participated in the Matrix federation yet. The one exception is migrating from conduwuit; see [Migrating from conduwuit](#migrating-from-conduwuit)."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:18
+msgid "**Homeserver implementations other than Synapse may not be fully functional** with every part of this playbook. Make yourself familiar with the trade-offs before proceeding."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:20
+msgid "Adjusting the playbook configuration"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:22
+msgid "To use Tuwunel, set the following on `inventory/host_vars/matrix.example.com/vars.yml`:"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:36
+msgid "The first user account that registers becomes a server admin and is automatically invited to the admin room. See [Creating the first user account](#creating-the-first-user-account) below for the bootstrap procedure."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:38
+msgid "Wiring done for you"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:40
+msgid "When `matrix_homeserver_implementation: tuwunel` is set, the playbook automatically integrates Tuwunel with the rest of your stack:"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:42
+msgid "**Federation.** Toggled by `matrix_homeserver_federation_enabled`. The federation virtual host (port 8448 in the default setup) is wired up via Traefik labels."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:43
+msgid "**Well-known.** `matrix_tuwunel_config_well_known_client` is set to your public homeserver URL whenever SSL is enabled. Matrix clients use this for delegated-domain server discovery; identity-provider entries below can also omit their `callback_url`, since Tuwunel derives `<well-known>/_matrix/client/unstable/login/sso/callback/<client_id>` automatically."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:44
+msgid "**Element Call / MatrixRTC.** When the [LiveKit JWT service](configuring-playbook-matrix-rtc.md) is enabled, Tuwunel publishes its public URL through `.well-known/matrix/client` per [MSC4143](https://github.com/matrix-org/matrix-spec-proposals/pull/4143)."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:45
+msgid "**Legacy calls (TURN).** When [Coturn](configuring-playbook-turn.md) is enabled, its URIs and shared secret (or username/password, depending on `coturn_authentication_method`) are wired automatically."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:47
+msgid "Extending the configuration"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:49
+msgid "Tuwunel exposes a large configuration surface. The role surfaces commonly used options as Ansible variables under `matrix_tuwunel_config_*`. See [`roles/custom/matrix-tuwunel/defaults/main.yml`](../roles/custom/matrix-tuwunel/defaults/main.yml) for the complete list, and [`roles/custom/matrix-tuwunel/templates/tuwunel.toml.j2`](../roles/custom/matrix-tuwunel/templates/tuwunel.toml.j2) for the rendered configuration."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:51
+msgid "For options that aren't surfaced as a dedicated variable, [environment variables](https://matrix-construct.github.io/tuwunel/configuration.html#environment-variables) are the recommended override mechanism. They take priority over the rendered TOML, are scoped to the running container, and require no template patching:"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:59
+msgid "Keys nested under a TOML section use `__` (double underscore) to descend, e.g. `TUWUNEL_WELL_KNOWN__SERVER`. User-named sections become path segments too: `TUWUNEL_STORAGE_PROVIDER__ARCHIVE__S3__URL` overrides the `url` field of the `archive` storage provider in the example below."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:61
+msgid "If you need wholesale control of the configuration file, copy [`roles/custom/matrix-tuwunel/templates/tuwunel.toml.j2`](../roles/custom/matrix-tuwunel/templates/tuwunel.toml.j2) into your inventory and point `matrix_tuwunel_template_tuwunel_config` at your copy."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:63
+msgid "The container image published as `:latest` is built with `io_uring`, `jemalloc`, LDAP, blurhashing, URL preview, sentry telemetry, and zstd compression all enabled, so most opt-in features are simply a configuration toggle away."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:65
+msgid "Identity providers (OAuth2 / OIDC)"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:67
+msgid "Configure one or more `[[global.identity_provider]]` entries via a list. Each entry maps directly to Tuwunel's [identity-provider fields](https://matrix-construct.github.io/tuwunel/authentication/providers.html); only the fields you set are emitted. GitHub, GitLab, and Google have built-in `issuer_url` defaults so a `client_id` plus `client_secret` is enough; for any other `brand` (Apple, Facebook, Keycloak, MAS, Twitter, etc.) you must supply `issuer_url` explicitly:"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:82
+msgid "Self-hosted providers must supply both `client_id` and `issuer_url`. Set `trusted: true` only on providers you operate yourself; trusting a public provider (GitHub, Google, etc.) is an account-takeover risk."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:84
+msgid "LDAP"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:86
+msgid "Tuwunel can authenticate `m.login.password` requests against an LDAP directory and, in search-then-bind mode, keep admin status in sync with directory membership. The shipped image already includes the `ldap` build feature."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:97
+msgid "[!NOTE] `bind_password_file` is read **inside the container**. The role bind-mounts `/matrix/tuwunel/config` to `/etc/tuwunel` (read-only) and `/matrix/tuwunel/data` to `/var/lib/tuwunel`. To make the file available at the path above, drop it on the host at `/matrix/tuwunel/config/ldap.pw` (owned by `matrix:matrix`) before running the playbook; the role does not template secret files for you."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:100
+msgid "For direct-bind, anonymous-search, and admin-sync details, see [LDAP authentication](https://matrix-construct.github.io/tuwunel/authentication/ldap.html)."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:102
+msgid "JWT login"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:104
+msgid "Tuwunel can accept signed JSON Web Tokens both as a login flow and as a User-Interactive Authentication step:"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:115
+msgid "The defaults match Synapse's `experimental_features.jwt_config` semantics, so a key + algorithm port should authenticate the same set of tokens. See [Enterprise JWT](https://matrix-construct.github.io/tuwunel/authentication/jwt.html) for the full reference, including the asymmetric (ECDSA / EdDSA) formats and the operator-controlled UIAA override flow."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:117
+msgid "Media storage providers"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:119
+msgid "Each entry becomes a `[global.storage_provider.<id>.<kind>]` block. `kind` is `local` or `s3`; the remaining keys map directly to the fields documented in [Storage providers](https://matrix-construct.github.io/tuwunel/media/storage.html):"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:136
+msgid "The S3 backend ships with native multipart upload, so no goofys/rclone sidecar is required. MinIO, Cloudflare R2, and DigitalOcean Spaces all work; set `endpoint` and `use_vhost_request: false` as appropriate."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:138
+msgid "[!NOTE] Local provider paths must live under `/var/lib/tuwunel` (the container's data mount, persisted on the host at `/matrix/tuwunel/data`), or you must mount the target directory into the container yourself via `matrix_tuwunel_container_extra_arguments`. The container otherwise runs read-only."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:141
+msgid "RocksDB and cache tuning"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:143
+msgid "Tuwunel embeds RocksDB. The defaults (`rocksdb_compression_algo: zstd`) suit most deployments. For high-throughput servers you may want to enable direct I/O, raise parallelism, and bump the cache modifier:"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:152
+msgid "If you run on ZFS, the [Tuwunel maintenance guide](https://matrix-construct.github.io/tuwunel/maintenance.html#zfs) lists the dataset properties (`recordsize`, `primarycache`, `compression`, `atime`, `logbias`) and config flags (`rocksdb_direct_io`, `rocksdb_allow_fallocate`) you need to adjust to avoid severe write amplification."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:154
+msgid "To enable Sentry crash reporting, set `matrix_tuwunel_config_sentry_enabled: true`."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:156
+msgid "Federation gating"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:158
+msgid "Tuwunel accepts regular-expression patterns at every level of remote-server filtering:"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:169
+msgid "Tuwunel additionally implements [MSC4284 policy servers](https://github.com/matrix-org/matrix-spec-proposals/pull/4284) for room-level federation gating. The policy itself lives in room state, but enforcement is opt-in at the server level:"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:176
+msgid "When enabled, rooms with a valid `m.room.policy` state event have outgoing events signed by the configured policy server before federation. Transient network or timeout failures fail open (with a warn log), so a policy-server outage will not silently take the room offline."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:178
+msgid "Default room version"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:180
+msgid "The role sets `default_room_version: '12'`, so newly created rooms default to Matrix [room version 12](https://github.com/matrix-org/matrix-spec-proposals/pull/4289) (\"Hydra\"). Override `matrix_tuwunel_config_default_room_version` if you need an earlier version for client compatibility."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:182
+msgid "Creating the first user account"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:184
+msgid "Unlike Synapse and Dendrite, Tuwunel does not register users from the command line or via the playbook. On first startup it logs a one-time-use registration token to its journal:"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:191
+msgid "Use the token to create your first account from any client that supports token-gated registration (e.g. [Element Web](configuring-playbook-client-element-web.md)). The account is auto-promoted to admin and invited to the admin room together with the `@conduit:<server_name>` server bot. The bot keeps the legacy `conduit` localpart due to the project's lineage from Conduit."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:193
+msgid "Configuring bridges and appservices"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:195
+msgid "The playbook does not auto-register appservices for Tuwunel. After your bridge has produced its `registration.yaml` (e.g. `/matrix/mautrix-signal/bridge/registration.yaml`), register it manually by sending the contents to the admin room, prefixed with `!admin appservices register` and wrapped in a fenced code block:"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:216
+msgid "Registrations stored this way are persisted in the database and survive restarts. Re-running the command with the same `id` replaces the existing entry. See [Application services](https://matrix-construct.github.io/tuwunel/appservices.html) for the full reference and admin commands."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:218
+msgid "Migrating from conduwuit"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:220
+msgid "Tuwunel is a \"binary swap\" for conduwuit; it reads conduwuit's RocksDB layout directly, so migration is a data move, not an export/import."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:222
+msgid "Set `matrix_homeserver_implementation: tuwunel` on `vars.yml` and remove any `matrix_conduwuit_*` overrides."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:223
+msgid "Run a full installation so that the new service is created and the old one removed (e.g. `just setup-all`)."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:224
+msgid "Run `just run-tags tuwunel-migrate-from-conduwuit`."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:226
+msgid "The migration stops `matrix-conduwuit.service`, copies `/matrix/conduwuit` into `/matrix/tuwunel`, renames the config file, and starts `matrix-tuwunel.service`. The freshly generated tuwunel data directory is preserved alongside as `/matrix/tuwunel_old` until you remove it manually."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:228
+msgid "[!CAUTION] Migrating from any other Conduit derivative (Conduit itself, Continuwuity, or any other fork) is **not supported** and will corrupt your database. All Conduit forks share the same linear database version with no awareness of each other; switching between them produces unrecoverable damage. See the [upstream migration table](https://matrix-construct.github.io/tuwunel/#migrating-to-tuwunel)."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:231
+msgid "Troubleshooting"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:233
+msgid "As with all other services, the logs are available via [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html):"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:239
+msgid "Logging verbosity is controlled by `matrix_tuwunel_config_log` in [`tracing-subscriber` env-filter syntax](https://docs.rs/tracing-subscriber/latest/tracing_subscriber/filter/struct.EnvFilter.html). The default (`info,state_res=warn`) is reasonable for production; for debugging, try `debug` or scope it tighter, e.g. `info,tuwunel_service::sending=debug`."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-tuwunel.md:241
+msgid "For RocksDB-level issues, online backups, and offline backup procedures, see the [Tuwunel maintenance guide](https://matrix-construct.github.io/tuwunel/maintenance.html). For protocol-compliance state across MSCs, the spec, and Complement, the project's [compliance dashboard](https://matrix-construct.github.io/tuwunel/development/compliance.html) is the authoritative tracker."
+msgstr ""
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-04-03 11:56+0100\n"
+"POT-Creation-Date: 2026-05-07 11:16+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -97,485 +97,493 @@ msgid "[Configuring continuwuity](configuring-playbook-continuwuity.md), if you'
 msgstr ""

 #: ../../../docs/configuring-playbook.md:56
-msgid "[Configuring Dendrite](configuring-playbook-dendrite.md), if you've switched to the [Dendrite](https://matrix-org.github.io/dendrite) homeserver implementation"
+msgid "[Configuring Tuwunel](configuring-playbook-tuwunel.md), if you've switched to the [Tuwunel](https://matrix-construct.github.io/tuwunel/) homeserver implementation"
 msgstr ""

 #: ../../../docs/configuring-playbook.md:58
+msgid "[Configuring Dendrite](configuring-playbook-dendrite.md), if you've switched to the [Dendrite](https://matrix-org.github.io/dendrite) homeserver implementation"
+msgstr ""
+
+#: ../../../docs/configuring-playbook.md:60
 msgid "Server components:"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:59
+#: ../../../docs/configuring-playbook.md:61
 msgid "[Using an external PostgreSQL server](configuring-playbook-external-postgres.md)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:61
+#: ../../../docs/configuring-playbook.md:63
 msgid "[Configuring a TURN server](configuring-playbook-turn.md) (advanced)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:63
+#: ../../../docs/configuring-playbook.md:65
 msgid "[Configuring the Traefik reverse-proxy](configuring-playbook-traefik.md) (advanced)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:65
+#: ../../../docs/configuring-playbook.md:67
 msgid "[Using your own webserver, instead of this playbook's Traefik reverse-proxy](configuring-playbook-own-webserver.md) (advanced)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:67
+#: ../../../docs/configuring-playbook.md:69
 msgid "[Adjusting SSL certificate retrieval](configuring-playbook-ssl-certificates.md) (advanced)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:69
+#: ../../../docs/configuring-playbook.md:71
 msgid "[Adjusting email-sending settings](configuring-playbook-email.md)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:71
+#: ../../../docs/configuring-playbook.md:73
 msgid "[Setting up Dynamic DNS](configuring-playbook-dynamic-dns.md)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:73
+#: ../../../docs/configuring-playbook.md:75
 msgid "Server connectivity:"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:74
+#: ../../../docs/configuring-playbook.md:76
 msgid "[Enabling Telemetry for your Matrix server](configuring-playbook-telemetry.md)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:76
+#: ../../../docs/configuring-playbook.md:78
 msgid "[Controlling Matrix federation](configuring-playbook-federation.md)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:78
+#: ../../../docs/configuring-playbook.md:80
 msgid "[Configuring IPv6](./configuring-ipv6.md)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:80
+#: ../../../docs/configuring-playbook.md:82
 msgid "Clients"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:82
+#: ../../../docs/configuring-playbook.md:84
 msgid "Web clients for Matrix that you can host on your own domains."
 msgstr ""

-#: ../../../docs/configuring-playbook.md:84
+#: ../../../docs/configuring-playbook.md:86
 msgid "[Configuring Element Web](configuring-playbook-client-element-web.md), if you're going with the default/recommended client"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:86
+#: ../../../docs/configuring-playbook.md:88
 msgid "[Setting up Hydrogen](configuring-playbook-client-hydrogen.md), if you've enabled [Hydrogen](https://github.com/element-hq/hydrogen-web), a lightweight Matrix client with legacy and mobile browser support"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:88
+#: ../../../docs/configuring-playbook.md:90
 msgid "[Setting up Cinny](configuring-playbook-client-cinny.md), if you've enabled [Cinny](https://github.com/ajbura/cinny), a web client focusing primarily on simple, elegant and secure interface"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:90
+#: ../../../docs/configuring-playbook.md:92
 msgid "[Setting up Sable](configuring-playbook-client-sable.md), if you've enabled [Sable](https://github.com/7w1/sable), a web client focusing primarily on simple, elegant and secure interface"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:92
+#: ../../../docs/configuring-playbook.md:94
 msgid "[Setting up SchildiChat Web](configuring-playbook-client-schildichat-web.md), if you've enabled [SchildiChat Web](https://schildi.chat/), a web client based on [Element Web](https://element.io/) with some extras and tweaks"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:94
+#: ../../../docs/configuring-playbook.md:96
 msgid "[Setting up FluffyChat Web](configuring-playbook-client-fluffychat-web.md), if you've enabled [FluffyChat Web](https://github.com/krille-chan/fluffychat), a cute cross-platform messenger (web, iOS, Android) for Matrix written in [Flutter](https://flutter.dev/)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:97
+#: ../../../docs/configuring-playbook.md:99
 msgid "Authentication and user-related"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:99
+#: ../../../docs/configuring-playbook.md:101
 msgid "Extend and modify how users are authenticated on your homeserver."
 msgstr ""

-#: ../../../docs/configuring-playbook.md:101
+#: ../../../docs/configuring-playbook.md:103
 msgid "[Setting up Matrix Authentication Service](configuring-playbook-matrix-authentication-service.md) (Next-generation auth for Matrix, based on OAuth 2.0/OIDC)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:103
+#: ../../../docs/configuring-playbook.md:105
 msgid "[Setting up Appservice Double Puppet](configuring-playbook-appservice-double-puppet.md)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:105
+#: ../../../docs/configuring-playbook.md:107
 msgid "[Setting up Ketesa](configuring-playbook-ketesa.md)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:107
+#: ../../../docs/configuring-playbook.md:109
 msgid "[Setting up matrix-registration](configuring-playbook-matrix-registration.md)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:109
+#: ../../../docs/configuring-playbook.md:111
 msgid "[Setting up the REST authentication password provider module](configuring-playbook-rest-auth.md) (advanced)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:111
+#: ../../../docs/configuring-playbook.md:113
 msgid "[Setting up the Shared Secret Auth password provider module](configuring-playbook-shared-secret-auth.md) (advanced)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:113
+#: ../../../docs/configuring-playbook.md:115
 msgid "[Setting up the LDAP authentication password provider module](configuring-playbook-ldap-auth.md) (advanced)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:115
+#: ../../../docs/configuring-playbook.md:117
 msgid "[Setting up matrix-ldap-registration-proxy](configuring-playbook-matrix-ldap-registration-proxy.md) (advanced)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:117
+#: ../../../docs/configuring-playbook.md:119
 msgid "[Setting up Synapse Simple Antispam](configuring-playbook-synapse-simple-antispam.md) (advanced)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:119
+#: ../../../docs/configuring-playbook.md:121
 msgid "[Setting up Matrix User Verification Service](configuring-playbook-user-verification-service.md) (advanced)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:121
+#: ../../../docs/configuring-playbook.md:123
 msgid "File Storage"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:123
+#: ../../../docs/configuring-playbook.md:125
 msgid "Use alternative file storage to the default `media_store` folder."
 msgstr ""

-#: ../../../docs/configuring-playbook.md:125
+#: ../../../docs/configuring-playbook.md:127
 msgid "[Storing Matrix media files using matrix-media-repo](configuring-playbook-matrix-media-repo.md)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:127
+#: ../../../docs/configuring-playbook.md:129
 msgid "[Storing Synapse media files on Amazon S3 or another compatible Object Storage](configuring-playbook-s3.md)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:129
+#: ../../../docs/configuring-playbook.md:131
 msgid "[Storing Synapse media files on Amazon S3 with Goofys](configuring-playbook-s3-goofys.md)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:131
+#: ../../../docs/configuring-playbook.md:133
 msgid "[Storing Synapse media files on Amazon S3 with synapse-s3-storage-provider](configuring-playbook-synapse-s3-storage-provider.md)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:133
+#: ../../../docs/configuring-playbook.md:135
 msgid "Bridging other networks"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:135
+#: ../../../docs/configuring-playbook.md:137
 msgid "Bridges can be used to connect your Matrix installation with third-party communication networks."
 msgstr ""

