Merge branch 'master' into master

docs/configuring-playbook-bridge-mautrix-facebook.md

@@ -2,16 +2,37 @@
 
 The playbook can install and configure [mautrix-facebook](https://github.com/tulir/mautrix-facebook) for you.
 
-See the project's [documentation](https://github.com/tulir/mautrix-facebook/wiki#usage) to learn what it does and why it might be useful to you.
+See the project's [documentation](https://github.com/tulir/mautrix-facebook/blob/master/ROADMAP.md) to learn what it does and why it might be useful to you.
 
 ```yaml
 matrix_mautrix_facebook_enabled: true
 ```
 
+There are some additional things you may wish to configure about the bridge before you continue.
+
+Encryption support is off by default. If you would like to enable encryption, add the following to your `vars.yml` file:
+```yaml
+matrix_mautrix_facebook_configuration_extension_yaml: |
+  bridge:
+    encryption:
+      allow: true
+      default: true
+```
+
+If you would like to be able to administrate the bridge from your account it can be configured like this:
+```yaml
+matrix_mautrix_facebook_configuration_extension_yaml: |
+  bridge:
+    permissions:
+      '@YOUR_USERNAME:YOUR_DOMAIN': admin
+```
+
+You may wish to look at `roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2` to find other things you would like to configure.
+
 
 ## Set up Double Puppeting
 
-If you'd like to use [Double Puppeting](https://github.com/tulir/mautrix-facebook/wiki/Authentication#double-puppeting) (hint: you most likely do), you have 2 ways of going about it.
+If you'd like to use [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do), you have 2 ways of going about it.
 
 ### Method 1: automatically, by enabling Shared Secret Auth
 
@@ -42,9 +63,7 @@ https://matrix.DOMAIN/_matrix/client/r0/login
 
 You then need to start a chat with `@facebookbot:YOUR_DOMAIN` (where `YOUR_DOMAIN` is your base domain, not the `matrix.` domain).
 
-Send `login YOUR_FACEBOOK_EMAIL_ADDRESS YOUR_FACEBOOK_PASSWORD` to the bridge bot to enable bridging for your Facebook/Messenger account.
-
-You can learn more here about authentication from the bridge's [official documentation on Authentication](https://github.com/tulir/mautrix-facebook/wiki/Authentication).
+Send `login YOUR_FACEBOOK_EMAIL_ADDRESS` to the bridge bot to enable bridging for your Facebook Messenger account. You can learn more here about authentication from the bridge's [official documentation on Authentication](https://docs.mau.fi/bridges/python/facebook/authentication.html).
 
 If you run into trouble, check the [Troubleshooting](#troubleshooting) section below.
 

docs/configuring-playbook-jitsi.md

@@ -13,8 +13,8 @@ Before installing Jitsi, make sure you've created the `jitsi.DOMAIN` DNS record.
 
 You may also need to open the following ports to your server:
 
-- `10000/udp` - RTP media over UDP
 - `4443/tcp` - RTP media fallback over TCP
+- `10000/udp` - RTP media over UDP. Depending on your firewall/NAT setup, incoming RTP packets on port `10000` may have the external IP of your firewall as destination address, due to the usage of STUN in JVB (see [`matrix_jitsi_jvb_stun_servers`](../roles/matrix-jitsi/defaults/main.yml)).
 
 
 ## Installation

docs/configuring-playbook-synapse-admin.md

@@ -6,6 +6,8 @@ It's a web UI tool you can use to **administrate users and rooms on your Matrix
 
 See the project's [documentation](https://github.com/Awesome-Technologies/synapse-admin) to learn what it does and why it might be useful to you.
 
+**Warning**: Synapse Admin will likely not work with Synapse v1.32 for now. See [this issue](https://github.com/Awesome-Technologies/synapse-admin/issues/132). If you insist on using Synapse Admin before there's a solution to this issue, you may wish to downgrade Synapse (adding `matrix_synapse_version: v1.31.0` or `matrix_synapse_version_arm64: v1.31.0` to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file).
+
 
 ## Adjusting the playbook configuration
 

docs/container-images.md

@@ -11,7 +11,7 @@ These services are enabled and used by default, but you can turn them off, if yo
 
 - [matrixdotorg/synapse](https://hub.docker.com/r/matrixdotorg/synapse/) - the official [Synapse](https://github.com/matrix-org/synapse) Matrix homeserver (optional)
 
-- [instrumentisto/coturn](https://hub.docker.com/r/instrumentisto/coturn/) - the [Coturn](https://github.com/coturn/coturn) STUN/TURN server (optional)
+- [coturn/coturn](https://hub.docker.com/r/coturn/coturn/) - the [Coturn](https://github.com/coturn/coturn) STUN/TURN server (optional)
 
 - [vectorim/element-web](https://hub.docker.com/r/vectorim/element-web/) - the [Element](https://element.io/) web client (optional)
 

docs/faq.md

@@ -297,7 +297,7 @@ matrix_coturn_enabled: false
 # hundreds of servers inside is insanely heavy (https://github.com/matrix-org/synapse/issues/3971).
 #
 # If your server does not federate with hundreds of others, enabling this doesn't hurt much.
-matrix_synapse_use_presence: false
+matrix_synapse_presence_enabled: false
 ```
 
 You can also consider implementing a restriction on room complexity, in order to prevent users from joining very heavy rooms:

docs/maintenance-synapse.md

@@ -74,7 +74,7 @@ You should then be able to browse the adminer database administration GUI at htt
 
 ## Make Synapse faster
 
-Synapse's presence feature which tracks which users are online and which are offline can use a lot of processing power. You can disable presence by adding `matrix_synapse_use_presence: false` to your `vars.yml` file.
+Synapse's presence feature which tracks which users are online and which are offline can use a lot of processing power. You can disable presence by adding `matrix_synapse_presence_enabled: false` to your `vars.yml` file.
 
 Tuning Synapse's cache factor can help reduce RAM usage. [See the upstream documentation](https://github.com/matrix-org/synapse#help-synapse-is-slow-and-eats-all-my-ram-cpu) for more information on what value to set the cache factor to. Use the variable `matrix_synapse_caches_global_factor` to set the cache factor.
 

docs/prerequisites.md

@@ -34,7 +34,6 @@ If your distro runs within an [LXC container](https://linuxcontainers.org/), you
   - `5349/udp`: TURN over UDP (used by Coturn)
   - `8448/tcp`: Matrix Federation API HTTPS webserver. In some cases, this **may necessary even with federation disabled**. Integration Servers (like Dimension) and Identity Servers (like ma1sd) may need to access `openid` APIs on the federation port.
   - the range `49152-49172/udp`: TURN over UDP
-  - `4443/tcp`: Jitsi Harvester fallback
-  - `10000/udp`: Jitsi video RTP. Depending on your firewall/NAT setup, incoming RTP packets on port `10000` may have the external IP of your firewall as destination address, due to the usage of STUN in JVB (see [`matrix_jitsi_jvb_stun_servers`](../roles/matrix-jitsi/defaults/main.yml)).
+  - potentially some other ports, depending on the additional (non-default) services that you enable in the **configuring the playbook** step (later on). Consult each service's documentation page in `docs/` for that.
 
 When ready to proceed, continue with [Configuring DNS](configuring-dns.md).

group_vars/matrix_servers

@@ -64,7 +64,7 @@ matrix_appservice_discord_enabled: false
 matrix_appservice_discord_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9005' }}"
 
 # If the homeserver disables presence, it's likely better (less wasteful) to also disable presence on the bridge side.
-matrix_appservice_discord_bridge_disablePresence: "{{ matrix_synapse_use_presence }}"
+matrix_appservice_discord_bridge_disablePresence: "{{ not matrix_synapse_presence_enabled }}"
 
 matrix_appservice_discord_systemd_required_services_list: |
   {{
@@ -188,7 +188,7 @@ matrix_appservice_irc_container_http_host_bind_port: "{{ '' if matrix_nginx_prox
 
 # The IRC bridge docs say that if homeserver presence is disabled, it's better to also disable
 # IRC bridge presence, for performance reasons.
-matrix_appservice_irc_homeserver_enablePresence: "{{ matrix_synapse_use_presence }}"
+matrix_appservice_irc_homeserver_enablePresence: "{{ matrix_synapse_presence_enabled }}"
 
 matrix_appservice_irc_systemd_required_services_list: |
   {{
@@ -242,7 +242,7 @@ matrix_mautrix_facebook_homeserver_token: "{{ matrix_synapse_macaroon_secret_key
 