-#: ../../../docs/configuring-playbook.md:137
+#: ../../../docs/configuring-playbook.md:139
 msgid "[Setting up a Generic Mautrix Bridge](configuring-playbook-bridge-mautrix-bridges.md) — a common guide for configuring mautrix bridges"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:139
+#: ../../../docs/configuring-playbook.md:141
 msgid "[Setting up Mautrix Bluesky bridging](configuring-playbook-bridge-mautrix-bluesky.md)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:141
+#: ../../../docs/configuring-playbook.md:143
 msgid "[Setting up Mautrix Discord bridging](configuring-playbook-bridge-mautrix-discord.md)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:143
+#: ../../../docs/configuring-playbook.md:145
 msgid "[Setting up Mautrix Telegram bridging](configuring-playbook-bridge-mautrix-telegram.md)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:145
+#: ../../../docs/configuring-playbook.md:147
 msgid "[Setting up Mautrix Slack bridging](configuring-playbook-bridge-mautrix-slack.md)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:147
+#: ../../../docs/configuring-playbook.md:149
 msgid "[Setting up Mautrix Google Messages bridging](configuring-playbook-bridge-mautrix-gmessages.md)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:149
+#: ../../../docs/configuring-playbook.md:151
 msgid "[Setting up Mautrix Whatsapp bridging](configuring-playbook-bridge-mautrix-whatsapp.md)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:151
+#: ../../../docs/configuring-playbook.md:153
 msgid "[Setting up Instagram bridging via Mautrix Meta](configuring-playbook-bridge-mautrix-meta-instagram.md)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:153
+#: ../../../docs/configuring-playbook.md:155
 msgid "[Setting up Messenger bridging via Mautrix Meta](configuring-playbook-bridge-mautrix-meta-messenger.md)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:155
+#: ../../../docs/configuring-playbook.md:157
 msgid "[Setting up Mautrix Google Chat bridging](configuring-playbook-bridge-mautrix-googlechat.md)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:157
+#: ../../../docs/configuring-playbook.md:159
 msgid "[Setting up Mautrix Twitter bridging](configuring-playbook-bridge-mautrix-twitter.md)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:159
+#: ../../../docs/configuring-playbook.md:161
 msgid "[Setting up Mautrix Signal bridging](configuring-playbook-bridge-mautrix-signal.md)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:161
+#: ../../../docs/configuring-playbook.md:163
 msgid "[Setting up Mautrix wsproxy for bridging Android SMS or Apple iMessage](configuring-playbook-bridge-mautrix-wsproxy.md)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:163
+#: ../../../docs/configuring-playbook.md:165
 msgid "[Setting up Appservice IRC bridging](configuring-playbook-bridge-appservice-irc.md)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:165
+#: ../../../docs/configuring-playbook.md:167
 msgid "[Setting up Appservice Discord bridging](configuring-playbook-bridge-appservice-discord.md)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:167
+#: ../../../docs/configuring-playbook.md:169
 msgid "[Setting up Appservice Kakaotalk bridging](configuring-playbook-bridge-appservice-kakaotalk.md)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:169
+#: ../../../docs/configuring-playbook.md:171
 msgid "[Setting up Beeper LinkedIn bridging](configuring-playbook-bridge-beeper-linkedin.md)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:171
+#: ../../../docs/configuring-playbook.md:173
 msgid "[Setting up matrix-hookshot](configuring-playbook-bridge-hookshot.md) — a bridge between Matrix and multiple project management services, such as [GitHub](https://github.com), [GitLab](https://about.gitlab.com) and [JIRA](https://www.atlassian.com/software/jira)."
 msgstr ""

-#: ../../../docs/configuring-playbook.md:173
+#: ../../../docs/configuring-playbook.md:175
 msgid "[Setting up MX Puppet GroupMe bridging](configuring-playbook-bridge-mx-puppet-groupme.md)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:175
+#: ../../../docs/configuring-playbook.md:177
 msgid "[Setting up Steam bridging](configuring-playbook-bridge-steam.md)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:177
+#: ../../../docs/configuring-playbook.md:179
 msgid "[Setting up MX Puppet Steam bridging](configuring-playbook-bridge-mx-puppet-steam.md)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:179
+#: ../../../docs/configuring-playbook.md:181
 msgid "[Setting up Postmoogle email bridging](configuring-playbook-bridge-postmoogle.md)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:181
+#: ../../../docs/configuring-playbook.md:183
 msgid "[Setting up Matrix SMS bridging](configuring-playbook-bridge-matrix-bridge-sms.md)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:183
+#: ../../../docs/configuring-playbook.md:185
 msgid "[Setting up Heisenbridge bouncer-style IRC bridging](configuring-playbook-bridge-heisenbridge.md)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:185
-msgid "[Setting up WeChat bridging](configuring-playbook-bridge-wechat.md)"
-msgstr ""
-
 #: ../../../docs/configuring-playbook.md:187
-msgid "Bots"
+msgid "[Setting up a Matrix <-> Meshtastic bridge](configuring-playbook-bridge-meshtastic-relay.md)"
 msgstr ""

 #: ../../../docs/configuring-playbook.md:189
-msgid "Bots provide various additional functionality to your installation."
+msgid "[Setting up WeChat bridging](configuring-playbook-bridge-wechat.md)"
 msgstr ""

 #: ../../../docs/configuring-playbook.md:191
-msgid "[Setting up baibot](configuring-playbook-bot-baibot.md) — a bot through which you can talk to various [AI](https://en.wikipedia.org/wiki/Artificial_intelligence) / [Large Language Models](https://en.wikipedia.org/wiki/Large_language_model) services ([OpenAI](https://openai.com/)'s [ChatGPT](https://openai.com/blog/chatgpt/) and [others](https://github.com/etkecc/baibot/blob/main/docs/providers.md))"
+msgid "Bots"
 msgstr ""

 #: ../../../docs/configuring-playbook.md:193
-msgid "[Setting up matrix-reminder-bot](configuring-playbook-bot-matrix-reminder-bot.md) — a bot to remind you about stuff"
+msgid "Bots provide various additional functionality to your installation."
 msgstr ""

 #: ../../../docs/configuring-playbook.md:195
-msgid "[Setting up matrix-registration-bot](configuring-playbook-bot-matrix-registration-bot.md) — a bot to create and manage registration tokens to invite users"
+msgid "[Setting up baibot](configuring-playbook-bot-baibot.md) — a bot through which you can talk to various [AI](https://en.wikipedia.org/wiki/Artificial_intelligence) / [Large Language Models](https://en.wikipedia.org/wiki/Large_language_model) services ([OpenAI](https://openai.com/)'s [ChatGPT](https://openai.com/blog/chatgpt/) and [others](https://github.com/etkecc/baibot/blob/main/docs/providers.md))"
 msgstr ""

 #: ../../../docs/configuring-playbook.md:197
-msgid "[Setting up maubot](configuring-playbook-bot-maubot.md) — a plugin-based Matrix bot system"
+msgid "[Setting up matrix-reminder-bot](configuring-playbook-bot-matrix-reminder-bot.md) — a bot to remind you about stuff"
 msgstr ""

 #: ../../../docs/configuring-playbook.md:199
-msgid "[Setting up Honoroit](configuring-playbook-bot-honoroit.md) — a helpdesk bot"
+msgid "[Setting up matrix-registration-bot](configuring-playbook-bot-matrix-registration-bot.md) — a bot to create and manage registration tokens to invite users"
 msgstr ""

 #: ../../../docs/configuring-playbook.md:201
-msgid "[Setting up Mjolnir](configuring-playbook-bot-mjolnir.md) — a moderation tool/bot"
+msgid "[Setting up maubot](configuring-playbook-bot-maubot.md) — a plugin-based Matrix bot system"
 msgstr ""

 #: ../../../docs/configuring-playbook.md:203
-msgid "[Setting up Draupnir](configuring-playbook-bot-draupnir.md) — a moderation tool/bot, forked from Mjolnir and maintained by its former leader developer"
+msgid "[Setting up Honoroit](configuring-playbook-bot-honoroit.md) — a helpdesk bot"
 msgstr ""

 #: ../../../docs/configuring-playbook.md:205
-msgid "[Setting up Draupnir for all/D4A](configuring-playbook-appservice-draupnir-for-all.md) — like the [Draupnir bot](configuring-playbook-bot-draupnir.md) mentioned above, but running in appservice mode and supporting multiple instances"
+msgid "[Setting up Mjolnir](configuring-playbook-bot-mjolnir.md) — a moderation tool/bot"
 msgstr ""

 #: ../../../docs/configuring-playbook.md:207
-msgid "[Setting up Buscarron](configuring-playbook-bot-buscarron.md) — a bot you can use to send any form (HTTP POST, HTML) to a (encrypted) Matrix room"
+msgid "[Setting up Draupnir](configuring-playbook-bot-draupnir.md) — a moderation tool/bot, forked from Mjolnir and maintained by its former leader developer"
 msgstr ""

 #: ../../../docs/configuring-playbook.md:209
-msgid "Administration"
+msgid "[Setting up Draupnir for all/D4A](configuring-playbook-appservice-draupnir-for-all.md) — like the [Draupnir bot](configuring-playbook-bot-draupnir.md) mentioned above, but running in appservice mode and supporting multiple instances"
 msgstr ""

 #: ../../../docs/configuring-playbook.md:211
-msgid "Services that help you in administrating and monitoring your Matrix installation."
+msgid "[Setting up Buscarron](configuring-playbook-bot-buscarron.md) — a bot you can use to send any form (HTTP POST, HTML) to a (encrypted) Matrix room"
 msgstr ""

 #: ../../../docs/configuring-playbook.md:213
-msgid "[Setting up Prometheus Alertmanager integration via matrix-alertmanager-receiver](configuring-playbook-alertmanager-receiver.md)"
+msgid "Administration"
 msgstr ""

 #: ../../../docs/configuring-playbook.md:215
-msgid "[Enabling metrics and graphs (Prometheus, Grafana) for your Matrix server](configuring-playbook-prometheus-grafana.md)"
+msgid "Services that help you in administrating and monitoring your Matrix installation."
 msgstr ""

 #: ../../../docs/configuring-playbook.md:217
-msgid "[Setting up the rageshake bug report server](configuring-playbook-rageshake.md)"
+msgid "[Setting up Prometheus Alertmanager integration via matrix-alertmanager-receiver](configuring-playbook-alertmanager-receiver.md)"
 msgstr ""

 #: ../../../docs/configuring-playbook.md:219
-msgid "[Enabling synapse-usage-exporter for Synapse usage statistics](configuring-playbook-synapse-usage-exporter.md)"
+msgid "[Enabling metrics and graphs (Prometheus, Grafana) for your Matrix server](configuring-playbook-prometheus-grafana.md)"
 msgstr ""

 #: ../../../docs/configuring-playbook.md:221
+msgid "[Setting up the rageshake bug report server](configuring-playbook-rageshake.md)"
+msgstr ""
+
+#: ../../../docs/configuring-playbook.md:223
+msgid "[Enabling synapse-usage-exporter for Synapse usage statistics](configuring-playbook-synapse-usage-exporter.md)"
+msgstr ""
+
+#: ../../../docs/configuring-playbook.md:225
 msgid "Backups:"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:222
+#: ../../../docs/configuring-playbook.md:226
 msgid "[Setting up BorgBackup](configuring-playbook-backup-borg.md) — a full Matrix server backup solution, including the Postgres database"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:224
+#: ../../../docs/configuring-playbook.md:228
 msgid "[Setting up Postgres backup](configuring-playbook-postgres-backup.md) — a Postgres-database backup solution (note: does not include other files)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:226
+#: ../../../docs/configuring-playbook.md:230
 msgid "Other specialized services"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:228
+#: ../../../docs/configuring-playbook.md:232
 msgid "Various services that don't fit any other categories."
 msgstr ""

-#: ../../../docs/configuring-playbook.md:230
+#: ../../../docs/configuring-playbook.md:234
 msgid "[Setting up Element Call](configuring-playbook-element-call.md) — a native Matrix video conferencing application, built on top of the [Matrix RTC stack](configuring-playbook-matrix-rtc.md) (optional)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:232
+#: ../../../docs/configuring-playbook.md:236
 msgid "[Setting up LiveKit JWT Service](configuring-playbook-livekit-jwt-service.md) - a component of the [Matrix RTC stack](configuring-playbook-matrix-rtc.md) (optional)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:234
+#: ../../../docs/configuring-playbook.md:238
 msgid "[Setting up LiveKit Server](configuring-playbook-livekit-server.md) - a component of the [Matrix RTC stack](configuring-playbook-matrix-rtc.md) (optional)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:236
+#: ../../../docs/configuring-playbook.md:240
 msgid "[Setting up Matrix RTC](configuring-playbook-matrix-rtc.md) (optional)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:238
+#: ../../../docs/configuring-playbook.md:242
 msgid "[Setting up synapse-auto-compressor](configuring-playbook-synapse-auto-compressor.md) for compressing the database on Synapse homeservers"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:240
+#: ../../../docs/configuring-playbook.md:244
 msgid "[Setting up Matrix Corporal](configuring-playbook-matrix-corporal.md) (advanced)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:242
+#: ../../../docs/configuring-playbook.md:246
 msgid "[Setting up Matrix.to](configuring-playbook-matrixto.md)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:244
+#: ../../../docs/configuring-playbook.md:248
 msgid "[Setting up Etherpad](configuring-playbook-etherpad.md)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:246
+#: ../../../docs/configuring-playbook.md:250
 msgid "[Setting up the Jitsi video-conferencing platform](configuring-playbook-jitsi.md)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:248
+#: ../../../docs/configuring-playbook.md:252
 msgid "[Setting up Cactus Comments](configuring-playbook-cactus-comments.md) — a federated comment system built on Matrix"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:250
+#: ../../../docs/configuring-playbook.md:254
 msgid "[Setting up Pantalaimon (E2EE aware proxy daemon)](configuring-playbook-pantalaimon.md) (advanced)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:252
+#: ../../../docs/configuring-playbook.md:256
 msgid "[Setting up the Sygnal push gateway](configuring-playbook-sygnal.md)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:254
+#: ../../../docs/configuring-playbook.md:258
 msgid "[Setting up the ntfy push notifications server](configuring-playbook-ntfy.md)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:256
+#: ../../../docs/configuring-playbook.md:260
 msgid "Deprecated / unmaintained / removed services"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:258
+#: ../../../docs/configuring-playbook.md:262
 msgid "**Note**: since a deprecated or unmaintained service will not be updated, its bug or vulnerability will be unlikely to get patched. It is recommended to migrate from the service to an alternative if any, and make sure to do your own research before you decide to keep it running nonetheless."
 msgstr ""

-#: ../../../docs/configuring-playbook.md:260
+#: ../../../docs/configuring-playbook.md:264
 msgid "[Configuring conduwuit](configuring-playbook-conduwuit.md) (removed; this component has been abandoned and unmaintained)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:262
+#: ../../../docs/configuring-playbook.md:266
 msgid "[Setting up the Sliding Sync proxy](configuring-playbook-sliding-sync-proxy.md) for clients which require Sliding Sync support (like old Element X versions, before it got switched to Simplified Sliding Sync)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:264
+#: ../../../docs/configuring-playbook.md:268
 msgid "[Setting up Appservice Slack bridging](configuring-playbook-bridge-appservice-slack.md) (removed; this component has been discontinued)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:266
+#: ../../../docs/configuring-playbook.md:270
 msgid "[Setting up Appservice Webhooks bridging](configuring-playbook-bridge-appservice-webhooks.md) (deprecated; the bridge's author suggests taking a look at [matrix-hookshot](https://github.com/matrix-org/matrix-hookshot) as a replacement, which can also be [installed using this playbook](configuring-playbook-bridge-hookshot.md))"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:268
+#: ../../../docs/configuring-playbook.md:272
 msgid "[Setting up the Dimension integration manager](configuring-playbook-dimension.md) ([unmaintained](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2806#issuecomment-1673559299); after [installing](installing.md))"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:270
+#: ../../../docs/configuring-playbook.md:274
 msgid "[Setting up Email2Matrix](configuring-playbook-email2matrix.md) (removed; the author suggests taking a look at [Postmoogle](https://github.com/etkecc/postmoogle) as a replacement, which can also be [installed using this playbook](configuring-playbook-bridge-postmoogle.md))"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:272
+#: ../../../docs/configuring-playbook.md:276
 msgid "[Setting up Go-NEB](configuring-playbook-bot-go-neb.md) (unmaintained; the bridge's author suggests taking a look at [matrix-hookshot](https://github.com/matrix-org/matrix-hookshot) as a replacement, which can also be [installed using this playbook](configuring-playbook-bridge-hookshot.md))"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:274
+#: ../../../docs/configuring-playbook.md:278
 msgid "[Setting up Go Skype Bridge bridging](configuring-playbook-bridge-go-skype-bridge.md) (removed; Skype has been discontinued since May 2025)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:276
+#: ../../../docs/configuring-playbook.md:280
 msgid "[Setting up ma1sd Identity Server](configuring-playbook-ma1sd.md) (removed; this component has been unmaintained for a long time, so it has been removed from the playbook.)"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:278
+#: ../../../docs/configuring-playbook.md:282
 msgid "[Setting up matrix-bot-chatgpt](configuring-playbook-bot-chatgpt.md) (unmaintained; the bridge's author suggests taking a look at [baibot](https://github.com/etkecc/baibot) as a replacement, which can also be [installed using this playbook](configuring-playbook-bot-baibot.md))"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:280
+#: ../../../docs/configuring-playbook.md:284
 msgid "[Setting up Mautrix Facebook bridging](configuring-playbook-bridge-mautrix-facebook.md) (deprecated in favor of the Messenger/Instagram bridge with [mautrix-meta-messenger](configuring-playbook-bridge-mautrix-meta-messenger.md))"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:282
+#: ../../../docs/configuring-playbook.md:286
 msgid "[Setting up Mautrix Instagram bridging](configuring-playbook-bridge-mautrix-instagram.md) (deprecated in favor of the Messenger/Instagram bridge with [mautrix-meta-instagram](configuring-playbook-bridge-mautrix-meta-instagram.md))"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:284
+#: ../../../docs/configuring-playbook.md:288
 msgid "[Setting up MX Puppet Discord bridging](configuring-playbook-bridge-mx-puppet-discord.md) (removed; this component has been unmaintained for a long time, so it has been removed from the playbook. Consider [setting up Mautrix Discord bridging](configuring-playbook-bridge-mautrix-discord.md))"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:286
+#: ../../../docs/configuring-playbook.md:290
 msgid "[Setting up MX Puppet Instagram bridging](configuring-playbook-bridge-mx-puppet-instagram.md) (removed; this component has been unmaintained for a long time, so it has been removed from the playbook. Consider [setting up Instagram bridging via Mautrix Meta](configuring-playbook-bridge-mautrix-meta-instagram.md))"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:288
+#: ../../../docs/configuring-playbook.md:292
 msgid "[Setting up MX Puppet Skype bridging](configuring-playbook-bridge-mx-puppet-skype.md) (removed; this component has been broken for a long time, so it has been removed from the playbook. Consider [setting up Go Skype Bridge bridging](configuring-playbook-bridge-go-skype-bridge.md))"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:290
+#: ../../../docs/configuring-playbook.md:294
 msgid "[Setting up MX Puppet Slack bridging](configuring-playbook-bridge-mx-puppet-slack.md) (removed; this component has been unmaintained for a long time, so it has been removed from the playbook. Consider [setting up Mautrix Slack bridging](configuring-playbook-bridge-mautrix-slack.md))"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:292
+#: ../../../docs/configuring-playbook.md:296
 msgid "[Setting up MX Puppet Twitter bridging](configuring-playbook-bridge-mx-puppet-twitter.md) (removed; this component has been unmaintained for a long time, so it has been removed from the playbook. Consider [setting up Mautrix Twitter bridging](configuring-playbook-bridge-mautrix-twitter.md))"
 msgstr ""