 matrix_mautrix_facebook_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
 
-matrix_mautrix_facebook_bridge_presence: "{{ matrix_synapse_use_presence if matrix_synapse_enabled else true }}"
+matrix_mautrix_facebook_bridge_presence: "{{ matrix_synapse_presence_enabled if matrix_synapse_enabled else true }}"
 
 # We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain
 # and point them to a migration path.
@@ -325,7 +325,7 @@ matrix_mautrix_instagram_homeserver_token: "{{ matrix_synapse_macaroon_secret_ke
 
 matrix_mautrix_instagram_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
 
-matrix_mautrix_instagram_bridge_presence: "{{ matrix_synapse_use_presence if matrix_synapse_enabled else true }}"
+matrix_mautrix_instagram_bridge_presence: "{{ matrix_synapse_presence_enabled if matrix_synapse_enabled else true }}"
 
 # We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain
 # and point them to a migration path.
@@ -1211,7 +1211,7 @@ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ m
 
 matrix_nginx_proxy_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}"
 
-matrix_nginx_proxy_synapse_presence_disabled: "{{ not matrix_synapse_use_presence }}"
+matrix_nginx_proxy_synapse_presence_disabled: "{{ not matrix_synapse_presence_enabled }}"
 
 matrix_nginx_proxy_synapse_workers_enabled: "{{ matrix_synapse_workers_enabled }}"
 matrix_nginx_proxy_synapse_workers_list: "{{ matrix_synapse_workers_enabled_list }}"
@@ -1527,7 +1527,7 @@ matrix_client_element_registration_enabled: "{{ matrix_synapse_enable_registrati
 matrix_client_element_enable_presence_by_hs_url: |
   {{
     none
-    if matrix_synapse_use_presence
+    if matrix_synapse_presence_enabled
     else {matrix_client_element_default_hs_url: false}
   }}
 
@@ -1675,11 +1675,6 @@ matrix_synapse_admin_container_self_build: "{{ matrix_architecture != 'amd64' }}
 
 matrix_prometheus_node_exporter_enabled: false
 
-# Normally, matrix-nginx-proxy is enabled and nginx can reach Prometheus Node Exporter over the container network.
-# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
-# Prometheus' HTTP port to the local host.
-matrix_prometheus_node_exporter_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9200' }}"
-
 ######################################################################
 #
 # /matrix-prometheus-node-exporter
@@ -1706,6 +1701,7 @@ matrix_prometheus_scraper_synapse_targets: ['matrix-synapse:{{ matrix_synapse_me
 matrix_prometheus_scraper_synapse_rules_synapse_tag: "{{ matrix_synapse_docker_image_tag }}"
 
 matrix_prometheus_scraper_node_enabled: "{{ matrix_prometheus_node_exporter_enabled }}"
+matrix_prometheus_scraper_node_targets: "{{ ['matrix-prometheus-node-exporter:9100'] if matrix_prometheus_node_exporter_enabled else [] }}"
 
 ######################################################################
 #

roles/matrix-awx/surveys/configure_synapse.json.j2

@@ -56,10 +56,10 @@
       "required": false,
       "min": null,
       "max": null,
-      "default": "{{ matrix_synapse_use_presence | string | lower }}",
+      "default": "{{ matrix_synapse_presence_enabled | string | lower }}",
       "choices": "true\nfalse",
       "new_question": true,
-      "variable": "matrix_synapse_use_presence",
+      "variable": "matrix_synapse_presence_enabled",
       "type": "multiplechoice"
     },
     {

roles/matrix-awx/tasks/main.yml

@@ -8,6 +8,15 @@
   tags:
     - always
 
+# Renames the variables if needed
+- include_tasks: 
+    file: "rename_variables.yml"
+    apply:
+      tags: always
+  when: run_setup|bool and matrix_awx_enabled|bool
+  tags:
+    - always
+
 # Perform a backup of the server
 - include_tasks: 
     file: "backup_server.yml"

roles/matrix-awx/tasks/rename_variables.yml

@@ -0,0 +1,8 @@
+
+- name: Rename synapse presence variable
+  delegate_to: 127.0.0.1
+  replace:
+    path: "/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml"
+    regexp: 'matrix_synapse_use_presence'
+    replace: 'matrix_synapse_presence_enabled'
+

roles/matrix-awx/tasks/set_variables_synapse.yml

@@ -21,7 +21,7 @@
     'matrix_synapse_enable_registration': '{{ matrix_synapse_enable_registration }}'
     'matrix_synapse_federation_enabled': '{{ matrix_synapse_federation_enabled }}'
     'matrix_synapse_enable_group_creation': '{{ matrix_synapse_enable_group_creation }}'
-    'matrix_synapse_use_presence': '{{ matrix_synapse_use_presence }}'
+    'matrix_synapse_presence_enabled': '{{ matrix_synapse_presence_enabled }}'
     'matrix_synapse_max_upload_size_mb': '{{ matrix_synapse_max_upload_size_mb }}'
     'matrix_synapse_url_preview_enabled': '{{ matrix_synapse_url_preview_enabled }}'
     'matrix_synapse_allow_guest_access': '{{ matrix_synapse_allow_guest_access }}'

roles/matrix-coturn/defaults/main.yml

@@ -1,10 +1,10 @@
 matrix_coturn_enabled: true
 
 matrix_coturn_container_image_self_build: false
-matrix_coturn_container_image_self_build_repo: "https://github.com/instrumentisto/coturn-docker-image.git"
+matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn/tree/master/docker/coturn/alpine.git"
 
 matrix_coturn_version: 4.5.2
-matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}instrumentisto/coturn:{{ matrix_coturn_version }}"
+matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}coturn/coturn:{{ matrix_coturn_version }}-alpine"
 matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else matrix_container_global_registry_prefix }}"
 matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}"
 

roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2

@@ -17,6 +17,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-coturn \
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--cap-drop=ALL \
+			--cap-add=NET_BIND_SERVICE \
 			--entrypoint=turnserver \
 			--read-only \
 			--tmpfs=/var/tmp:rw,noexec,nosuid,size=100m \

roles/matrix-grafana/defaults/main.yml

@@ -3,7 +3,7 @@
 
 matrix_grafana_enabled: false
 
-matrix_grafana_version: 7.5.2
+matrix_grafana_version: 7.5.4
 matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}"
 matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}"
 

roles/matrix-nginx-proxy/defaults/main.yml

@@ -269,6 +269,16 @@ matrix_nginx_proxy_proxy_sygnal_additional_server_configuration_blocks: []
 # A list of strings containing additional configuration blocks to add to the base domain server configuration (matrix-base-domain.conf).
 matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks: []
 
+# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses for all vhosts meant to be accessed by users.
+#
+# Learn more about what it is here:
+# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea
+# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network
+# - https://amifloced.org/
+#
+# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices.
+matrix_nginx_proxy_floc_optout_enabled: true
+
 # Specifies the SSL configuration that should be used for the SSL protocols and ciphers
 # This is based on the Mozilla Server Side TLS Recommended configurations.
 #

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2

@@ -5,6 +5,11 @@
 
 	gzip on;
 	gzip_types text/plain application/json;
+
+	{% if matrix_nginx_proxy_floc_optout_enabled %}
+		add_header Permissions-Policy interest-cohort=() always;
+	{% endif %}
+
 	{% for configuration_block in matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks %}
 		{{- configuration_block }}
 	{% endfor %}

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2

@@ -3,8 +3,10 @@
 {% macro render_vhost_directives() %}
 	gzip on;
 	gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
+
 	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
 	add_header X-Content-Type-Options nosniff;
+
 {% for configuration_block in matrix_nginx_proxy_proxy_bot_go_neb_additional_server_configuration_blocks %}
 	{{- configuration_block }}
 {% endfor %}

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2

@@ -3,12 +3,19 @@
 {% macro render_vhost_directives() %}
 	gzip on;
 	gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
+
 	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
 	add_header X-Content-Type-Options nosniff;
 	add_header X-XSS-Protection "1; mode=block";
 	add_header X-Frame-Options SAMEORIGIN;
 	add_header Content-Security-Policy "frame-ancestors 'none'; require-trusted-types-for 'script'; base-uri 'self'";
 	add_header Referrer-Policy "strict-origin-when-cross-origin";
+
+	{% if matrix_nginx_proxy_floc_optout_enabled %}