-#: ../../../docs/configuring-playbook.md:294
+#: ../../../docs/configuring-playbook.md:298
 msgid "[Setting up Synapse Auto Invite Accept](configuring-playbook-synapse-auto-accept-invite.md) (removed; since Synapse [v1.109.0](https://github.com/element-hq/synapse/releases/tag/v1.109.0) the same feature is available natively.)"
 msgstr ""
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-04-03 11:56+0100\n"
+"POT-Creation-Date: 2026-05-07 11:16+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -92,6 +92,18 @@ msgstr ""
 msgid "Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. continuwuity is a continuation of conduwuit."
 msgstr ""

+#: ../../../docs/container-images.md:0
+msgid "[Tuwunel](configuring-playbook-tuwunel.md)"
+msgstr ""
+
+#: ../../../docs/container-images.md:0
+msgid "[matrix-construct/tuwunel](https://ghcr.io/matrix-construct/tuwunel)"
+msgstr ""
+
+#: ../../../docs/container-images.md:0
+msgid "Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Tuwunel is the official successor to conduwuit."
+msgstr ""
+
 #: ../../../docs/container-images.md:0
 msgid "[Dendrite](configuring-playbook-dendrite.md)"
 msgstr ""
@@ -104,11 +116,11 @@ msgstr ""
 msgid "Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Dendrite is a second-generation Matrix homeserver written in Go, an alternative to Synapse."
 msgstr ""

-#: ../../../docs/container-images.md:33
+#: ../../../docs/container-images.md:34
 msgid "Clients"
 msgstr ""

-#: ../../../docs/container-images.md:35
+#: ../../../docs/container-images.md:36
 msgid "Web clients for Matrix that you can host on your own domains."
 msgstr ""

@@ -168,11 +180,11 @@ msgstr ""
 msgid "Based on Element Web, with a more traditional instant messaging experience"
 msgstr ""

-#: ../../../docs/container-images.md:45
+#: ../../../docs/container-images.md:46
 msgid "Server Components"
 msgstr ""

-#: ../../../docs/container-images.md:47
+#: ../../../docs/container-images.md:48
 msgid "Services that run on the server to make the various parts of your installation work."
 msgstr ""

@@ -272,11 +284,11 @@ msgstr ""
 msgid "JWT service for integrating [Element Call](./configuring-playbook-element-call.md) with [LiveKit Server](./configuring-playbook-livekit-server.md)"
 msgstr ""

-#: ../../../docs/container-images.md:60
+#: ../../../docs/container-images.md:61
 msgid "Authentication"
 msgstr ""

-#: ../../../docs/container-images.md:62
+#: ../../../docs/container-images.md:63
 msgid "Extend and modify how users are authenticated on your homeserver."
 msgstr ""

@@ -352,11 +364,11 @@ msgstr ""
 msgid "Spam checker module"
 msgstr ""

-#: ../../../docs/container-images.md:74
+#: ../../../docs/container-images.md:75
 msgid "File Storage"
 msgstr ""

-#: ../../../docs/container-images.md:76
+#: ../../../docs/container-images.md:77
 msgid "Use alternative file storage to the default `media_store` folder."
 msgstr ""

@@ -388,11 +400,11 @@ msgstr ""
 msgid "Highly customizable multi-domain media repository for Matrix. Intended for medium to large deployments, this media repo de-duplicates media while being fully compliant with the specification."
 msgstr ""

-#: ../../../docs/container-images.md:84
+#: ../../../docs/container-images.md:85
 msgid "Bridges"
 msgstr ""

-#: ../../../docs/container-images.md:86
+#: ../../../docs/container-images.md:87
 msgid "Bridges can be used to connect your Matrix installation with third-party communication networks."
 msgstr ""

@@ -672,11 +684,11 @@ msgstr ""
 msgid "Email to Matrix bridge"
 msgstr ""

-#: ../../../docs/container-images.md:114
+#: ../../../docs/container-images.md:115
 msgid "Bots"
 msgstr ""

-#: ../../../docs/container-images.md:116
+#: ../../../docs/container-images.md:117
 msgid "Bots provide various additional functionality to your installation."
 msgstr ""

@@ -776,11 +788,11 @@ msgstr ""
 msgid "Web forms (HTTP POST) to Matrix"
 msgstr ""

-#: ../../../docs/container-images.md:129
+#: ../../../docs/container-images.md:130
 msgid "Administration"
 msgstr ""

-#: ../../../docs/container-images.md:131
+#: ../../../docs/container-images.md:132
 msgid "Services that help you in administrating and monitoring your Matrix installation."
 msgstr ""

@@ -809,7 +821,7 @@ msgid "OAuth 2.0 and OpenID Provider server"
 msgstr ""

 #: ../../../docs/container-images.md:0
-msgid "[ketesa](configuring-playbook-ketesa.md)"
+msgid "[Ketesa](configuring-playbook-ketesa.md)"
 msgstr ""

 #: ../../../docs/container-images.md:0
@@ -900,11 +912,11 @@ msgstr ""
 msgid "Export the usage statistics of a Synapse homeserver to be scraped by Prometheus."
 msgstr ""

-#: ../../../docs/container-images.md:147
+#: ../../../docs/container-images.md:148
 msgid "Misc"
 msgstr ""

-#: ../../../docs/container-images.md:149
+#: ../../../docs/container-images.md:150
 msgid "Various services that don't fit any other categories."
 msgstr ""

@@ -1044,11 +1056,11 @@ msgstr ""
 msgid "A native Matrix video conferencing application"
 msgstr ""

-#: ../../../docs/container-images.md:167
+#: ../../../docs/container-images.md:168
 msgid "Container images of deprecated / unmaintained services"
 msgstr ""

-#: ../../../docs/container-images.md:169
+#: ../../../docs/container-images.md:170
 msgid "The list of the deprecated or unmaintained services is available [here](configuring-playbook.md#deprecated--unmaintained--removed-services)."
 msgstr ""

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-13 10:32+0000\n"
+"POT-Creation-Date: 2026-04-15 09:10+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -573,254 +573,266 @@ msgid "How do I optimize this setup for a low-power server?"
 msgstr ""

 #: ../../../docs/faq.md:308
+msgid "For a low-power server, it's best to use an alternative homeserver implementation (other than [Synapse](configuring-playbook-synapse.md))."
+msgstr ""
+
+#: ../../../docs/faq.md:310
 msgid "You can disable some not-so-important services to save on memory."
 msgstr ""

-#: ../../../docs/faq.md:327
-msgid "You can also consider implementing a restriction on room complexity, in order to prevent users from joining very heavy rooms:"
-msgstr ""
-
-#: ../../../docs/faq.md:337
+#: ../../../docs/faq.md:317
 msgid "If you've installed [Jitsi](configuring-playbook-jitsi.md) (not installed by default), there are additional optimizations listed on its documentation page that you can perform."
 msgstr ""

-#: ../../../docs/faq.md:339
+#: ../../../docs/faq.md:320
+msgid "Synapse-specific optimizations"
+msgstr ""
+
+#: ../../../docs/faq.md:322
+msgid "If you're using [Synapse](configuring-playbook-synapse.md), you can also consider the following optimizations:"
+msgstr ""
+
+#: ../../../docs/faq.md:332
+msgid "You can also consider [implementing a restriction on room complexity](configuring-playbook-synapse.md#limit-joining-heavy-rooms-on-constrained-hosts), in order to prevent users from joining very heavy rooms:"
+msgstr ""
+
+#: ../../../docs/faq.md:340
 msgid "I already have Docker on my server. Can you stop installing Docker via the playbook?"
 msgstr ""

-#: ../../../docs/faq.md:341
+#: ../../../docs/faq.md:342
 msgid "Yes, we can stop installing Docker ourselves. Just use this in your `vars.yml` file:"
 msgstr ""

-#: ../../../docs/faq.md:347
+#: ../../../docs/faq.md:348
 msgid "I run another webserver on the same server where I wish to install Matrix. What now?"
 msgstr ""

-#: ../../../docs/faq.md:349
+#: ../../../docs/faq.md:350
 msgid "By default, we install a webserver for you ([Traefik](https://doc.traefik.io/traefik/)), but you can also use [your own webserver](configuring-playbook-own-webserver.md)."
 msgstr ""

-#: ../../../docs/faq.md:351
+#: ../../../docs/faq.md:352
 msgid "How is the effective configuration determined?"
 msgstr ""

-#: ../../../docs/faq.md:353
+#: ../../../docs/faq.md:354
 msgid "Configuration variables are defined in multiple places in this playbook and are considered in this order:"
 msgstr ""

-#: ../../../docs/faq.md:355
+#: ../../../docs/faq.md:356
 msgid "there are defaults coming from each role's defaults file (`role/matrix*/defaults/main.yml`). These variable values aim to be good defaults for when the role is used standalone (outside of this collection of roles, also called playbook)."
 msgstr ""

-#: ../../../docs/faq.md:357
+#: ../../../docs/faq.md:358
 msgid "then, there are overrides in `group_vars/matrix_servers`, which aim to adjust these \"standalone role defaults\" to something which better fits the playbook in its entirety."
 msgstr ""

-#: ../../../docs/faq.md:359
+#: ../../../docs/faq.md:360
 msgid "finally, there's your `inventory/host_vars/matrix.example.com/vars.yml` file, which is the ultimate override"
 msgstr ""

-#: ../../../docs/faq.md:361
+#: ../../../docs/faq.md:362
 msgid "What configuration variables are available?"
 msgstr ""

-#: ../../../docs/faq.md:363
+#: ../../../docs/faq.md:364
 msgid "You can discover the variables you can override in each role (`roles/*/*/defaults/main.yml`)."
 msgstr ""

-#: ../../../docs/faq.md:365
+#: ../../../docs/faq.md:366
 msgid "As described in [How is the effective configuration determined?](#how-is-the-effective-configuration-determined), these role-defaults may be overridden by values defined in `group_vars/matrix_servers`."
 msgstr ""

-#: ../../../docs/faq.md:367
+#: ../../../docs/faq.md:368
 msgid "Refer to both of these for inspiration. Still, as mentioned in [Configuring the playbook](configuring-playbook.md), you're only ever supposed to edit your own `inventory/host_vars/matrix.example.com/vars.yml` file and nothing else inside the playbook (unless you're meaning to contribute new features)."
 msgstr ""

-#: ../../../docs/faq.md:369
-#: ../../../docs/faq.md:381
+#: ../../../docs/faq.md:370
+#: ../../../docs/faq.md:382
 msgid "**Note**: some of the roles (`roles/galaxy/*`) live in separate repositories and are only installed after your run `just roles` (or `make roles`) or `just update` (which automatically does `git pull` and `just roles`)."
 msgstr ""

-#: ../../../docs/faq.md:371
+#: ../../../docs/faq.md:372
 msgid "I'd like to adjust some configuration which doesn't have a corresponding variable. How do I do it?"
 msgstr ""

-#: ../../../docs/faq.md:373
+#: ../../../docs/faq.md:374
 msgid "The playbook doesn't aim to expose all configuration settings for all services using variables. Doing so would amount to hundreds of variables that we have to create and maintain."
 msgstr ""

-#: ../../../docs/faq.md:375
+#: ../../../docs/faq.md:376
 msgid "Instead, we only try to make some important basics configurable using dedicated variables you can see in each role. See [What configuration variables are available?](#what-configuration-variables-are-available)."
 msgstr ""

-#: ../../../docs/faq.md:377
+#: ../../../docs/faq.md:378
 msgid "Besides that, each role (component) aims to provide a `matrix_SOME_COMPONENT_configuration_extension_yaml` (or `matrix_SOME_COMPONENT_configuration_extension_json`) variable, which can be used to override the configuration."
 msgstr ""

-#: ../../../docs/faq.md:379
+#: ../../../docs/faq.md:380
 msgid "Check each role's `roles/*/*/defaults/main.yml` for the corresponding variable and an example for how use it."
 msgstr ""

-#: ../../../docs/faq.md:383
+#: ../../../docs/faq.md:384
 msgid "Installation"
 msgstr ""

-#: ../../../docs/faq.md:385
+#: ../../../docs/faq.md:386
 msgid "How do I run the installation?"
 msgstr ""

-#: ../../../docs/faq.md:387
+#: ../../../docs/faq.md:388
 msgid "See [Installing](installing.md) to learn how to use Ansible to install Matrix services."
 msgstr ""

-#: ../../../docs/faq.md:389
+#: ../../../docs/faq.md:390
 msgid "However, we recommend you to follow our installation guide, instead of jumping straight to installing."
 msgstr ""

-#: ../../../docs/faq.md:391
+#: ../../../docs/faq.md:392
 msgid "There are two guides available:"
 msgstr ""

-#: ../../../docs/faq.md:393
+#: ../../../docs/faq.md:394
 msgid "⚡ **[Quick start](quick-start.md)** (for beginners): this is recommended for those who do not have an existing Matrix server and want to start quickly with \"opinionated defaults\"."
 msgstr ""

-#: ../../../docs/faq.md:395
+#: ../../../docs/faq.md:396
 msgid "**Full installation guide (for advanced users)**: if you need to import an existing Matrix server's data into the new server or want to learn more while setting up the server, follow this guide by starting with the **[Prerequisites](prerequisites.md)** documentation page."
 msgstr ""

-#: ../../../docs/faq.md:397
+#: ../../../docs/faq.md:398
 msgid "I installed Synapse some other way. Can I migrate such a setup to the playbook?"
 msgstr ""

-#: ../../../docs/faq.md:399
+#: ../../../docs/faq.md:400
 msgid "Yes, you can."
 msgstr ""

-#: ../../../docs/faq.md:401
+#: ../../../docs/faq.md:402
 msgid "You generally need to do a playbook installation. It's recommended to follow the full installation guide (starting at the [Prerequisites](prerequisites.md) page), not the [Quick start](quick-start.md) guide. The full installation guide will tell you when it's time to import your existing data into the newly-prepared server."
 msgstr ""

-#: ../../../docs/faq.md:403
+#: ../../../docs/faq.md:404
 msgid "This Ansible playbook guides you into installing a server for `example.com` (user IDs are like this: `@alice:example.com`), while the server is at `matrix.example.com`. If your existing setup has a server name (`server_name` configuration setting in Synapse's `homeserver.yaml` file) other than the base `example.com`, you may need to tweak some additional variables. This FAQ entry may be of use if you're dealing with a more complicated setup — [How do I install on matrix.example.com without involving the base domain?](#how-do-i-install-on-matrixexamplecom-without-involving-the-base-domain)"
 msgstr ""

-#: ../../../docs/faq.md:405
+#: ../../../docs/faq.md:406
 msgid "After configuring the playbook and installing and **before starting** services (done with `ansible-playbook … --tags=start`) you'd import [your SQLite](importing-synapse-sqlite.md) (or [Postgres](importing-postgres.md)) database and also [import your media store](importing-synapse-media-store.md)."
 msgstr ""

-#: ../../../docs/faq.md:407
+#: ../../../docs/faq.md:408
 msgid "I've downloaded Ansible and the playbook on the server. It can't connect using SSH."
 msgstr ""

-#: ../../../docs/faq.md:409
+#: ../../../docs/faq.md:410
 msgid "If you're using the playbook directly on the server, then Ansible doesn't need to connect using SSH."
 msgstr ""

-#: ../../../docs/faq.md:411
+#: ../../../docs/faq.md:412
 msgid "It can perform a local connection instead. Just set `ansible_connection=local` at the end of the server line in `inventory/hosts` and re-run the playbook."
 msgstr ""

-#: ../../../docs/faq.md:413
+#: ../../../docs/faq.md:414
 msgid "If you're running Ansible from within a container (one of the possibilities we list on our [dedicated Ansible documentation page](ansible.md)), then using `ansible_connection=local` is not possible."
 msgstr ""

-#: ../../../docs/faq.md:415
+#: ../../../docs/faq.md:416
 msgid "Maintenance and Troubleshooting"
 msgstr ""

-#: ../../../docs/faq.md:417
+#: ../../../docs/faq.md:418
 msgid "💡 Also see this page for generic information about maintaining the services and troubleshooting: [Maintenance and Troubleshooting](maintenance-and-troubleshooting.md)"
 msgstr ""

-#: ../../../docs/faq.md:419
+#: ../../../docs/faq.md:420
 msgid "Do I need to do anything to keep my Matrix server updated?"
 msgstr ""

-#: ../../../docs/faq.md:421
+#: ../../../docs/faq.md:422
 msgid "Yes. We don't update anything for you automatically."
 msgstr ""

-#: ../../../docs/faq.md:423
+#: ../../../docs/faq.md:424
 msgid "See our [documentation page about upgrading services](maintenance-upgrading-services.md)."
 msgstr ""

-#: ../../../docs/faq.md:425
+#: ../../../docs/faq.md:426
 msgid "How do I move my existing installation to another (VM) server?"
 msgstr ""

-#: ../../../docs/faq.md:427
+#: ../../../docs/faq.md:428
 msgid "If you have an existing installation done using this Ansible playbook, you can easily migrate that to another server following [our dedicated server migration guide](maintenance-migrating.md)."
 msgstr ""

-#: ../../../docs/faq.md:429
+#: ../../../docs/faq.md:430
 msgid "If your previous installation is done in some other way (not using this Ansible playbook), see [I installed Synapse some other way. Can I migrate such a setup to the playbook?](#i-installed-synapse-some-other-way-can-i-migrate-such-a-setup-to-the-playbook)."
 msgstr ""

-#: ../../../docs/faq.md:431
+#: ../../../docs/faq.md:432
 msgid "What is this `/matrix/postgres/data-auto-upgrade-backup` directory that is taking up so much space?"
 msgstr ""

-#: ../../../docs/faq.md:433
+#: ../../../docs/faq.md:434
 msgid "When you [perform a major Postgres upgrade](maintenance-postgres.md#upgrading-postgresql), we save the the old data files in `/matrix/postgres/data-auto-upgrade-backup`, just so you could easily restore them should something have gone wrong."
 msgstr ""

-#: ../../../docs/faq.md:435
+#: ../../../docs/faq.md:436
 msgid "After verifying that everything still works after the Postgres upgrade, you can safely delete `/matrix/postgres/data-auto-upgrade-backup`"
 msgstr ""