+		add_header Permissions-Policy interest-cohort=() always;
+	{% endif %}
+
+
 	{% for configuration_block in matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks %}
 		{{- configuration_block }}
 	{% endfor %}

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2

@@ -3,8 +3,13 @@
 {% macro render_vhost_directives() %}
 	gzip on;
 	gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
+
 	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
 	add_header X-Content-Type-Options nosniff;
+	{% if matrix_nginx_proxy_floc_optout_enabled %}
+		add_header Permissions-Policy interest-cohort=() always;
+	{% endif %}
+
 {% for configuration_block in matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks %}
 	{{- configuration_block }}
 {% endfor %}

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2

@@ -17,6 +17,10 @@
 	gzip on;
 	gzip_types text/plain application/json;
 
+	{% if matrix_nginx_proxy_floc_optout_enabled %}
+		add_header Permissions-Policy interest-cohort=() always;
+	{% endif %}
+
 	location /.well-known/matrix {
 		root {{ matrix_static_files_base_path }};
 		{#

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2

@@ -3,13 +3,19 @@
 {% macro render_vhost_directives() %}
 	gzip on;
 	gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
+
 	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
 	# duplicate X-Content-Type-Options & X-Frame-Options header
 	# Enabled by grafana by default
 	# add_header X-Content-Type-Options nosniff;
 	# add_header X-Frame-Options SAMEORIGIN;
 	add_header Referrer-Policy "strict-origin-when-cross-origin";
+	{% if matrix_nginx_proxy_floc_optout_enabled %}
+		add_header Permissions-Policy interest-cohort=() always;
+	{% endif %}
+
 	proxy_cookie_path / "/; HTTPOnly; Secure";
+
 	{% for configuration_block in matrix_nginx_proxy_proxy_grafana_additional_server_configuration_blocks %}
 		{{- configuration_block }}
 	{% endfor %}

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2

@@ -3,8 +3,13 @@
 {% macro render_vhost_directives() %}
 	gzip on;
 	gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
+
 	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
 	add_header X-Content-Type-Options nosniff;
+	{% if matrix_nginx_proxy_floc_optout_enabled %}
+		add_header Permissions-Policy interest-cohort=() always;
+	{% endif %}
+
 {% for configuration_block in matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks %}
 	{{- configuration_block }}
 {% endfor %}

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2

@@ -1,6 +1,10 @@
 #jinja2: lstrip_blocks: "True"
 
 {% macro render_vhost_directives() %}
+	{% if matrix_nginx_proxy_floc_optout_enabled %}
+		add_header Permissions-Policy interest-cohort=() always;
+	{% endif %}
+
 	{% for configuration_block in matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks %}
 		{{- configuration_block }}
 	{% endfor %}

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2

@@ -3,9 +3,11 @@
 {% macro render_vhost_directives() %}
 	gzip on;
 	gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
+
 	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
 	add_header X-Content-Type-Options nosniff;
 	add_header X-Frame-Options DENY;
+
 {% for configuration_block in matrix_nginx_proxy_proxy_sygnal_additional_server_configuration_blocks %}
 	{{- configuration_block }}
 {% endfor %}

roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2

@@ -48,6 +48,8 @@ http {
 
 	keepalive_timeout 65;
 
+	server_tokens off;
+
 	#gzip on;
 	{# Map directive needed for proxied WebSocket upgrades #}
 	map $http_upgrade $connection_upgrade {

roles/matrix-prometheus-node-exporter/defaults/main.yml

@@ -19,4 +19,16 @@ matrix_prometheus_node_exporter_systemd_wanted_services_list: []
 # Controls whether the matrix-prometheus container exposes its HTTP port (tcp/9100 in the container).
 #
 # Takes an "<ip>:<port>" value (e.g. "127.0.0.1:9100"), or empty string to not expose.
+#
+# Official recommendations are to run this container with `--net=host`,
+# but we don't do that, since it:
+# - likely exposes the metrics web server way too publicly (before applying https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1008)
+# - or listens on a loopback interface only (--net=host and 127.0.0.1:9100), which is not reachable from another container (like `matrix-prometheus`)
+#
+# Using `--net=host` and binding to Docker's `matrix` bridge network may be a solution to both,
+# but that's trickier to accomplish and won't necessarily work (hasn't been tested).
+#
+# Not using `--net=host` means that our network statistic reports are likely broken (inaccurate),
+# because node-exporter can't see all interfaces, etc.
+# For now, we'll live with that, until someone develops a better solution.
 matrix_prometheus_node_exporter_container_http_host_bind_port: ''

roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2

@@ -25,15 +25,13 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-prometheus-nod
 			{% for arg in matrix_prometheus_node_exporter_container_extra_arguments %}
 			{{ arg }} \
 			{% endfor %}
-			--net=host \
+			--network={{ matrix_docker_network }} \
+			{% if matrix_prometheus_node_exporter_container_http_host_bind_port %}
+			-p {{ matrix_prometheus_node_exporter_container_http_host_bind_port }}:9100 \
+			{% endif %}
 			--pid=host \
 			--mount type=bind,src=/,dst=/host,ro,bind-propagation=rslave \
 			{{ matrix_prometheus_node_exporter_docker_image }} \
-			{% if matrix_prometheus_node_exporter_container_http_host_bind_port %}
-			--web.listen-address={{ matrix_prometheus_node_exporter_container_http_host_bind_port }} \
-			{% else %}
-			--web.listen-address=localhost:9100 \
-			{% endif %}
 			--path.rootfs=/host
 
 ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus-node-exporter 2>/dev/null'

roles/matrix-prometheus/tasks/setup_install.yml

@@ -19,24 +19,6 @@
     - "{{ matrix_prometheus_config_path }}"
     - "{{ matrix_prometheus_data_path }}"
 
-- block:
-    # Well, this actually creates the network if it doesn't exist, but..
-    # The network should have been created by `matrix-base` already.
-    # We don't rely on that other call and its result, because it runs
-    # on `--tags=setup-all`, but will get skipped during `--tags=setup-prometheus`.
-    - name: Fetch Matrix Docker network details
-      docker_network:
-        name: "{{ matrix_docker_network }}"
-        driver: bridge
-      register: matrix_docker_network_info
-
-    # The `matrix_docker_network_info.ansible_facts.docker_network` workaroudn is for Ansible <= 2.8.
-    # See: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/907
-    - set_fact:
-        matrix_prometheus_scraper_node_targets: ["{{ matrix_docker_network_info.network|default(matrix_docker_network_info.ansible_facts.docker_network).IPAM.Config[0].Gateway }}:9100"]
-  when: "matrix_prometheus_scraper_node_enabled|bool and matrix_prometheus_scraper_node_targets|length == 0"
-
-
 - name: Download synapse-v2.rules
   get_url:
     url: "{{ matrix_prometheus_scraper_synapse_rules_download_url }}"

roles/matrix-synapse-admin/defaults/main.yml

@@ -8,7 +8,7 @@ matrix_synapse_admin_container_self_build_repo: "https://github.com/Awesome-Tech
 
 matrix_synapse_admin_docker_src_files_path: "{{ matrix_base_data_path }}/synapse-admin/docker-src"
 
-matrix_synapse_admin_version: 0.7.0
+matrix_synapse_admin_version: 0.7.2
 matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:{{ matrix_synapse_admin_version }}"
 matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_self_build else matrix_container_global_registry_prefix }}"
 matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}"

roles/matrix-synapse/defaults/main.yml

@@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont
 # amd64 gets released first.
 # arm32 relies on self-building, so the same version can be built immediately.
 # arm64 users need to wait for a prebuilt image to become available.
-matrix_synapse_version: v1.31.0
-matrix_synapse_version_arm64: v1.31.0
+matrix_synapse_version: v1.32.2
+matrix_synapse_version_arm64: v1.32.2
 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}"
 matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"
 
@@ -170,7 +170,7 @@ matrix_synapse_report_stats: false
 # Controls whether the Matrix server will track presence status (online, offline, unavailable) for users.
 # If users participate in large rooms with many other servers,
 # disabling this will decrease server load significantly.
-matrix_synapse_use_presence: true