-#: ../../../docs/faq.md:437
+#: ../../../docs/faq.md:438
 msgid "I get \"Error response from daemon: configured logging driver does not support reading\" when I run `docker logs matrix-synapse`. Why?"
 msgstr ""

-#: ../../../docs/faq.md:439
+#: ../../../docs/faq.md:440
 msgid "To prevent double-logging, Docker logging is disabled by explicitly passing `--log-driver=none` to all containers. Due to this, you cannot view logs using `docker logs matrix-*`."
 msgstr ""

-#: ../../../docs/faq.md:441
+#: ../../../docs/faq.md:442
 msgid "See [this section](maintenance-and-troubleshooting.md#how-to-see-the-logs) on the page for maintenance and troubleshooting for more details to see the logs."
 msgstr ""

-#: ../../../docs/faq.md:443
+#: ../../../docs/faq.md:444
 msgid "The server fails to start due to the `Unable to start service matrix-coturn.service` error. Why and how to solve it?"
 msgstr ""

-#: ../../../docs/faq.md:445
+#: ../../../docs/faq.md:446
 msgid "The error is most likely because Traefik cannot obtain SSL certificates due to certain reasons such as wrong domain name configuration or port 80 being unavailable due to other services."
 msgstr ""

-#: ../../../docs/faq.md:447
+#: ../../../docs/faq.md:448
 msgid "If Traefik fails to obtain an SSL certificate for domain names such as `matrix.`, Traefik Certs Dumper cannot extract the SSL certificate out of there, and coturn cannot be started and the error occurs. Refer to these comments for details:"
 msgstr ""

-#: ../../../docs/faq.md:449
+#: ../../../docs/faq.md:450
 msgid "<https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/3957#issuecomment-2599590441>"
 msgstr ""

-#: ../../../docs/faq.md:450
+#: ../../../docs/faq.md:451
 msgid "<https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/4570#issuecomment-3364111466>"
 msgstr ""

-#: ../../../docs/faq.md:452
+#: ../../../docs/faq.md:453
 msgid "If you are not sure what the problem is, at first make sure that you have set the \"base domain\" (`example.com`, **not `matrix.example.com`**) to `matrix_domain`. You should be able to find it at the top of your `vars.yml`."
 msgstr ""

-#: ../../../docs/faq.md:454
+#: ../../../docs/faq.md:455
 msgid "If it is correctly specified, look Traefik's logs (`journalctl -fu matrix-traefik.service`) for errors by Let's Encrypt for troubleshooting."
 msgstr ""

-#: ../../../docs/faq.md:456
+#: ../../../docs/faq.md:457
 msgid "Miscellaneous"
 msgstr ""

-#: ../../../docs/faq.md:458
+#: ../../../docs/faq.md:459
 msgid "I would like to see this favorite service of mine integrated and become available on my Matrix server. How can I request it?"
 msgstr ""

-#: ../../../docs/faq.md:460
+#: ../../../docs/faq.md:461
 msgid "You can freely create an issue for feature request on the repository at GitHub [here](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/new/choose). Note this is a community project with no financial backing, and there is not assurance that your request would be eventually picked up by others and the requested feature would become available. The easiest way to get a feature into this project is to just develop it yourself."
 msgstr ""

-#: ../../../docs/faq.md:462
+#: ../../../docs/faq.md:463
 msgid "Also, please note that this playbook intends to focus solely on Matrix and Matrix-related services. If your request is not specific to Matrix, you may as well to consider to submit it to the [mash-playbook](https://github.com/mother-of-all-self-hosting/mash-playbook), maintained by the members behind this matrix-docker-ansible-deploy project. [This document on the interoperability](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/interoperability.md) describes how to deploy services along with the Matrix services easily."
 msgstr ""
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-13 10:32+0000\n"
+"POT-Creation-Date: 2026-05-07 11:16+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -57,7 +57,7 @@ msgid "**Note**: the changes below instruct you how to do this for a basic Synap
 msgstr ""

 #: ../../../docs/howto-srv-server-delegation.md:29
-msgid "if you're using another homeserver implementation (e.g. [Conduit](./configuring-playbook-conduit.md), [continuwuity](./configuring-playbook-continuwuity.md) or [Dendrite](./configuring-playbook-dendrite.md))"
+msgid "if you're using another homeserver implementation (e.g. [Conduit](./configuring-playbook-conduit.md), [continuwuity](./configuring-playbook-continuwuity.md), [Tuwunel](./configuring-playbook-tuwunel.md) or [Dendrite](./configuring-playbook-dendrite.md))"
 msgstr ""

 #: ../../../docs/howto-srv-server-delegation.md:30
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-13 10:32+0000\n"
+"POT-Creation-Date: 2026-05-07 11:16+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -49,7 +49,7 @@ msgid "or: a combination of `git pull` and `just roles` (or `make roles` if you
 msgstr ""

 #: ../../../docs/installing.md:30
-msgid "If you don't have either `just` tool or `make` program, you can run the `ansible-galaxy` tool directly: `rm -rf roles/galaxy; ansible-galaxy install -r requirements.yml -p roles/galaxy/ --force`"
+msgid "If you don't have either `just` tool or `make` program, you can run the `ansible-galaxy` tool directly after updating the playbook: `git pull; rm -rf roles/galaxy; ansible-galaxy install -r requirements.yml -p roles/galaxy/ --force`"
 msgstr ""

 #: ../../../docs/installing.md:32
@@ -249,61 +249,61 @@ msgid "or join some Matrix rooms:"
 msgstr ""

 #: ../../../docs/installing.md:148
-msgid "via the *Explore rooms* feature in Element Web or some other clients, or by discovering them using this [matrix-static list](https://view.matrix.org). **Note**: joining large rooms may overload small servers."
-msgstr ""
-
-#: ../../../docs/installing.md:149
-msgid "or come say Hi in our support room — [#matrix-docker-ansible-deploy:devture.com](https://matrix.to/#/#matrix-docker-ansible-deploy:devture.com). You might learn something or get to help someone else new to Matrix hosting."
+msgid "via the *Explore rooms* feature in Element Web or some other clients, or by discovering them using this [matrix-static list](https://view.matrix.org). **Note**: joining large rooms may overload small servers. For tuning guidance on constrained hosts, see [Limit joining heavy rooms on constrained hosts](configuring-playbook-synapse.md#limit-joining-heavy-rooms-on-constrained-hosts)."
 msgstr ""

 #: ../../../docs/installing.md:150
+msgid "or come say Hi in our support room — [#matrix-docker-ansible-deploy:devture.com](https://matrix.to/#/#matrix-docker-ansible-deploy:devture.com). You might learn something or get to help someone else new to Matrix hosting."
+msgstr ""
+
+#: ../../../docs/installing.md:151
 msgid "or help make this playbook better by contributing (code, documentation, or [coffee/beer](https://liberapay.com/s.pantaleev/donate))"
 msgstr ""

-#: ../../../docs/installing.md:152
+#: ../../../docs/installing.md:153
 msgid "⚠️ Keep the playbook and services up-to-date"
 msgstr ""

-#: ../../../docs/installing.md:154
+#: ../../../docs/installing.md:155
 msgid "While this playbook helps you to set up Matrix services and maintain them, it will **not** automatically run the maintenance task for you. You will need to update the playbook and re-run it **manually**."
 msgstr ""

-#: ../../../docs/installing.md:156
+#: ../../../docs/installing.md:157
 msgid "The upstream projects, which this playbook makes use of, occasionally if not often suffer from security vulnerabilities."
 msgstr ""

-#: ../../../docs/installing.md:158
+#: ../../../docs/installing.md:159
 msgid "Since it is unsafe to keep outdated services running on the server connected to the internet, please consider to update the playbook and re-run it periodically, in order to keep the services up-to-date."
 msgstr ""

-#: ../../../docs/installing.md:160
+#: ../../../docs/installing.md:161
 msgid "Also, do not forget to update your system regularly. While this playbook may install basic services, such as Docker, it will not interfere further with system maintenance. Keeping the system itself up-to-date is out of scope for this playbook."
 msgstr ""

-#: ../../../docs/installing.md:162
+#: ../../../docs/installing.md:163
 msgid "For more information about upgrading or maintaining services with the playbook, take a look at this page: [Upgrading the Matrix services](maintenance-upgrading-services.md)"
 msgstr ""

-#: ../../../docs/installing.md:164
+#: ../../../docs/installing.md:165
 msgid "Feel free to **re-run the setup command any time** you think something is wrong with the server configuration. Ansible will take your configuration and update your server to match."
 msgstr ""

-#: ../../../docs/installing.md:170
+#: ../../../docs/installing.md:171
 msgid "**Note**: see [this page on the playbook tags](playbook-tags.md) for more information about those tags."
 msgstr ""

-#: ../../../docs/installing.md:172
+#: ../../../docs/installing.md:173
 msgid "Make full use of `just` shortcut commands"
 msgstr ""

-#: ../../../docs/installing.md:174
+#: ../../../docs/installing.md:175
 msgid "After you get familiar with reconfiguring and re-running the playbook to maintain the server, upgrade its services, etc., you probably would like to make use of `just` shortcut commands for faster input."
 msgstr ""

-#: ../../../docs/installing.md:176
+#: ../../../docs/installing.md:177
 msgid "For example, `just install-all` is useful for maintaining your setup quickly ([2x-5x faster](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) than `just setup-all`) when its components remain unchanged. If you adjust your `vars.yml` to remove other components, you'd need to run `just setup-all`, or these components will still remain installed."
 msgstr ""

-#: ../../../docs/installing.md:178
+#: ../../../docs/installing.md:179
 msgid "You can learn about the shortcut commands on this page: [Running `just` commands](just.md)"
 msgstr ""
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-13 10:32+0000\n"
+"POT-Creation-Date: 2026-04-15 09:10+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -162,17 +162,17 @@ msgid "Conditional service restart"
 msgstr ""

 #: ../../../docs/just.md:49
-msgid "When using `just install-all` or `just install-service`, only services whose configuration or container image actually changed during the playbook run will be restarted. Unchanged services are left running (or get started if they were stopped). This reduces unnecessary downtime."
+msgid "When running `install-all` or `install-service` (whether via `just` or raw `ansible-playbook`), only services whose configuration or container image actually changed during the playbook run will be restarted. Unchanged services are left running (or get started if they were stopped). This reduces unnecessary downtime."
 msgstr ""

 #: ../../../docs/just.md:51
-msgid "When using `just setup-all`, all services are unconditionally restarted regardless of whether changes were detected. This is appropriate for `setup-all`'s thorough \"full setup\" semantics."
+msgid "When running with `setup-*` tags (e.g. `setup-all`, `setup-synapse`), all services are unconditionally restarted regardless of whether changes were detected. This is appropriate for setup's thorough \"full setup\" semantics."
 msgstr ""

 #: ../../../docs/just.md:53
-msgid "`just start-all` and `just start-group` always restart all targeted services, since no installation tasks run during these commands."
+msgid "`start-all` and `start-group` always restart all targeted services, since no installation tasks run during these commands."
 msgstr ""

 #: ../../../docs/just.md:55
-msgid "This behavior is controlled by the `devture_systemd_service_manager_conditional_restart_enabled` variable (default: `true`). To force unconditional restarts during installation, pass: `just install-all --extra-vars='devture_systemd_service_manager_conditional_restart_enabled=false'`"
+msgid "This behavior is automatically determined based on the playbook tags in use. It can be overridden with the `devture_systemd_service_manager_conditional_restart_enabled` variable. For example, to force unconditional restarts during installation: `just install-all --extra-vars='devture_systemd_service_manager_conditional_restart_enabled=false'`"
 msgstr ""
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-13 10:32+0000\n"
+"POT-Creation-Date: 2026-04-15 09:10+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -145,57 +145,61 @@ msgid "Synapse's presence feature which tracks which users are online and which
 msgstr ""

 #: ../../../docs/maintenance-synapse.md:86
-msgid "If you have enough compute resources (CPU & RAM), you can make Synapse better use of them by [enabling load-balancing with workers](configuring-playbook-synapse.md#load-balancing-with-workers)."
+msgid "On smaller servers, consider limiting joins to very complex rooms with [the room complexity guard](configuring-playbook-synapse.md#limit-joining-heavy-rooms-on-constrained-hosts)."
 msgstr ""

 #: ../../../docs/maintenance-synapse.md:88
-msgid "[Tuning your PostgreSQL database](maintenance-postgres.md#tuning-postgresql) could also improve Synapse performance. The playbook tunes the integrated Postgres database automatically, but based on your needs you may wish to adjust tuning variables manually. If you're using an [external Postgres database](configuring-playbook-external-postgres.md), you will also need to tune Postgres manually."
+msgid "If you have enough compute resources (CPU & RAM), you can make Synapse better use of them by [enabling load-balancing with workers](configuring-playbook-synapse.md#load-balancing-with-workers)."
 msgstr ""

 #: ../../../docs/maintenance-synapse.md:90
-msgid "Tuning caches and cache autotuning"
+msgid "[Tuning your PostgreSQL database](maintenance-postgres.md#tuning-postgresql) could also improve Synapse performance. The playbook tunes the integrated Postgres database automatically, but based on your needs you may wish to adjust tuning variables manually. If you're using an [external Postgres database](configuring-playbook-external-postgres.md), you will also need to tune Postgres manually."
 msgstr ""

 #: ../../../docs/maintenance-synapse.md:92
-msgid "Tuning Synapse's cache factor is useful for performance increases but also as part of controlling Synapse's memory use. Use the variable `matrix_synapse_caches_global_factor` to set the cache factor as part of this process."
+msgid "Tuning caches and cache autotuning"
 msgstr ""

 #: ../../../docs/maintenance-synapse.md:94
-msgid "**The playbook defaults the global cache factor to a large value** (e.g. `10`). A smaller value (e.g. `0.5`) will decrease the amount used for caches, but will [not necessarily decrease RAM usage as a whole](https://github.com/matrix-org/synapse/issues/3939)."
+msgid "Tuning Synapse's cache factor is useful for performance increases but also as part of controlling Synapse's memory use. Use the variable `matrix_synapse_caches_global_factor` to set the cache factor as part of this process."
 msgstr ""

 #: ../../../docs/maintenance-synapse.md:96
-msgid "Tuning the cache factor is useful only to a limited degree (as its crude to do in isolation) and therefore users who are tuning their cache factor should likely look into tuning autotune variables as well (see below)."
+msgid "**The playbook defaults the global cache factor to a large value** (e.g. `10`). A smaller value (e.g. `0.5`) will decrease the amount used for caches, but will [not necessarily decrease RAM usage as a whole](https://github.com/matrix-org/synapse/issues/3939)."
 msgstr ""

 #: ../../../docs/maintenance-synapse.md:98
-msgid "Cache autotuning is **enabled by default** and controlled via the following variables:"
+msgid "Tuning the cache factor is useful only to a limited degree (as its crude to do in isolation) and therefore users who are tuning their cache factor should likely look into tuning autotune variables as well (see below)."
 msgstr ""

 #: ../../../docs/maintenance-synapse.md:100
-msgid "`matrix_synapse_cache_autotuning_max_cache_memory_usage` — defaults to 1/8 of total RAM with a cap of 2GB; values are specified in bytes"
-msgstr ""
-
-#: ../../../docs/maintenance-synapse.md:101
-msgid "`matrix_synapse_cache_autotuning_target_cache_memory_usage` — defaults to 1/16 of total RAM with a cap of 1GB; values are specified in bytes"
+msgid "Cache autotuning is **enabled by default** and controlled via the following variables:"
 msgstr ""

 #: ../../../docs/maintenance-synapse.md:102
-msgid "`matrix_synapse_cache_autotuning_min_cache_ttl` — defaults to `30s`"
+msgid "`matrix_synapse_cache_autotuning_max_cache_memory_usage` — defaults to 1/8 of total RAM with a cap of 2GB; values are specified in bytes"
+msgstr ""
+
+#: ../../../docs/maintenance-synapse.md:103
+msgid "`matrix_synapse_cache_autotuning_target_cache_memory_usage` — defaults to 1/16 of total RAM with a cap of 1GB; values are specified in bytes"
 msgstr ""

 #: ../../../docs/maintenance-synapse.md:104
-msgid "You can **learn more about cache-autotuning and the global cache factor settings** in the [Synapse's documentation on caches and associated values](https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#caches-and-associated-values)."
+msgid "`matrix_synapse_cache_autotuning_min_cache_ttl` — defaults to `30s`"
 msgstr ""

 #: ../../../docs/maintenance-synapse.md:106
+msgid "You can **learn more about cache-autotuning and the global cache factor settings** in the [Synapse's documentation on caches and associated values](https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#caches-and-associated-values)."
+msgstr ""
+
+#: ../../../docs/maintenance-synapse.md:108
 msgid "To **disable cache auto-tuning**, unset all values:"
 msgstr ""

-#: ../../../docs/maintenance-synapse.md:114
+#: ../../../docs/maintenance-synapse.md:116
 msgid "Users who wish to lower Synapse's RAM footprint should look into lowering the global cache factor and tweaking the autotune variables (or disabling auto-tuning). If your cache factor is too low for a given auto tune setting your caches will not reach autotune thresholds and autotune won't be able to do its job. Therefore, when auto-tuning is enabled (which it is by default), it's recommended to have your cache factor be large."
 msgstr ""

-#: ../../../docs/maintenance-synapse.md:116
+#: ../../../docs/maintenance-synapse.md:118
 msgid "See also [How do I optimize this setup for a low-power server?](faq.md#how-do-i-optimize-this-setup-for-a-low-power-server)."
 msgstr ""
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-13 10:32+0000\n"
+"POT-Creation-Date: 2026-05-07 11:16+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -73,7 +73,7 @@ msgid "or: a combination of `git pull` and `just roles` (or `make roles` if you
 msgstr ""

 #: ../../../docs/maintenance-upgrading-services.md:39
-msgid "If you don't have either `just` tool or `make` program, you can run the `ansible-galaxy` tool directly: `rm -rf roles/galaxy; ansible-galaxy install -r requirements.yml -p roles/galaxy/ --force`"
+msgid "If you don't have either `just` tool or `make` program, you can run the `ansible-galaxy` tool directly after updating the playbook: `git pull; rm -rf roles/galaxy; ansible-galaxy install -r requirements.yml -p roles/galaxy/ --force`"
 msgstr ""

 #: ../../../docs/maintenance-upgrading-services.md:41
@@ -81,45 +81,69 @@ msgid "**Note**: for details about `just` commands, take a look at: [Running `ju
 msgstr ""

 #: ../../../docs/maintenance-upgrading-services.md:43
-msgid "Re-run the playbook setup"
+msgid "Acknowledge breaking changes if any"
 msgstr ""

 #: ../../../docs/maintenance-upgrading-services.md:45
-msgid "After updating the Ansible roles, then re-run the [playbook setup](installing.md#maintaining-your-setup-in-the-future) and restart all services:"
+msgid "The playbook uses a migration validation system that ensures you are aware of breaking changes before they'll affect your deployment. If there is one, you are required to acknowledge each breaking change."
+msgstr ""
+
+#: ../../../docs/maintenance-upgrading-services.md:47
+msgid "Whenever a breaking change is introduced, the playbook will:"
+msgstr ""
+
+#: ../../../docs/maintenance-upgrading-services.md:49
+msgid "bump its expected version value (`matrix_playbook_migration_expected_version`), causing a discrepancy with what you validated (`matrix_playbook_migration_validated_version`)"
 msgstr ""

 #: ../../../docs/maintenance-upgrading-services.md:51
-msgid "If you remove components from `vars.yml`, or if we switch some component from being installed by default to not being installed by default anymore, you'd need to run the setup command with the `setup-all` tag as below:"
+msgid "fail when you run it with a helpful message listing what changed and linking to the relevant changelog entries"
+msgstr ""
+
+#: ../../../docs/maintenance-upgrading-services.md:53
+msgid "After reviewing and adapting your setup, update the variable to the new version."
+msgstr ""
+
+#: ../../../docs/maintenance-upgrading-services.md:55
+msgid "Re-run the playbook setup"
 msgstr ""

 #: ../../../docs/maintenance-upgrading-services.md:57
-msgid "**Notes**:"
-msgstr ""
-
-#: ../../../docs/maintenance-upgrading-services.md:59
-msgid "The `ensure-matrix-users-created` playbook tag makes the playbook automatically create the bot's user account, if any."
-msgstr ""
-
-#: ../../../docs/maintenance-upgrading-services.md:61
-msgid "Our estimation is that running `--tags=install-all,start` is approximately from **2 to 5 times faster** than running `setup-all,ensure-matrix-users-created,start`. See [this entry](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) on `CHANGELOG.md` for more information."
+msgid "After updating the Ansible roles and the variable for the validation system when necessary, re-run the [playbook setup](installing.md#maintaining-your-setup-in-the-future) and restart all services:"
 msgstr ""

 #: ../../../docs/maintenance-upgrading-services.md:63
-msgid "The shortcut commands with the [`just` program](just.md) are also available: `just install-all` or `just setup-all`. Note these shortcuts run the `ensure-matrix-users-created` tag too."
-msgstr ""
-
-#: ../../../docs/maintenance-upgrading-services.md:65
-msgid "See [this page on the playbook tags](playbook-tags.md) for more information about those tags."
-msgstr ""
-
-#: ../../../docs/maintenance-upgrading-services.md:67
-msgid "PostgreSQL major version upgrade"
+msgid "If you remove components from `vars.yml`, or if we switch some component from being installed by default to not being installed by default anymore, you'd need to run the setup command with the `setup-all` tag as below:"
 msgstr ""

 #: ../../../docs/maintenance-upgrading-services.md:69
-msgid "Major version upgrades to the internal PostgreSQL database are not done automatically. Upgrades must be performed manually."
+msgid "**Notes**:"
 msgstr ""

 #: ../../../docs/maintenance-upgrading-services.md:71
+msgid "The `ensure-matrix-users-created` playbook tag makes the playbook automatically create the bot's user account, if any."
+msgstr ""
+
+#: ../../../docs/maintenance-upgrading-services.md:73
+msgid "Our estimation is that running `--tags=install-all,start` is approximately from **2 to 5 times faster** than running `setup-all,ensure-matrix-users-created,start`. See [this entry](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) on `CHANGELOG.md` for more information."
+msgstr ""
+
+#: ../../../docs/maintenance-upgrading-services.md:75
+msgid "The shortcut commands with the [`just` program](just.md) are also available: `just install-all` or `just setup-all`. Note these shortcuts run the `ensure-matrix-users-created` tag too."
+msgstr ""
+
+#: ../../../docs/maintenance-upgrading-services.md:77
+msgid "See [this page on the playbook tags](playbook-tags.md) for more information about those tags."
+msgstr ""
+
+#: ../../../docs/maintenance-upgrading-services.md:79
+msgid "PostgreSQL major version upgrade"
+msgstr ""
+
+#: ../../../docs/maintenance-upgrading-services.md:81
+msgid "Major version upgrades to the internal PostgreSQL database are not done automatically. Upgrades must be performed manually."
+msgstr ""
+
+#: ../../../docs/maintenance-upgrading-services.md:83
 msgid "For details about upgrading it, refer to the [upgrading PostgreSQL guide](maintenance-postgres.md#upgrading-postgresql)."
 msgstr ""
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-13 10:32+0000\n"
+"POT-Creation-Date: 2026-04-15 09:10+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -125,33 +125,13 @@ msgid "`443/tcp` and `443/udp`: HTTPS webserver"
 msgstr ""

 #: ../../../docs/prerequisites.md:60
-msgid "`3478/tcp`: STUN/TURN over TCP (used by [coturn](./configuring-playbook-turn.md))"
-msgstr ""
-
-#: ../../../docs/prerequisites.md:61
-msgid "`3478/udp`: STUN/TURN over UDP (used by [coturn](./configuring-playbook-turn.md))"
-msgstr ""
-
-#: ../../../docs/prerequisites.md:62
-msgid "`5349/tcp`: TURN over TCP (used by [coturn](./configuring-playbook-turn.md))"
-msgstr ""
-
-#: ../../../docs/prerequisites.md:63
-msgid "`5349/udp`: TURN over UDP (used by [coturn](./configuring-playbook-turn.md))"
-msgstr ""
-
-#: ../../../docs/prerequisites.md:64
 msgid "`8448/tcp` and `8448/udp`: Matrix Federation API HTTPS webserver. Some components like [Matrix User Verification Service](configuring-playbook-user-verification-service.md#open-matrix-federation-port) require this port to be opened **even with federation disabled**."
 msgstr ""

-#: ../../../docs/prerequisites.md:65
-msgid "the range `49152-49172/udp`: TURN over UDP"
-msgstr ""
-
-#: ../../../docs/prerequisites.md:66
+#: ../../../docs/prerequisites.md:61
 msgid "potentially some other ports, depending on the additional (non-default) services that you enable in the **configuring the playbook** step (later on). Consult each service's documentation page in `docs/` for that."
 msgstr ""

-#: ../../../docs/prerequisites.md:70
+#: ../../../docs/prerequisites.md:65
 msgid "[▶️](configuring-dns.md) When ready to proceed, continue with [Configuring DNS](configuring-dns.md)."
 msgstr ""
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-13 10:32+0000\n"
+"POT-Creation-Date: 2026-05-07 11:16+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -289,7 +289,7 @@ msgid "or: a combination of `git pull` and `just roles` (or `make roles` if you
 msgstr ""

 #: ../../../docs/quick-start.md:122
-msgid "If you don't have either `just` tool or `make` program, you can run the `ansible-galaxy` tool directly: `rm -rf roles/galaxy; ansible-galaxy install -r requirements.yml -p roles/galaxy/ --force`"
+msgid "If you don't have either `just` tool or `make` program, you can run the `ansible-galaxy` tool directly after updating the playbook: `git pull; rm -rf roles/galaxy; ansible-galaxy install -r requirements.yml -p roles/galaxy/ --force`"
 msgstr ""

 #: ../../../docs/quick-start.md:124
@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later

 [tools]
-prek = "0.3.2"
+prek = "0.3.13"

 [settings]
 yes = true
@@ -4,20 +4,20 @@
  version: v1.0.0-6
  name: auxiliary
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-backup_borg.git
-  version: v1.4.4-2.1.4-0
+  version: v1.4.4-2.1.4-1
  name: backup_borg
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-cinny.git
-  version: v4.11.1-1
+  version: v4.11.1-2
  name: cinny
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-container-socket-proxy.git
-  version: v0.4.2-4
+  version: v0.4.2-5
  name: container_socket_proxy
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-coturn.git
-  version: v4.9.0-1
+  version: v4.9.0-2
  name: coturn
  activation_prefix: coturn_
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-ddclient.git
-  version: v4.0.0-2
+  version: v4.0.0-3
  name: ddclient
  activation_prefix: ddclient_
 - src: git+https://github.com/geerlingguy/ansible-role-docker
@@ -27,25 +27,25 @@
  version: 542a2d68db4e9a8e9bb4b508052760b900c7dce6
  name: docker_sdk_for_python
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-etherpad.git
-  version: v2.6.1-6
+  version: v2.7.2-1
  name: etherpad
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-exim-relay.git
-  version: v4.99.1-r0-2-0
+  version: v4.99.1-r0-2-1
  name: exim_relay
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-grafana.git
-  version: v11.6.5-9
+  version: v11.6.5-10
  name: grafana
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-hydrogen.git
-  version: v0.5.1-3
+  version: v0.5.1-4
  name: hydrogen
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git
-  version: v10888-0
+  version: v10888-1
  name: jitsi
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-livekit-server.git
-  version: v1.10.1-0
+  version: v1.11.0-2
  name: livekit_server
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-ntfy.git
-  version: v2.21.0-1
+  version: v2.22.0-1
  name: ntfy
 - src: git+https://github.com/devture/com.devture.ansible.role.playbook_help.git
  version: ea8c5cc750c4e23d004c9a836dfd9eda82d45ff4
@@ -57,25 +57,25 @@
  version: dd6e15246b7a9a2d921e0b3f9cd8a4a917a1bb2f
  name: playbook_state_preserver
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-postgres.git
-  version: v18.3-4
+  version: v18.3-5
  name: postgres
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-postgres-backup.git
-  version: v18-2
+  version: v18-3
  name: postgres_backup
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git
-  version: v3.11.2-0
+  version: v3.11.3-1
  name: prometheus
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-nginxlog-exporter.git
-  version: v1.10.0-2
+  version: v1.10.0-3
  name: prometheus_nginxlog_exporter
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-node-exporter.git
-  version: v1.10.2-0
+  version: v1.10.2-1
  name: prometheus_node_exporter
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git
-  version: v0.19.1-3
+  version: v0.19.1-4
  name: prometheus_postgres_exporter
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-sable.git
-  version: v1.14.0-0
+  version: v1.15.3-0
  name: sable
 - src: git+https://github.com/devture/com.devture.ansible.role.systemd_docker_base.git
  version: v1.5.0-0
@@ -87,11 +87,11 @@
  version: v1.1.0-1
  name: timesync
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik.git
-  version: v3.6.13-0
+  version: v3.7.0-0
  name: traefik
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik-certs-dumper.git
-  version: v2.10.0-5
+  version: v2.10.0-7
  name: traefik_certs_dumper
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-valkey.git
-  version: v9.0.3-3
+  version: v9.0.4-0
  name: valkey
@@ -11,7 +11,7 @@
 matrix_alertmanager_receiver_enabled: true

 # renovate: datasource=docker depName=docker.io/metio/matrix-alertmanager-receiver
-matrix_alertmanager_receiver_version: 2026.4.15
+matrix_alertmanager_receiver_version: 2026.5.6

 matrix_alertmanager_receiver_scheme: https

@@ -32,7 +32,6 @@ matrix_alertmanager_receiver_container_src_path: "{{ matrix_alertmanager_receive

 matrix_alertmanager_receiver_container_image: "{{ matrix_alertmanager_receiver_container_image_registry_prefix }}metio/matrix-alertmanager-receiver:{{ matrix_alertmanager_receiver_container_image_tag }}"
 matrix_alertmanager_receiver_container_image_tag: "{{ matrix_alertmanager_receiver_version }}"
-matrix_alertmanager_receiver_container_image_force_pull: "{{ matrix_alertmanager_receiver_container_image.endswith(':main') }}"
 matrix_alertmanager_receiver_container_image_registry_prefix: "{{ matrix_alertmanager_receiver_container_image_registry_prefix_upstream }}"
 matrix_alertmanager_receiver_container_image_registry_prefix_upstream: "{{ matrix_alertmanager_receiver_container_image_registry_prefix_upstream_default }}"
 matrix_alertmanager_receiver_container_image_registry_prefix_upstream_default: "docker.io/"
@@ -42,11 +42,9 @@
  register: matrix_alertmanager_receiver_support_files_result

 - name: Ensure matrix-alertmanager-receiver container image is pulled
-  community.docker.docker_image:
+  community.docker.docker_image_pull:
    name: "{{ matrix_alertmanager_receiver_container_image }}"
-    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
-    force_source: "{{ matrix_alertmanager_receiver_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
-    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_alertmanager_receiver_container_image_force_pull }}"
+    pull: always
  when: "not matrix_alertmanager_receiver_container_image_self_build | bool"
  register: matrix_alertmanager_receiver_container_image_pull_result
  retries: "{{ devture_playbook_help_container_retries_count }}"
@@ -24,6 +24,7 @@
  when: "lookup('ansible.builtin.varnames', ('^' + item.old + '$'), wantlist=True) | length > 0"
  with_items:
    - {'old': 'matrix_alertmanager_receiver_container_image_name_prefix', 'new': 'matrix_alertmanager_receiver_container_image_registry_prefix'}
+    - {'old': 'matrix_alertmanager_receiver_container_image_force_pull', 'new': '<removed> (the new community.docker.docker_image_pull module handles this natively)'}
    - {'old': 'matrix_alertmanager_receiver_config_templating_computed_values', 'new': '<superseded by logic in the firing or resolved template; see https://github.com/metio/matrix-alertmanager-receiver/pull/94'}
    - {'old': 'matrix_alertmanager_receiver_config_templating_computed_values_auto', 'new': '<superseded by logic in the firing or resolved template; see https://github.com/metio/matrix-alertmanager-receiver/pull/94'}
    - {'old': 'matrix_alertmanager_receiver_config_templating_computed_values_custom', 'new': '<superseded by logic in the firing or resolved template; see https://github.com/metio/matrix-alertmanager-receiver/pull/94'}
@@ -12,7 +12,7 @@
 matrix_appservice_draupnir_for_all_enabled: true

 # renovate: datasource=docker depName=depName=ghcr.io/the-draupnir-project/draupnir
-matrix_appservice_draupnir_for_all_version: "v3.0.0"
+matrix_appservice_draupnir_for_all_version: "v3.1.0"

 matrix_appservice_draupnir_for_all_container_image_self_build: false
 matrix_appservice_draupnir_for_all_container_image_self_build_repo: "https://github.com/the-draupnir-project/Draupnir.git"
@@ -22,7 +22,6 @@ matrix_appservice_draupnir_for_all_container_image_registry_prefix_upstream: "{{
 matrix_appservice_draupnir_for_all_container_image_registry_prefix_upstream_default: "ghcr.io/"
 matrix_appservice_draupnir_for_all_container_image: "{{ matrix_appservice_draupnir_for_all_container_image_registry_prefix }}{{ matrix_appservice_draupnir_for_all_container_image_registry_namespace_identifier }}:{{ matrix_appservice_draupnir_for_all_version }}"
 matrix_appservice_draupnir_for_all_container_image_registry_namespace_identifier: "the-draupnir-project/draupnir"
-matrix_appservice_draupnir_for_all_container_image_force_pull: "{{ matrix_appservice_draupnir_for_all_container_image.endswith(':latest') }}"

 matrix_appservice_draupnir_for_all_base_path: "{{ matrix_base_data_path }}/draupnir-for-all"
 matrix_appservice_draupnir_for_all_config_path: "{{ matrix_appservice_draupnir_for_all_base_path }}/config"
@@ -47,14 +46,46 @@ matrix_appservice_draupnir_for_all_systemd_required_services_list_custom: []
 # List of systemd services that matrix-bot-draupnir.service wants
 matrix_appservice_draupnir_for_all_systemd_wanted_services_list: []

+# Rolling tag: true if version doesn't match semver shape (vX.Y.Z with optional prerelease/build), false otherwise.
+matrix_appservice_draupnir_for_all_rolling_tag: "{{ not (matrix_appservice_draupnir_for_all_version is match('^v[0-9]+\\.[0-9]+\\.[0-9]+(?:-[0-9A-Za-z.-]+)?(?:\\+[0-9A-Za-z.-]+)?$')) }}"
+
+# Force restart the service on all runs only when both roles are enabled, both roles
+# are using the same version string, and that version is a classified as a moving tag.
+matrix_appservice_draupnir_for_all_force_restart: "{{
+  matrix_bot_draupnir_enabled | bool and
+  matrix_appservice_draupnir_for_all_enabled | bool and
+  matrix_bot_draupnir_version == matrix_appservice_draupnir_for_all_version and
+  matrix_appservice_draupnir_for_all_rolling_tag | bool
+}}"
+
+# This controls whether Zero Touch Deployment is enabled.
+# When enabled, the playbook validates the related settings and only renders
+# the configuration values Draupnir expects for this mode.
+# This prevents invalid manual combinations from being passed through, since
+# Draupnir requires `matrix_appservice_draupnir_for_all_config_adminRoom` to be
+# unset and `matrix_appservice_draupnir_for_all_config_initialManager` to be a
+# valid user ID.
+# Zero Touch Deployment is recommended for all new deployments.
+# Deployments that are exempt from this recommendation are assumed to be
+# advanced setups with specific needs that require the flexibility of
+# non-zero-touch-deployment mode.
+# Note that enabling this on an existing deployment will cause the bot to recreate the admin room.
+# Manual policy migration has to be done in that case so as not to break when access controls return to working order.
+matrix_appservice_draupnir_for_all_zero_touch_deploy: false
+
 # The room ID where people can use the bot. The bot has no access controls, so
 # anyone in this room can use the bot - secure your room!
 # This should be a room alias - not a matrix.to URL.
-# Note: Draupnir is fairly verbose - expect a lot of messages from it.
+# Appservice mode, unlike bot mode, is not verbose in the admin room.
 # This room is different for Appservice Mode compared to normal mode.
 # In Appservice mode it provides functions like user management.
 matrix_appservice_draupnir_for_all_config_adminRoom: ""  # noqa var-naming

+# This controls the MXID of who is invited to the admin room on its creation when using Zero Touch Deployment.
+# This value is mutually exclusive with matrix_appservice_draupnir_for_all_config_adminRoom
+# and the bot will crash if you attempt to set both at the same time.
+matrix_appservice_draupnir_for_all_config_initialManager: ""  # noqa var-naming
+
 # Controls if the room state backing store is activated.
 # Room state backing store makes restarts of the bot lightning fast as the bot does not suffer from amnesia.
 # This config option has diminished improvements for bots on extremely fast homeservers or very very small bots on fast homeservers.
@@ -1,6 +1,6 @@
 # SPDX-FileCopyrightText: 2024 David Mehren
 # SPDX-FileCopyrightText: 2024 MDAD project contributors
-# SPDX-FileCopyrightText: 2024 Catalan Lover <catalanlover@protonmail.com>
+# SPDX-FileCopyrightText: 2024 - 2026 Catalan Lover <catalanlover@protonmail.com>
 # SPDX-FileCopyrightText: 2024 Slavi Pantaleev
 # SPDX-FileCopyrightText: 2024 Suguru Hirahara
 #
@@ -26,11 +26,9 @@
  when: "item.when | bool"