+matrix_synapse_presence_enabled: true
 
 # Controls whether accessing the server's public rooms directory can be done without authentication.
 # For private servers, you most likely wish to require authentication,

roles/matrix-synapse/tasks/validate_config.yml

@@ -47,6 +47,7 @@
     - {'old': 'matrix_synapse_container_expose_metrics_port', 'new': '<superseded by matrix_synapse_container_metrics_api_host_bind_port>'}
     - {'old': 'matrix_synapse_cache_factor', 'new': 'matrix_synapse_caches_global_factor'}
     - {'old': 'matrix_synapse_trusted_third_party_id_servers', 'new': '<deprecated in Synapse v0.99.4 and removed in Synapse v1.19.0>'}
+    - {'old': 'matrix_synapse_use_presence', 'new': 'matrix_synapse_presence_enabled'}
 
 - name: (Deprecation) Catch and report renamed settings in matrix_synapse_configuration_extension_yaml
   fail:

roles/matrix-synapse/templates/synapse/homeserver.yaml.j2

@@ -58,9 +58,28 @@ public_baseurl: https://{{ matrix_server_fqn_matrix }}/
 #
 #soft_file_limit: 0
 
-# Set to false to disable presence tracking on this homeserver.
+# Presence tracking allows users to see the state (e.g online/offline)
+# of other local and remote users.
 #
-use_presence: {{ matrix_synapse_use_presence|to_json }}
+presence:
+  # Uncomment to disable presence tracking on this homeserver. This option
+  # replaces the previous top-level 'use_presence' option.
+  #
+  enabled: {{ matrix_synapse_presence_enabled|to_json }}
+
+  # Presence routers are third-party modules that can specify additional logic
+  # to where presence updates from users are routed.
+  #
+  presence_router:
+    # The custom module's class. Uncomment to use a custom presence router module.
+    #
+    #module: "my_custom_router.PresenceRouter"
+
+    # Configuration options of the custom module. Refer to your module's
+    # documentation for available options.
+    #
+    #config:
+    #  example_option: 'something'
 
 # Whether to require authentication to retrieve profile data (avatars,
 # display names) of other users through the client API. Defaults to
@@ -1252,9 +1271,9 @@ registrations_require_3pid: {{ matrix_synapse_registrations_require_3pid|to_json
 #
 #allowed_local_3pids:
 #  - medium: email
-#    pattern: '.*@matrix\.org'
+#    pattern: '^[^@]+@matrix\.org$'
 #  - medium: email
-#    pattern: '.*@vector\.im'
+#    pattern: '^[^@]+@vector\.im$'
 #  - medium: msisdn
 #    pattern: '\+44'
 {% if matrix_synapse_allowed_local_3pids|length > 0 %}
@@ -1467,14 +1486,31 @@ report_stats: {{ matrix_synapse_report_stats|to_json }}
 
 ## API Configuration ##
 
-# A list of event types that will be included in the room_invite_state
+# Controls for the state that is shared with users who receive an invite
+# to a room
 #
-#room_invite_state_types:
-#  - "m.room.join_rules"
-#  - "m.room.canonical_alias"
-#  - "m.room.avatar"
-#  - "m.room.encryption"
-#  - "m.room.name"
+room_prejoin_state:
+   # By default, the following state event types are shared with users who
+   # receive invites to the room:
+   #
+   # - m.room.join_rules
+   # - m.room.canonical_alias
+   # - m.room.avatar
+   # - m.room.encryption
+   # - m.room.name
+   #
+   # Uncomment the following to disable these defaults (so that only the event
+   # types listed in 'additional_event_types' are shared). Defaults to 'false'.
+   #
+   #disable_default_event_types: true
+
+   # Additional state event types to share with users when they are invited
+   # to a room.
+   #
+   # By default, this list is empty (so only the default event types are shared).
+   #
+   #additional_event_types:
+   #  - org.example.custom.event.type
 
 
 # A list of application service config files to use

roles/matrix-synapse/vars/main.yml

@@ -6,7 +6,6 @@ matrix_synapse_federation_api_url_endpoint_public: "https://{{ matrix_server_fqn
 # Tells whether this role had executed or not. Toggled to `true` during runtime.
 matrix_synapse_role_executed: false
 
-matrix_synapse_media_store_parent_path: "{{ matrix_synapse_media_store_path|dirname }}"
 matrix_synapse_media_store_directory_name: "{{ matrix_synapse_media_store_path|basename }}"
 
 # A Synapse generic worker can handle both federation and client-server API endpoints.