 - name: Ensure Draupnir Docker image is pulled
-  community.docker.docker_image:
+  community.docker.docker_image_pull:
    name: "{{ matrix_appservice_draupnir_for_all_container_image }}"
-    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
-    force_source: "{{ matrix_appservice_draupnir_for_all_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
-    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_draupnir_for_all_container_image_force_pull }}"
+    pull: always
  when: "not matrix_appservice_draupnir_for_all_container_image_self_build | bool"
  register: matrix_appservice_draupnir_for_all_container_image_pull_result
  retries: "{{ devture_playbook_help_container_retries_count }}"
@@ -49,15 +47,18 @@
  when: "matrix_appservice_draupnir_for_all_container_image_self_build | bool"

 - name: Ensure Draupnir Docker image is built
-  community.docker.docker_image:
+  # Using docker_image_build with BuildKit for modern, efficient builds.
+  # Rebuild when the git checkout advanced to a new commit; otherwise keep the build idempotent.
+  # Technically the idempotency of rebuilds is more that if a build has already been executed for that name:tag
+  # then we won't rebuild while in idempotent mode even if git moved. That's what the force rebuild logic is for.
+  community.docker.docker_image_build:
    name: "{{ matrix_appservice_draupnir_for_all_container_image }}"
-    source: build
-    force_source: "{{ matrix_appservice_draupnir_for_all_git_pull_results.changed }}"
-    build:
-      dockerfile: Dockerfile
-      path: "{{ matrix_appservice_draupnir_for_all_container_src_files_path }}"
-      pull: true
+    dockerfile: Dockerfile
+    path: "{{ matrix_appservice_draupnir_for_all_container_src_files_path }}"
+    pull: true
+    rebuild: "{{ 'always' if matrix_appservice_draupnir_for_all_git_pull_results.changed | bool else 'never' }}"
  when: "matrix_appservice_draupnir_for_all_container_image_self_build | bool"
+  register: matrix_appservice_draupnir_for_all_container_image_build_result

 - name: Ensure matrix-appservice-draupnir-for-all appservice config installed
  ansible.builtin.copy:
@@ -100,6 +101,16 @@
    mode: '0644'
  register: matrix_appservice_draupnir_for_all_systemd_service_result

+# matrix-appservice-draupnir-for-all and matrix-bot-draupnir share the
+# same upstream container image. When both are enabled and force-pull is
+# on, the second role to run sees the image as already up-to-date (the
+# first role just pulled it), so its pull_result.changed is false and
+# conditional restart would skip it. To avoid that, we also treat
+# force-pull itself as a restart trigger for this role. The downside is
+# that both Draupnir services restart on every run when force-pull is
+# enabled (e.g. with rolling tags like `latest` or `main`), even when the
+# upstream image has not moved. That is wasteful but acceptable.
+# See: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/5186
 - name: Determine whether Draupnir for All needs a restart
  ansible.builtin.set_fact:
    matrix_appservice_draupnir_for_all_restart_necessary: >-
@@ -110,6 +121,8 @@
        or matrix_appservice_draupnir_for_all_registration_config_result.changed | default(false)
        or matrix_appservice_draupnir_for_all_systemd_service_result.changed | default(false)
        or matrix_appservice_draupnir_for_all_container_image_pull_result.changed | default(false)
+        or matrix_appservice_draupnir_for_all_container_image_build_result.changed | default(false)
+        or matrix_appservice_draupnir_for_all_force_restart | bool
      }}

 - name: Ensure matrix-appservice-draupnir-for-all.service restarted, if necessary
@@ -1,5 +1,5 @@
 # SPDX-FileCopyrightText: 2024 MDAD project contributors
-# SPDX-FileCopyrightText: 2024 Catalan Lover <catalanlover@protonmail.com>
+# SPDX-FileCopyrightText: 2024 - 2026 Catalan Lover <catalanlover@protonmail.com>
 # SPDX-FileCopyrightText: 2024 Slavi Pantaleev
 # SPDX-FileCopyrightText: 2025 Suguru Hirahara
 #
@@ -23,11 +23,21 @@
    - {'old': 'matrix_appservice_draupnir_for_all_docker_image_registry_prefix_upstream', 'new': 'matrix_appservice_draupnir_for_all_container_image_registry_prefix_upstream'}
    - {'old': 'matrix_appservice_draupnir_for_all_docker_image_registry_prefix_upstream_default', 'new': 'matrix_appservice_draupnir_for_all_container_image_registry_prefix_upstream_default'}
    - {'old': 'matrix_appservice_draupnir_for_all_docker_src_files_path', 'new': 'matrix_appservice_draupnir_for_all_container_src_files_path'}
+    - {'old': 'matrix_appservice_draupnir_for_all_container_image_force_pull', 'new': '<removed> (No longer needed due to new docker module doing this natively only if needed.)'}

- name: Fail if required matrix-bot-draupnir variables are undefined
+- name: Fail if required matrix-appservice-draupnir-for-all variables are undefined
  ansible.builtin.fail:
-    msg: "The `{{ item }}` variable must be defined and have a non-null value."
+    msg: "The `{{ item.name }}` variable must be defined and have a non-null value."
  with_items:
-    - "matrix_appservice_draupnir_for_all_config_adminRoom"
-    - "matrix_bot_draupnir_container_network"
-  when: "lookup('vars', item, default='') == '' or lookup('vars', item, default='') is none"
+    - {'name': 'matrix_appservice_draupnir_for_all_config_adminRoom', when: "{{ not matrix_appservice_draupnir_for_all_zero_touch_deploy }}"}
+    - {'name': 'matrix_appservice_draupnir_for_all_config_initialManager', when: "{{ matrix_appservice_draupnir_for_all_zero_touch_deploy }}"}
+    - {'name': 'matrix_appservice_draupnir_for_all_container_network', when: true}
+  when: "item.when | bool and (lookup('vars', item.name, default='') == '' or lookup('vars', item.name, default='') is none)"
+
+- name: Fail if inappropriate variables are defined
+  ansible.builtin.fail:
+    msg: "The `{{ item.name }}` variable must be undefined or have a null value."
+  with_items:
+    - {'name': 'matrix_appservice_draupnir_for_all_config_adminRoom', when: "{{ matrix_appservice_draupnir_for_all_zero_touch_deploy }}"}
+    - {'name': 'matrix_appservice_draupnir_for_all_config_initialManager', when: "{{ not matrix_appservice_draupnir_for_all_zero_touch_deploy }}"}
+  when: "item.when | bool and not (lookup('vars', item.name, default='') == '' or lookup('vars', item.name, default='') is none)"
@@ -17,9 +17,16 @@ db:
  engine: "postgres"
  connectionString: "{{ matrix_appservice_draupnir_for_all_database_connection_string }}"

+{% if not matrix_appservice_draupnir_for_all_zero_touch_deploy %}
 # A room you have created that scopes who can access the appservice.
 # See docs/access_control.md
 adminRoom: {{ matrix_appservice_draupnir_for_all_config_adminRoom | to_json }}
+{% endif %}
+
+{% if matrix_appservice_draupnir_for_all_zero_touch_deploy %}
+# The initial manager to invite if the admin room has to be created.
+initialManager: {{ matrix_appservice_draupnir_for_all_config_initialManager | to_json }}
+{% endif %}

 # This is a web api that the widget connects to in order to interact with the appservice.
 webAPI:
@@ -37,6 +44,5 @@ maxDraupnirsPerUser: 1
 # Defaults to false when omitted.
 allowSelfServiceProvisioning: false

-
 roomStateBackingStore:
  enabled: {{ matrix_appservice_draupnir_for_all_config_roomStateBackingStore_enabled | to_json }}
@@ -22,12 +22,11 @@ matrix_authentication_service_container_repo_version: "{{ 'main' if matrix_authe
 matrix_authentication_service_container_src_files_path: "{{ matrix_base_data_path }}/matrix-authentication-service/container-src"

 # renovate: datasource=docker depName=ghcr.io/element-hq/matrix-authentication-service
-matrix_authentication_service_version: 1.15.0
+matrix_authentication_service_version: 1.16.0
 matrix_authentication_service_container_image_registry_prefix: "{{ 'localhost/' if matrix_authentication_service_container_image_self_build else matrix_authentication_service_container_image_registry_prefix_upstream }}"
 matrix_authentication_service_container_image_registry_prefix_upstream: "{{ matrix_authentication_service_container_image_registry_prefix_upstream_default }}"
 matrix_authentication_service_container_image_registry_prefix_upstream_default: "ghcr.io/"
 matrix_authentication_service_container_image: "{{ matrix_authentication_service_container_image_registry_prefix }}element-hq/matrix-authentication-service:{{ matrix_authentication_service_version }}"
-matrix_authentication_service_container_image_force_pull: "{{ matrix_authentication_service_container_image.endswith(':latest') }}"

 matrix_authentication_service_base_path: "{{ matrix_base_data_path }}/matrix-authentication-service"
 matrix_authentication_service_bin_path: "{{ matrix_authentication_service_base_path }}/bin"
@@ -84,11 +84,9 @@
  register: matrix_authentication_service_support_files_result

 - name: Ensure Matrix Authentication Service container image is pulled
-  community.docker.docker_image:
+  community.docker.docker_image_pull:
    name: "{{ matrix_authentication_service_container_image }}"
-    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
-    force_source: "{{ matrix_authentication_service_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
-    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_authentication_service_container_image_force_pull }}"
+    pull: always
  when: "not matrix_authentication_service_container_image_self_build | bool"
  register: matrix_authentication_service_container_image_pull_result
  retries: "{{ devture_playbook_help_container_retries_count }}"
@@ -53,3 +53,4 @@
    - {'old': 'matrix_authentication_service_syn2mas_container_image_self_build', 'new': '<removed>'}
    - {'old': 'matrix_authentication_service_syn2mas_process_extra_arguments', 'new': 'matrix_authentication_service_syn2mas_command_extra_options or matrix_authentication_service_syn2mas_subcommand_extra_options'}
    - {'old': 'matrix_authentication_service_syn2mas_dry_run', 'new': 'matrix_authentication_service_syn2mas_migrate_dry_run'}
+    - {'old': 'matrix_authentication_service_container_image_force_pull', 'new': '<removed> (the new community.docker.docker_image_pull module handles this natively)'}
@@ -84,7 +84,7 @@ matrix_monitoring_container_network: matrix-monitoring
 matrix_homeserver_enabled: true

 # This will contain the homeserver implementation that is in use.
-# Valid values: synapse, dendrite, conduit, continuwuity
+# Valid values: synapse, dendrite, conduit, continuwuity, tuwunel
 #
 # By default, we use Synapse, because it's the only full-featured Matrix server at the moment.
 #
@@ -13,7 +13,7 @@
 - name: Fail if invalid homeserver implementation
  ansible.builtin.fail:
    msg: "You need to set a valid homeserver implementation in `matrix_homeserver_implementation`"
-  when: "matrix_homeserver_implementation not in ['synapse', 'dendrite', 'conduit', 'continuwuity']"
+  when: "matrix_homeserver_implementation not in ['synapse', 'dendrite', 'conduit', 'continuwuity', 'tuwunel']"

 - name: (Deprecation) Catch and report renamed settings
  ansible.builtin.fail:
@@ -17,12 +17,11 @@ matrix_bot_baibot_container_repo_version: "{{ 'main' if matrix_bot_baibot_versio
 matrix_bot_baibot_container_src_files_path: "{{ matrix_base_data_path }}/baibot/container-src"

 # renovate: datasource=docker depName=ghcr.io/etkecc/baibot
-matrix_bot_baibot_version: v1.18.0
+matrix_bot_baibot_version: v1.19.1
 matrix_bot_baibot_container_image: "{{ matrix_bot_baibot_container_image_registry_prefix }}etkecc/baibot:{{ matrix_bot_baibot_version }}"
 matrix_bot_baibot_container_image_registry_prefix: "{{ 'localhost/' if matrix_bot_baibot_container_image_self_build else matrix_bot_baibot_container_image_registry_prefix_upstream }}"
 matrix_bot_baibot_container_image_registry_prefix_upstream: "{{ matrix_bot_baibot_container_image_registry_prefix_upstream_default }}"
 matrix_bot_baibot_container_image_registry_prefix_upstream_default: "ghcr.io/"
-matrix_bot_baibot_container_image_force_pull: "{{ matrix_bot_baibot_container_image.endswith(':latest') }}"

 matrix_bot_baibot_base_path: "{{ matrix_base_data_path }}/baibot"
 matrix_bot_baibot_config_path: "{{ matrix_bot_baibot_base_path }}/config"
@@ -38,11 +38,9 @@
  register: matrix_bot_baibot_env_result

 - name: Ensure baibot container image is pulled
-  community.docker.docker_image:
+  community.docker.docker_image_pull:
    name: "{{ matrix_bot_baibot_container_image }}"
-    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
-    force_source: "{{ matrix_bot_baibot_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
-    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_baibot_container_image_force_pull }}"
+    pull: always
  when: "not matrix_bot_baibot_container_image_self_build | bool"
  register: matrix_bot_baibot_container_image_pull_result
  retries: "{{ devture_playbook_help_container_retries_count }}"
@@ -62,15 +60,13 @@
      register: matrix_bot_baibot_git_pull_results

    - name: Ensure baibot container image is built
-      community.docker.docker_image:
+      community.docker.docker_image_build:
        name: "{{ matrix_bot_baibot_container_image }}"
-        source: build
-        force_source: "{{ matrix_bot_baibot_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
-        force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_baibot_git_pull_results.changed }}"
-        build:
-          dockerfile: Dockerfile
-          path: "{{ matrix_bot_baibot_container_src_files_path }}"
-          pull: true
+        dockerfile: Dockerfile
+        path: "{{ matrix_bot_baibot_container_src_files_path }}"
+        pull: true
+        rebuild: "{{ 'always' if matrix_bot_baibot_git_pull_results.changed | bool else 'never' }}"
+      register: matrix_bot_baibot_container_image_build_result

 - name: Ensure baibot container network is created
  community.general.docker_network:
@@ -94,4 +90,5 @@
        or matrix_bot_baibot_env_result.changed | default(false)
        or matrix_bot_baibot_systemd_service_result.changed | default(false)
        or matrix_bot_baibot_container_image_pull_result.changed | default(false)
+        or matrix_bot_baibot_container_image_build_result.changed | default(false)
      }}
@@ -91,3 +91,4 @@
  when: "lookup('ansible.builtin.varnames', ('^' + item.old + '$'), wantlist=True) | length > 0"
  with_items:
    - {'old': 'matrix_bot_baibot_container_image_name_prefix', 'new': 'matrix_bot_baibot_container_image_registry_prefix'}
+    - {'old': 'matrix_bot_baibot_container_image_force_pull', 'new': '<removed> (the new community.docker.docker_image_pull module handles this natively)'}
@@ -40,7 +40,6 @@ matrix_bot_buscarron_container_image: "{{ matrix_bot_buscarron_container_image_r
 matrix_bot_buscarron_container_image_registry_prefix: "{{ 'localhost/' if matrix_bot_buscarron_container_image_self_build else matrix_bot_buscarron_container_image_registry_prefix_upstream }}"
 matrix_bot_buscarron_container_image_registry_prefix_upstream: "{{ matrix_bot_buscarron_container_image_registry_prefix_upstream_default }}"
 matrix_bot_buscarron_container_image_registry_prefix_upstream_default: "ghcr.io/"
-matrix_bot_buscarron_container_image_force_pull: "{{ matrix_bot_buscarron_container_image.endswith(':latest') }}"

 # The base container network. It will be auto-created by this role if it doesn't exist already.
 matrix_bot_buscarron_container_network: matrix-bot-buscarron
@@ -137,19 +136,15 @@ matrix_bot_buscarron_database_sslmode: disable

 matrix_bot_buscarron_database_connection_string: 'postgres://{{ matrix_bot_buscarron_database_username }}:{{ matrix_bot_buscarron_database_password }}@{{ matrix_bot_buscarron_database_hostname }}:{{ matrix_bot_buscarron_database_port }}/{{ matrix_bot_buscarron_database_name }}?sslmode={{ matrix_bot_buscarron_database_sslmode }}'

-matrix_bot_buscarron_storage_database: "{{
-	{
-		'sqlite': matrix_bot_buscarron_sqlite_database_path_in_container,
-		'postgres': matrix_bot_buscarron_database_connection_string,
-	}[matrix_bot_buscarron_database_engine]
-}}"
+matrix_bot_buscarron_storage_database: "{{ {
+    'sqlite': matrix_bot_buscarron_sqlite_database_path_in_container,
+    'postgres': matrix_bot_buscarron_database_connection_string,
+}[matrix_bot_buscarron_database_engine] }}"

-matrix_bot_buscarron_database_dialect: "{{
-  {
+matrix_bot_buscarron_database_dialect: "{{ {
    'sqlite': 'sqlite3',
    'postgres': 'postgres',
-  }[matrix_bot_buscarron_database_engine]
-}}"
+}[matrix_bot_buscarron_database_engine] }}"


 # The bot's username. This user needs to be created manually beforehand.
@@ -61,11 +61,9 @@
  register: matrix_bot_buscarron_support_files_result

 - name: Ensure Buscarron image is pulled
-  community.docker.docker_image:
+  community.docker.docker_image_pull:
    name: "{{ matrix_bot_buscarron_container_image }}"
-    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
-    force_source: "{{ matrix_bot_buscarron_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
-    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_buscarron_container_image_force_pull }}"
+    pull: always
  when: "not matrix_bot_buscarron_container_image_self_build | bool"
  register: matrix_bot_buscarron_container_image_pull_result
  retries: "{{ devture_playbook_help_container_retries_count }}"
@@ -84,16 +82,14 @@
  when: "matrix_bot_buscarron_container_image_self_build | bool"

 - name: Ensure Buscarron image is built
-  community.docker.docker_image:
+  community.docker.docker_image_build:
    name: "{{ matrix_bot_buscarron_container_image }}"
-    source: build
-    force_source: "{{ matrix_bot_buscarron_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
-    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_buscarron_git_pull_results.changed }}"
-    build:
-      dockerfile: Dockerfile
-      path: "{{ matrix_bot_buscarron_container_src_files_path }}"
-      pull: true
+    dockerfile: Dockerfile
+    path: "{{ matrix_bot_buscarron_container_src_files_path }}"
+    pull: true
+    rebuild: "{{ 'always' if matrix_bot_buscarron_git_pull_results.changed | bool else 'never' }}"
  when: "matrix_bot_buscarron_container_image_self_build | bool"
+  register: matrix_bot_buscarron_container_image_build_result

 - name: Ensure matrix-bot-buscarron.service installed
  ansible.builtin.template:
@@ -110,6 +106,7 @@
        or matrix_bot_buscarron_support_files_result.changed | default(false)
        or matrix_bot_buscarron_systemd_service_result.changed | default(false)
        or matrix_bot_buscarron_container_image_pull_result.changed | default(false)
+        or matrix_bot_buscarron_container_image_build_result.changed | default(false)
      }}

 - name: Ensure Buscarron container network is created
@@ -19,6 +19,7 @@
    - {'old': 'matrix_bot_buscarron_container_image_name_prefix', 'new': 'matrix_bot_buscarron_container_image_registry_prefix'}
    - {'old': 'matrix_bot_buscarron_docker_image', 'new': 'matrix_bot_buscarron_container_image'}
    - {'old': 'matrix_bot_buscarron_docker_image_force_pull', 'new': 'matrix_bot_buscarron_container_image_force_pull'}
+    - {'old': 'matrix_bot_buscarron_container_image_force_pull', 'new': '<removed> (the new community.docker.docker_image_pull module handles this natively)'}
    - {'old': 'matrix_bot_buscarron_docker_image_registry_prefix', 'new': 'matrix_bot_buscarron_container_image_registry_prefix'}
    - {'old': 'matrix_bot_buscarron_docker_image_registry_prefix_upstream', 'new': 'matrix_bot_buscarron_container_image_registry_prefix_upstream'}
    - {'old': 'matrix_bot_buscarron_docker_image_registry_prefix_upstream_default', 'new': 'matrix_bot_buscarron_container_image_registry_prefix_upstream_default'}
@@ -12,7 +12,7 @@
 matrix_bot_draupnir_enabled: true

 # renovate: datasource=docker depName=depName=ghcr.io/the-draupnir-project/draupnir
-matrix_bot_draupnir_version: "v3.0.0"
+matrix_bot_draupnir_version: "v3.1.0"

 matrix_bot_draupnir_container_image_self_build: false
 matrix_bot_draupnir_container_image_self_build_repo: "https://github.com/the-draupnir-project/Draupnir.git"
@@ -22,13 +22,24 @@ matrix_bot_draupnir_container_image_registry_namespace_identifier: "the-draupnir
 matrix_bot_draupnir_container_image_registry_prefix: "{{ 'localhost/' if matrix_bot_draupnir_container_image_self_build else matrix_bot_draupnir_container_image_registry_prefix_upstream }}"
 matrix_bot_draupnir_container_image_registry_prefix_upstream: "{{ matrix_bot_draupnir_container_image_registry_prefix_upstream_default }}"
 matrix_bot_draupnir_container_image_registry_prefix_upstream_default: "ghcr.io/"
-matrix_bot_draupnir_container_image_force_pull: "{{ matrix_bot_draupnir_container_image.endswith(':latest') }}"

 matrix_bot_draupnir_base_path: "{{ matrix_base_data_path }}/draupnir"
 matrix_bot_draupnir_config_path: "{{ matrix_bot_draupnir_base_path }}/config"
 matrix_bot_draupnir_data_path: "{{ matrix_bot_draupnir_base_path }}/data"
 matrix_bot_draupnir_container_src_files_path: "{{ matrix_bot_draupnir_base_path }}/docker-src"

+# Rolling tag: true if version doesn't match semver shape (vX.Y.Z with optional prerelease/build), false otherwise.
+matrix_bot_draupnir_rolling_tag: "{{ not (matrix_bot_draupnir_version is match('^v[0-9]+\\.[0-9]+\\.[0-9]+(?:-[0-9A-Za-z.-]+)?(?:\\+[0-9A-Za-z.-]+)?$')) }}"
+
+# Force restart the service on all runs only when both roles are enabled, both roles
+# are using the same version string, and that version is a classified as a moving tag.
+matrix_bot_draupnir_force_restart: "{{
+  matrix_bot_draupnir_enabled | bool and
+  matrix_appservice_draupnir_for_all_enabled | bool and
+  matrix_bot_draupnir_version == matrix_appservice_draupnir_for_all_version and
+  matrix_bot_draupnir_rolling_tag | bool
+}}"
+
 matrix_bot_draupnir_config_web_enabled: "{{ matrix_bot_draupnir_config_web_abuseReporting or matrix_bot_draupnir_config_web_synapseHTTPAntispam_enabled }}"  # noqa var-naming

 matrix_bot_draupnir_config_web_abuseReporting: false  # noqa var-naming
@@ -104,12 +115,36 @@ matrix_bot_draupnir_password: "{{ matrix_bot_draupnir_pantalaimon_password }}"
 # This configuration option does not follow the common naming schema as its not controlling a config key directly.
 matrix_bot_draupnir_login_native: false

-# The room ID where people can use the bot. The bot has no access controls, so
-# anyone in this room can use the bot - secure your room!
+# This controls whether Zero Touch Deployment is enabled.
+# When enabled, the playbook validates the settings and only
+# renders the configuration values Draupnir expects.
+# This prevents invalid manual combinations from being passed through, since
+# Draupnir requires `matrix_bot_draupnir_config_managementRoom` to be unset and
+# `matrix_bot_draupnir_config_initialManager` to be a valid MXID.
+# Zero Touch Deployment is recommended for all new deployments.
+# Deployments that are exempt from this recommendation are assumed to be
+# advanced setups with specific needs for non-zero-touch mode.
+# Note that enabling this on an existing deployment will cause the bot to
+# recreate the management room.
+# Recreating the management room will cause all protections to reset their settings to defaults
+# and cause the recreation of secondary rooms like notification rooms. All bot memory will also be wiped.
+matrix_bot_draupnir_zero_touch_deploy: false
+
+# The management room used for administration when Zero Touch
+# Deployment is disabled.
+# The bot has no access controls, so anyone in this room can use it - secure
+# your room!
 # This should be a room alias or room ID - not a matrix.to URL.
 # Note: Draupnir is fairly verbose - expect a lot of messages from it.
 matrix_bot_draupnir_config_managementRoom: ""  # noqa var-naming

+# The MXID invited as the initial manager when Zero Touch Deployment creates the
+# management room.
+# This value is mutually exclusive with
+# `matrix_bot_draupnir_config_managementRoom`, and the bot will crash if you
+# attempt to set both at the same time.
+matrix_bot_draupnir_config_initialManager: ""  # noqa var-naming
+
 # Endpoint URL that Draupnir uses to interact with the Matrix homeserver (client-server API).
 # Set this to the Pantalaimon URL if you're using that.
 matrix_bot_draupnir_config_homeserverUrl: ""  # noqa var-naming
@@ -38,11 +38,9 @@
  register: matrix_bot_draupnir_support_files_result

 - name: Ensure Draupnir Docker image is pulled
-  community.docker.docker_image:
+  community.docker.docker_image_pull:
    name: "{{ matrix_bot_draupnir_container_image }}"
-    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
-    force_source: "{{ matrix_bot_draupnir_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
-    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_draupnir_container_image_force_pull }}"
+    pull: always
  when: "not matrix_bot_draupnir_container_image_self_build | bool"
  register: matrix_bot_draupnir_container_image_pull_result
  retries: "{{ devture_playbook_help_container_retries_count }}"
@@ -61,15 +59,18 @@
  when: "matrix_bot_draupnir_container_image_self_build | bool"

 - name: Ensure Draupnir Docker image is built
-  community.docker.docker_image:
+  # Using docker_image_build with BuildKit for modern, efficient builds.
+  # Rebuild when the git checkout advanced to a new commit; otherwise keep the build idempotent.
+  # Technically the idempotency of rebuilds is more that if a build has already been executed for that name:tag
+  # then we won't rebuild while in idempotent mode even if git moved. That's what the force rebuild logic is for.
+  community.docker.docker_image_build:
    name: "{{ matrix_bot_draupnir_container_image }}"
-    source: build
-    force_source: "{{ matrix_bot_draupnir_git_pull_results.changed }}"
-    build:
-      dockerfile: Dockerfile
-      path: "{{ matrix_bot_draupnir_container_src_files_path }}"
-      pull: true
+    dockerfile: Dockerfile
+    path: "{{ matrix_bot_draupnir_container_src_files_path }}"
+    pull: true
+    rebuild: "{{ 'always' if matrix_bot_draupnir_git_pull_results.changed | bool else 'never' }}"
  when: "matrix_bot_draupnir_container_image_self_build | bool"
+  register: matrix_bot_draupnir_container_image_build_result

 - name: Ensure matrix-bot-draupnir config installed
  ansible.builtin.copy:
@@ -94,6 +95,16 @@
    mode: '0644'
  register: matrix_bot_draupnir_systemd_service_result

+# matrix-bot-draupnir and matrix-appservice-draupnir-for-all share the
+# same upstream container image. When both are enabled and force-pull is
+# on, the second role to run sees the image as already up-to-date (the
+# first role just pulled it), so its pull_result.changed is false and
+# conditional restart would skip it. To avoid that, we also treat
+# force-pull itself as a restart trigger for this role. The downside is
+# that both Draupnir services restart on every run when force-pull is
+# enabled (e.g. with rolling tags like `latest` or `main`), even when the
+# upstream image has not moved. That is wasteful but acceptable.
+# See: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/5186
 - name: Determine whether Draupnir needs a restart
  ansible.builtin.set_fact:
    matrix_bot_draupnir_restart_necessary: >-
@@ -103,6 +114,8 @@
        or matrix_bot_draupnir_config_result.changed | default(false)
        or matrix_bot_draupnir_systemd_service_result.changed | default(false)
        or matrix_bot_draupnir_container_image_pull_result.changed | default(false)
+        or matrix_bot_draupnir_container_image_build_result.changed | default(false)
+        or matrix_bot_draupnir_force_restart | bool
      }}

 - name: Ensure matrix-bot-draupnir.service restarted, if necessary
@@ -1,5 +1,5 @@
 # SPDX-FileCopyrightText: 2023 - 2025 MDAD project contributors
-# SPDX-FileCopyrightText: 2023 - 2025 Catalan Lover <catalanlover@protonmail.com>
+# SPDX-FileCopyrightText: 2023 - 2026 Catalan Lover <catalanlover@protonmail.com>
 # SPDX-FileCopyrightText: 2024 - 2025 Slavi Pantaleev
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
@@ -37,6 +37,7 @@
    - {'old': 'matrix_bot_draupnir_docker_image_registry_prefix_upstream', 'new': 'matrix_bot_draupnir_container_image_registry_prefix_upstream'}
    - {'old': 'matrix_bot_draupnir_docker_image_registry_prefix_upstream_default', 'new': 'matrix_bot_draupnir_container_image_registry_prefix_upstream_default'}
    - {'old': 'matrix_bot_draupnir_docker_src_files_path', 'new': 'matrix_bot_draupnir_container_src_files_path'}
+    - {'old': 'matrix_bot_draupnir_container_image_force_pull', 'new': '<removed> (No longer needed due to new docker module doing this natively only if needed.)'}

 - name: Fail if required matrix-bot-draupnir variables are undefined
  ansible.builtin.fail:
@@ -44,7 +45,8 @@
  with_items:
    - {'name': 'matrix_bot_draupnir_config_accessToken', when: "{{ not matrix_bot_draupnir_pantalaimon_use and not matrix_bot_draupnir_login_native }}"}
    - {'name': 'matrix_bot_draupnir_config_accessToken', when: "{{ matrix_bot_draupnir_config_experimentalRustCrypto }}"}
-    - {'name': 'matrix_bot_draupnir_config_managementRoom', when: true}
+    - {'name': 'matrix_bot_draupnir_config_managementRoom', when: "{{ not matrix_bot_draupnir_zero_touch_deploy }}"}
+    - {'name': 'matrix_bot_draupnir_config_initialManager', when: "{{ matrix_bot_draupnir_zero_touch_deploy }}"}
    - {'name': 'matrix_bot_draupnir_container_network', when: true}
    - {'name': 'matrix_bot_draupnir_config_homeserverUrl', when: true}
    - {'name': 'matrix_bot_draupnir_config_rawHomeserverUrl', when: true}
@@ -63,6 +65,8 @@
  with_items:
    - {'name': 'matrix_bot_draupnir_config_accessToken', when: "{{ matrix_bot_draupnir_pantalaimon_use }}"}
    - {'name': 'matrix_bot_draupnir_config_accessToken', when: "{{ matrix_bot_draupnir_login_native }}"}
+    - {'name': 'matrix_bot_draupnir_config_managementRoom', when: "{{ matrix_bot_draupnir_zero_touch_deploy }}"}
+    - {'name': 'matrix_bot_draupnir_config_initialManager', when: "{{ not matrix_bot_draupnir_zero_touch_deploy }}"}
  when: "item.when | bool and not (lookup('vars', item.name, default='') == '' or lookup('vars', item.name, default='') is none)"

 - name: Fail when matrix_bot_draupnir_config_experimentalRustCrypto is enabled together with matrix_bot_draupnir_pantalaimon_use
@@ -63,6 +63,7 @@ autojoinOnlyIfManager: true
 # Whether Draupnir should report ignored invites to the management room (if autojoinOnlyIfManager is true).
 recordIgnoredInvites: false

+{% if not matrix_bot_draupnir_zero_touch_deploy %}
 # The room ID (or room alias) of the management room, anyone in this room can issue commands to Draupnir.
 #
 # Draupnir has no more granular access controls other than this, be sure you trust everyone in this room - secure it!
@@ -72,6 +73,13 @@ recordIgnoredInvites: false
 # Note: By default, Draupnir is fairly verbose - expect a lot of messages in this room.
 # (see verboseLogging to adjust this a bit.)
 managementRoom: {{ matrix_bot_draupnir_config_managementRoom | to_json }}
+{% endif %}
+
+{% if matrix_bot_draupnir_zero_touch_deploy %}
+# The initial manager to invite if the management room has to be created.
+# Leave this commented out when using a pre-existing management room.
+initialManager: {{ matrix_bot_draupnir_config_initialManager | to_json }}
+{% endif %}

 # The log level of terminal (or container) output,
 # can be one of DEBUG, INFO, WARN and ERROR, in increasing order of importance and severity.
@@ -36,7 +36,6 @@ matrix_bot_go_neb_data_store_path: "{{ matrix_bot_go_neb_data_path }}/store"

 matrix_bot_go_neb_container_image: "{{ matrix_bot_go_neb_container_image_registry_prefix }}matrixdotorg/go-neb:{{ matrix_bot_go_neb_container_image_tag }}"
 matrix_bot_go_neb_container_image_tag: "{{ matrix_bot_go_neb_version }}"
-matrix_bot_go_neb_container_image_force_pull: "{{ matrix_bot_go_neb_container_image.endswith(':latest') }}"
 matrix_bot_go_neb_container_image_registry_prefix: "{{ matrix_bot_go_neb_container_image_registry_prefix_upstream }}"
 matrix_bot_go_neb_container_image_registry_prefix_upstream: "{{ matrix_bot_go_neb_container_image_registry_prefix_upstream_default }}"
 matrix_bot_go_neb_container_image_registry_prefix_upstream_default: "docker.io/"
@@ -159,11 +158,9 @@ matrix_bot_go_neb_database_engine: 'sqlite3'
 matrix_bot_go_neb_sqlite_database_path_local: "{{ matrix_bot_go_neb_data_path }}/bot.db"
 matrix_bot_go_neb_sqlite_database_path_in_container: "/data/bot.db"

-matrix_bot_go_neb_storage_database: "{{
-	{
-		'sqlite3': (matrix_bot_go_neb_sqlite_database_path_in_container + '?_busy_timeout=5000'),
-	}[matrix_bot_go_neb_database_engine]
-}}"
+matrix_bot_go_neb_storage_database: "{{ {
+    'sqlite3': (matrix_bot_go_neb_sqlite_database_path_in_container + '?_busy_timeout=5000'),
+}[matrix_bot_go_neb_database_engine] }}"

 # The bot's username(s). These users need to be created manually beforehand.
 # The access tokens that the bot uses to authenticate.
@@ -45,11 +45,9 @@
  register: matrix_bot_go_neb_support_files_result

 - name: Ensure go-neb container image is pulled
-  community.docker.docker_image:
+  community.docker.docker_image_pull:
    name: "{{ matrix_bot_go_neb_container_image }}"
-    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
-    force_source: "{{ matrix_bot_go_neb_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
-    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_go_neb_container_image_force_pull }}"
+    pull: always
  register: matrix_bot_go_neb_container_image_pull_result
  retries: "{{ devture_playbook_help_container_retries_count }}"
  delay: "{{ devture_playbook_help_container_retries_delay }}"
@@ -16,3 +16,11 @@
    msg: >-
      You need at least 1 service in the matrix_bot_go_neb_services block.
  when: matrix_bot_go_neb_services is not defined or matrix_bot_go_neb_services[0] is not defined
+
+- name: (Deprecation) Catch and report renamed matrix-bot-go-neb variables
+  ansible.builtin.fail:
+    msg: >-
+      The variable `{{ item.old }}` is deprecated. Please use `{{ item.new }}` instead.
+  when: "lookup('ansible.builtin.varnames', ('^' + item.old + '$'), wantlist=True) | length > 0"
+  with_items:
+    - {'old': 'matrix_bot_go_neb_container_image_force_pull', 'new': '<removed> (the new community.docker.docker_image_pull module handles this natively)'}
@@ -35,7 +35,6 @@ matrix_bot_honoroit_container_image: "{{ matrix_bot_honoroit_container_image_reg
 matrix_bot_honoroit_container_image_registry_prefix: "{{ 'localhost/' if matrix_bot_honoroit_container_image_self_build else matrix_bot_honoroit_container_image_registry_prefix_upstream }}"
 matrix_bot_honoroit_container_image_registry_prefix_upstream: "{{ matrix_bot_honoroit_container_image_registry_prefix_upstream_default }}"
 matrix_bot_honoroit_container_image_registry_prefix_upstream_default: "ghcr.io/"
-matrix_bot_honoroit_container_image_force_pull: "{{ matrix_bot_honoroit_container_image.endswith(':latest') }}"

 matrix_bot_honoroit_base_path: "{{ matrix_base_data_path }}/honoroit"
 matrix_bot_honoroit_config_path: "{{ matrix_bot_honoroit_base_path }}/config"
@@ -115,19 +114,15 @@ matrix_bot_honoroit_database_sslmode: disable

 matrix_bot_honoroit_database_connection_string: 'postgres://{{ matrix_bot_honoroit_database_username }}:{{ matrix_bot_honoroit_database_password }}@{{ matrix_bot_honoroit_database_hostname }}:{{ matrix_bot_honoroit_database_port }}/{{ matrix_bot_honoroit_database_name }}?sslmode={{ matrix_bot_honoroit_database_sslmode }}'

-matrix_bot_honoroit_storage_database: "{{
-	{
-		'sqlite': matrix_bot_honoroit_sqlite_database_path_in_container,
-		'postgres': matrix_bot_honoroit_database_connection_string,
-	}[matrix_bot_honoroit_database_engine]
-}}"
+matrix_bot_honoroit_storage_database: "{{ {
+    'sqlite': matrix_bot_honoroit_sqlite_database_path_in_container,
+    'postgres': matrix_bot_honoroit_database_connection_string,
+}[matrix_bot_honoroit_database_engine] }}"

-matrix_bot_honoroit_database_dialect: "{{
-  {
+matrix_bot_honoroit_database_dialect: "{{ {
    'sqlite': 'sqlite3',
    'postgres': 'postgres',
-  }[matrix_bot_honoroit_database_engine]
-}}"
+}[matrix_bot_honoroit_database_engine] }}"


 # The bot's username. This user needs to be created manually beforehand.
@@ -63,11 +63,9 @@
  register: matrix_bot_honoroit_support_files_result

 - name: Ensure Honoroit image is pulled
-  community.docker.docker_image:
+  community.docker.docker_image_pull:
    name: "{{ matrix_bot_honoroit_container_image }}"
-    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
-    force_source: "{{ matrix_bot_honoroit_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
-    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_honoroit_container_image_force_pull }}"
+    pull: always
  when: "not matrix_bot_honoroit_container_image_self_build | bool"
  register: matrix_bot_honoroit_container_image_pull_result
  retries: "{{ devture_playbook_help_container_retries_count }}"
@@ -86,16 +84,14 @@
  when: "matrix_bot_honoroit_container_image_self_build | bool"

 - name: Ensure Honoroit image is built
-  community.docker.docker_image:
+  community.docker.docker_image_build:
    name: "{{ matrix_bot_honoroit_container_image }}"
-    source: build
-    force_source: "{{ matrix_bot_honoroit_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
-    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_honoroit_container_image_self_build.changed }}"
-    build:
-      dockerfile: Dockerfile
-      path: "{{ matrix_bot_honoroit_container_src_files_path }}"
-      pull: true
+    dockerfile: Dockerfile
+    path: "{{ matrix_bot_honoroit_container_src_files_path }}"
+    pull: true
+    rebuild: "{{ 'always' if matrix_bot_honoroit_git_pull_results.changed | bool else 'never' }}"
  when: "matrix_bot_honoroit_container_image_self_build | bool"
+  register: matrix_bot_honoroit_container_image_build_result

 - name: Ensure Honoroit container network is created
  community.general.docker_network:
@@ -119,6 +115,7 @@
        or matrix_bot_honoroit_support_files_result.changed | default(false)
        or matrix_bot_honoroit_systemd_service_result.changed | default(false)
        or matrix_bot_honoroit_container_image_pull_result.changed | default(false)
+        or matrix_bot_honoroit_container_image_build_result.changed | default(false)
      }}

 - name: Ensure matrix-bot-honoroit.service restarted, if necessary
@@ -16,6 +16,7 @@
    - {'old': 'matrix_bot_honoroit_container_image_name_prefix', 'new': 'matrix_bot_honoroit_container_image_registry_prefix'}
    - {'old': 'matrix_bot_honoroit_docker_image', 'new': 'matrix_bot_honoroit_container_image'}
    - {'old': 'matrix_bot_honoroit_docker_image_force_pull', 'new': 'matrix_bot_honoroit_container_image_force_pull'}
+    - {'old': 'matrix_bot_honoroit_container_image_force_pull', 'new': '<removed> (the new community.docker.docker_image_pull module handles this natively)'}
    - {'old': 'matrix_bot_honoroit_docker_image_registry_prefix', 'new': 'matrix_bot_honoroit_container_image_registry_prefix'}
    - {'old': 'matrix_bot_honoroit_docker_image_registry_prefix_upstream', 'new': 'matrix_bot_honoroit_container_image_registry_prefix_upstream'}
    - {'old': 'matrix_bot_honoroit_docker_image_registry_prefix_upstream_default', 'new': 'matrix_bot_honoroit_container_image_registry_prefix_upstream_default'}
@@ -26,7 +26,6 @@ matrix_bot_matrix_registration_bot_container_image: "{{ matrix_bot_matrix_regist
 matrix_bot_matrix_registration_bot_container_image_registry_prefix: "{{ 'localhost/' if matrix_bot_matrix_registration_bot_container_image_self_build else matrix_bot_matrix_registration_bot_container_image_registry_prefix_upstream }}"
 matrix_bot_matrix_registration_bot_container_image_registry_prefix_upstream: "{{ matrix_bot_matrix_registration_bot_container_image_registry_prefix_upstream_default }}"
 matrix_bot_matrix_registration_bot_container_image_registry_prefix_upstream_default: "docker.io/"
-matrix_bot_matrix_registration_bot_container_image_force_pull: "{{ matrix_bot_matrix_registration_bot_container_image.endswith(':latest') }}"

 matrix_bot_matrix_registration_bot_base_path: "{{ matrix_base_data_path }}/matrix-registration-bot"
 matrix_bot_matrix_registration_bot_config_path: "{{ matrix_bot_matrix_registration_bot_base_path }}/config"
@@ -31,11 +31,9 @@
  register: matrix_bot_matrix_registration_bot_config_result

 - name: Ensure matrix-registration-bot image is pulled
-  community.docker.docker_image:
+  community.docker.docker_image_pull:
    name: "{{ matrix_bot_matrix_registration_bot_container_image }}"
-    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
-    force_source: "{{ matrix_bot_matrix_registration_bot_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
-    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_matrix_registration_bot_container_image_force_pull }}"
+    pull: always
  when: "not matrix_bot_matrix_registration_bot_container_image_self_build | bool"
  register: matrix_bot_matrix_registration_bot_container_image_pull_result
  retries: "{{ devture_playbook_help_container_retries_count }}"
@@ -55,15 +53,13 @@
      register: matrix_bot_matrix_registration_bot_git_pull_results

    - name: Ensure matrix-registration-bot image is built
-      community.docker.docker_image:
+      community.docker.docker_image_build:
        name: "{{ matrix_bot_matrix_registration_bot_container_image }}"
-        source: build
-        force_source: "{{ matrix_bot_matrix_registration_bot_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
-        force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_matrix_registration_bot_git_pull_results.changed }}"
-        build:
-          dockerfile: Dockerfile
-          path: "{{ matrix_bot_matrix_registration_bot_container_src_files_path }}"
-          pull: true
+        dockerfile: Dockerfile
+        path: "{{ matrix_bot_matrix_registration_bot_container_src_files_path }}"
+        pull: true
+        rebuild: "{{ 'always' if matrix_bot_matrix_registration_bot_git_pull_results.changed | bool else 'never' }}"
+      register: matrix_bot_matrix_registration_bot_container_image_build_result

 - name: Ensure matrix-registration-bot container network is created
  community.general.docker_network:
@@ -86,4 +82,5 @@
        matrix_bot_matrix_registration_bot_config_result.changed | default(false)
        or matrix_bot_matrix_registration_bot_systemd_service_result.changed | default(false)
        or matrix_bot_matrix_registration_bot_container_image_pull_result.changed | default(false)
+        or matrix_bot_matrix_registration_bot_container_image_build_result.changed | default(false)
      }}
@@ -16,7 +16,8 @@
    - {'old': 'matrix_bot_matrix_registration_bot_bot_access_token', 'new': '<removed>'}
    - {'old': 'matrix_bot_matrix_registration_bot_matrix_homeserver_url', 'new': 'matrix_bot_matrix_registration_bot_api_base_url'}
    - {'old': 'matrix_bot_matrix_registration_bot_docker_image', 'new': 'matrix_bot_matrix_registration_bot_container_image'}
-    - {'old': 'matrix_bot_matrix_registration_bot_docker_image_force_pull', 'new': 'matrix_bot_matrix_registration_bot_container_image_force_pull'}
+    - {'old': 'matrix_bot_matrix_registration_bot_docker_image_force_pull', 'new': '<removed> (the new community.docker.docker_image_pull module handles this natively)'}
+    - {'old': 'matrix_bot_matrix_registration_bot_container_image_force_pull', 'new': '<removed> (the new community.docker.docker_image_pull module handles this natively)'}
    - {'old': 'matrix_bot_matrix_registration_bot_docker_image_registry_prefix', 'new': 'matrix_bot_matrix_registration_bot_container_image_registry_prefix'}
    - {'old': 'matrix_bot_matrix_registration_bot_docker_image_registry_prefix_upstream', 'new': 'matrix_bot_matrix_registration_bot_container_image_registry_prefix_upstream'}
    - {'old': 'matrix_bot_matrix_registration_bot_docker_image_registry_prefix_upstream_default', 'new': 'matrix_bot_matrix_registration_bot_container_image_registry_prefix_upstream_default'}
@@ -25,7 +25,6 @@ matrix_bot_matrix_reminder_bot_container_image: "{{ matrix_bot_matrix_reminder_b
 matrix_bot_matrix_reminder_bot_container_image_registry_prefix: "{{ 'localhost/' if matrix_bot_matrix_reminder_bot_container_image_self_build else matrix_bot_matrix_reminder_bot_container_image_registry_prefix_upstream }}"
 matrix_bot_matrix_reminder_bot_container_image_registry_prefix_upstream: "{{ matrix_bot_matrix_reminder_bot_container_image_registry_prefix_upstream_default }}"
 matrix_bot_matrix_reminder_bot_container_image_registry_prefix_upstream_default: "ghcr.io/"
-matrix_bot_matrix_reminder_bot_container_image_force_pull: "{{ matrix_bot_matrix_reminder_bot_container_image.endswith(':latest') }}"

 matrix_bot_matrix_reminder_bot_base_path: "{{ matrix_base_data_path }}/matrix-reminder-bot"
 matrix_bot_matrix_reminder_bot_config_path: "{{ matrix_bot_matrix_reminder_bot_base_path }}/config"
@@ -72,12 +71,10 @@ matrix_bot_matrix_reminder_bot_database_name: 'matrix_reminder_bot'

 matrix_bot_matrix_reminder_bot_database_connection_string: 'postgres://{{ matrix_bot_matrix_reminder_bot_database_username }}:{{ matrix_bot_matrix_reminder_bot_database_password }}@{{ matrix_bot_matrix_reminder_bot_database_hostname }}:{{ matrix_bot_matrix_reminder_bot_database_port }}/{{ matrix_bot_matrix_reminder_bot_database_name }}'

-matrix_bot_matrix_reminder_bot_storage_database: "{{
-	{
-		'sqlite': ('sqlite://' + matrix_bot_matrix_reminder_bot_sqlite_database_path_in_container),
-		'postgres': matrix_bot_matrix_reminder_bot_database_connection_string,
-	}[matrix_bot_matrix_reminder_bot_database_engine]
-}}"
+matrix_bot_matrix_reminder_bot_storage_database: "{{ {
+    'sqlite': ('sqlite://' + matrix_bot_matrix_reminder_bot_sqlite_database_path_in_container),
+    'postgres': matrix_bot_matrix_reminder_bot_database_connection_string,
+}[matrix_bot_matrix_reminder_bot_database_engine] }}"


 # The bot's username. This user needs to be created manually beforehand.
@@ -53,11 +53,9 @@
  when: "item.when | bool"

 - name: Ensure matrix-reminder-bot image is pulled
-  community.docker.docker_image:
+  community.docker.docker_image_pull:
    name: "{{ matrix_bot_matrix_reminder_bot_container_image }}"
-    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
-    force_source: "{{ matrix_bot_matrix_reminder_bot_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
-    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_matrix_reminder_bot_container_image_force_pull }}"
+    pull: always
  when: "not matrix_bot_matrix_reminder_bot_container_image_self_build | bool"
  register: matrix_bot_matrix_reminder_bot_container_image_pull_result
  retries: "{{ devture_playbook_help_container_retries_count }}"
@@ -76,16 +74,14 @@
  when: "matrix_bot_matrix_reminder_bot_container_image_self_build | bool"

 - name: Ensure matrix-reminder-bot image is built
-  community.docker.docker_image:
+  community.docker.docker_image_build:
    name: "{{ matrix_bot_matrix_reminder_bot_container_image }}"
-    source: build
-    force_source: "{{ matrix_bot_matrix_reminder_bot_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
-    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_matrix_reminder_bot_git_pull_results.changed }}"
-    build:
-      dockerfile: docker/Dockerfile
-      path: "{{ matrix_bot_matrix_reminder_bot_container_src_files_path }}"
-      pull: true
+    dockerfile: docker/Dockerfile
+    path: "{{ matrix_bot_matrix_reminder_bot_container_src_files_path }}"
+    pull: true
+    rebuild: "{{ 'always' if matrix_bot_matrix_reminder_bot_git_pull_results.changed | bool else 'never' }}"
  when: "matrix_bot_matrix_reminder_bot_container_image_self_build | bool"
+  register: matrix_bot_matrix_reminder_bot_container_image_build_result

 - name: Ensure matrix-reminder-bot config installed
  ansible.builtin.copy:
@@ -118,6 +114,7 @@
        or matrix_bot_matrix_reminder_bot_config_result.changed | default(false)
        or matrix_bot_matrix_reminder_bot_systemd_service_result.changed | default(false)
        or matrix_bot_matrix_reminder_bot_container_image_pull_result.changed | default(false)
+        or matrix_bot_matrix_reminder_bot_container_image_build_result.changed | default(false)
      }}

 - name: Ensure matrix-bot-matrix-reminder-bot.service restarted, if necessary
@@ -23,6 +23,7 @@
    - {'old': 'matrix_bot_matrix_reminder_bot_docker_repo', 'new': 'matrix_bot_matrix_reminder_bot_container_repo'}
    - {'old': 'matrix_bot_matrix_reminder_bot_docker_repo_version', 'new': 'matrix_bot_matrix_reminder_bot_container_repo_version'}
    - {'old': 'matrix_bot_matrix_reminder_bot_docker_src_files_path', 'new': 'matrix_bot_matrix_reminder_bot_container_src_files_path'}
+    - {'old': 'matrix_bot_matrix_reminder_bot_container_image_force_pull', 'new': '<removed> (the new community.docker.docker_image_pull module handles this natively)'}

 - name: Fail if required matrix-reminder-bot settings not defined
  ansible.builtin.fail:
@@ -35,7 +35,6 @@ matrix_bot_maubot_container_image: "{{ matrix_bot_maubot_container_image_registr
 matrix_bot_maubot_container_image_registry_prefix: "{{ 'localhost/' if matrix_bot_maubot_container_image_self_build else matrix_bot_maubot_container_image_registry_prefix_upstream }}"
 matrix_bot_maubot_container_image_registry_prefix_upstream: "{{ matrix_bot_maubot_container_image_registry_prefix_upstream_default }}"
 matrix_bot_maubot_container_image_registry_prefix_upstream_default: "dock.mau.dev/"
-matrix_bot_maubot_container_image_force_pull: "{{ matrix_bot_maubot_container_image.endswith(':latest') }}"

 # matrix_bot_maubot_container_image_customized is the name of the locally built maubot image
 # which adds various customizations on top of the original (upstream) maubot image.
@@ -79,12 +78,10 @@ matrix_bot_maubot_database_sslmode: disable

 matrix_bot_maubot_database_connection_string: postgres://{{ matrix_bot_maubot_database_username }}:{{ matrix_bot_maubot_database_password }}@{{ matrix_bot_maubot_database_hostname }}:{{ matrix_bot_maubot_database_port }}/{{ matrix_bot_maubot_database_name }}?sslmode={{ matrix_bot_maubot_database_sslmode }}

-matrix_bot_maubot_database_uri: "{{
- 	{
- 		'sqlite': ('sqlite:///' + matrix_bot_maubot_sqlite_database_path_in_container),
- 		'postgres': matrix_bot_maubot_database_connection_string,
- 	}[matrix_bot_maubot_database_engine]
-    }}"
+matrix_bot_maubot_database_uri: "{{ {
+    'sqlite': ('sqlite:///' + matrix_bot_maubot_sqlite_database_path_in_container),
+    'postgres': matrix_bot_maubot_database_connection_string,
+}[matrix_bot_maubot_database_engine] }}"

 # Defines the port number where the management interface is
 # To actually expose the management interface outside of the container, use `matrix_bot_maubot_container_management_interface_http_bind_port`
@@ -37,11 +37,9 @@
  register: matrix_bot_maubot_config_result

 - name: Ensure maubot image is pulled
-  community.docker.docker_image:
+  community.docker.docker_image_pull:
    name: "{{ matrix_bot_maubot_container_image }}"
-    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
-    force_source: "{{ matrix_bot_maubot_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
-    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_maubot_container_image_force_pull }}"
+    pull: always
  when: "not matrix_bot_maubot_container_image_self_build|bool"
  register: matrix_bot_maubot_container_image_pull_result
  retries: "{{ devture_playbook_help_container_retries_count }}"
@@ -61,15 +59,13 @@
      register: matrix_bot_maubot_git_pull_results

    - name: Ensure maubot image is built
-      community.docker.docker_image:
+      community.docker.docker_image_build:
        name: "{{ matrix_bot_maubot_container_image }}"
-        source: build
-        force_source: "{{ matrix_bot_maubot_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
-        force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_maubot_git_pull_results.changed }}"
-        build:
-          dockerfile: Dockerfile
-          path: "{{ matrix_bot_maubot_container_src_files_path }}"
-          pull: true
+        dockerfile: Dockerfile
+        path: "{{ matrix_bot_maubot_container_src_files_path }}"
+        pull: true
+        rebuild: "{{ 'always' if matrix_bot_maubot_git_pull_results.changed | bool else 'never' }}"
+      register: matrix_bot_maubot_container_image_build_result

 - when: "matrix_bot_maubot_container_image_customizations_enabled | bool"
  block:
@@ -83,14 +79,12 @@
      register: matrix_bot_maubot_container_image_customizations_dockerfile_result

    - name: Ensure customized Docker image for maubot is built
-      community.docker.docker_image:
+      community.docker.docker_image_build:
        name: "{{ matrix_bot_maubot_container_image_customized }}"
-        source: build
-        force_source: "{{ matrix_bot_maubot_container_image_customizations_dockerfile_result.changed or matrix_bot_maubot_container_image_customized_force_source }}"
-        build:
-          dockerfile: Dockerfile
-          path: "{{ matrix_bot_maubot_customized_container_src_files_path }}"
-          nocache: "{{ matrix_bot_maubot_container_image_customized_build_nocache }}"
+        dockerfile: Dockerfile
+        path: "{{ matrix_bot_maubot_customized_container_src_files_path }}"
+        nocache: "{{ matrix_bot_maubot_container_image_customized_build_nocache }}"
+        rebuild: "{{ 'always' if (matrix_bot_maubot_container_image_customizations_dockerfile_result.changed or matrix_bot_maubot_container_image_customized_force_source) | bool else 'never' }}"

 - name: Ensure maubot support files installed
  ansible.builtin.template:
@@ -125,4 +119,5 @@
        or matrix_bot_maubot_support_files_result.changed | default(false)
        or matrix_bot_maubot_systemd_service_result.changed | default(false)
        or matrix_bot_maubot_container_image_pull_result.changed | default(false)
+        or matrix_bot_maubot_container_image_build_result.changed | default(false)
      }}
@@ -31,6 +31,7 @@
    - {'old': 'matrix_bot_maubot_docker_repo_version', 'new': 'matrix_bot_maubot_container_repo_version'}
    - {'old': 'matrix_bot_maubot_docker_src_files_path', 'new': 'matrix_bot_maubot_container_src_files_path'}
    - {'old': 'matrix_bot_maubot_customized_docker_src_files_path', 'new': 'matrix_bot_maubot_customized_container_src_files_path'}
+    - {'old': 'matrix_bot_maubot_container_image_force_pull', 'new': '<removed> (the new community.docker.docker_image_pull module handles this natively)'}

 - name: Fail if required maubot settings not defined
  ansible.builtin.fail:
--- a/Show More
+++ b/Show More