Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy

6 years ago · 4315b472af
parent 79ad60cf0a 9d14e2dcb1
commit 4315b472af
75 changed files with 617 additions and 46 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,3 +1,33 @@
+# 2019-05-09
+
+Besides a myriad of bug fixes and minor improvements, here are the more notable (bigger) features we can announce today.
+
+## Mautrix Facebook/Messenger bridging support
+
+The playbook now supports bridging with [Facebook](https://www.facebook.com/) by installing the [mautrix-facebook](https://github.com/tulir/mautrix-facebook) bridge. This playbook functionality is available thanks to [@izissise](https://github.com/izissise).
+
+Additional details are available in [Setting up Mautrix Facebook bridging](docs/configuring-playbook-bridge-mautrix-facebook.md).
+
+## mxisd Registration feature integration
+
+The playbook can now help you integrate with mxisd's [Registration](https://github.com/kamax-matrix/mxisd/blob/master/docs/features/registration.md) feature.
+
+Learn more in [mxisd-controlled Registration](docs/configuring-playbook-mxisd.md#mxisd-controlled-registration).
+
+
+# 2019-04-16
+
+## Caddy webserver examples
+
+If you prefer using the [Caddy](https://caddyserver.com/) webserver instead of our own integrated nginx, we now have examples for it in the [`examples/caddy`](examples/caddy) directory
+
+# 2019-04-10
+
+## Goofys support for other S3-compatible object stores
+
+Until now, you could optionally host Synapse's media repository on Amazon S3, but we now also support [using other S3-compatible object stores](docs/configuring-playbook-s3.md),
+
+
 # 2019-04-03

 ## Ansible >= 2.5 is required
--- a/README.md
+++ b/README.md
@ -38,6 +38,8 @@ Using this playbook, you can get the following services configured on your serve

 - (optional) the [mautrix-whatsapp](https://github.com/tulir/mautrix-whatsapp) bridge for bridging your Matrix server to [Whatsapp](https://www.whatsapp.com/)

+- (optional) the [mautrix-facebook](https://github.com/tulir/mautrix-facebook) bridge for bridging your Matrix server to [facebook](https://facebook.com/)
+
 - (optional) the [matrix-appservice-irc](https://github.com/TeDomum/matrix-appservice-irc) bridge for bridging your Matrix server to [IRC](https://wikipedia.org/wiki/Internet_Relay_Chat)

 - (optional) the [matrix-appservice-discord](https://github.com/Half-Shot/matrix-appservice-discord) bridge for bridging your Matrix server to [Discord](https://discordapp.com/)
@ -116,6 +118,8 @@ This playbook sets up your server using the following Docker images:

 - [tulir/mautrix-whatsapp](https://hub.docker.com/r/tulir/mautrix-whatsapp/) - the [mautrix-whatsapp](https://github.com/tulir/mautrix-whatsapp) bridge to [Whatsapp](https://www.whatsapp.com/) (optional)

+- [tulir/mautrix-facebook](https://hub.docker.com/r/tulir/mautrix-facebook/) - the [mautrix-facebook](https://github.com/tulir/mautrix-facebook) bridge to [Facebook](https://facebook.com/) (optional)
+
 - [tedomum/matrix-appservice-irc](https://hub.docker.com/r/tedomum/matrix-appservice-irc/) - the [matrix-appservice-irc](https://github.com/TeDomum/matrix-appservice-irc) bridge to [IRC](https://wikipedia.org/wiki/Internet_Relay_Chat) (optional)

 - [halfshot/matrix-appservice-discord](https://hub.docker.com/r/halfshot/matrix-appservice-discord) - the [matrix-appservice-discord](https://github.com/Half-Shot/matrix-appservice-discord) bridge to [Discord](https://discordapp.com/) (optional)
--- a/docs/README.md
+++ b/docs/README.md
@ -12,6 +12,8 @@

 - [Registering users](registering-users.md)

+- [Updating users passwords](updating-users-passwords.md)
+
 - [Configuring service discovery via .well-known](configuring-well-known.md)

 - [Maintenance / checking if services work](maintenance-checking-services.md)
--- a/docs/configuring-dns.md
+++ b/docs/configuring-dns.md
@ -54,9 +54,9 @@ The SRV record should look like this:
 - Name: `_matrix._tcp` (use this text as-is)
 - Content: `10 0 8448 matrix.<your-domain>` (replace `<your-domain>` with your own)

-A [new file-based mechanism for Federation Server Discovery](configuring-well-known.md#introduction-to-federation-server-discovery) is superseding the `_matrix._tcp` SRV record. **During the transition phase, you'll need to set up both mechanisms**. We'll instruct you how to set up the file-based mechanism after the [installation phase](installing.md) for this playbook.
+A [new file-based mechanism for Federation Server Discovery](configuring-well-known.md#introduction-to-federation-server-discovery) is superseding the `_matrix._tcp` SRV record for our use case. **During the transition phase, you'll need to set up both mechanisms**. We'll instruct you how to set up the file-based mechanism after the [installation phase](installing.md) for this playbook.

-Doing delegation/redirection of Matrix services using a DNS SRV record (`_matrix._tcp`) is a **temporary measure** that is only necessary before Synapse v1.0 is released.
+Doing delegation/redirection of Matrix services using a DNS SRV record (`_matrix._tcp`) is a **temporary measure** for our use-case, that will only be necessary before Synapse v1.0 is released.

 As more and more people upgrade to the Synapse v0.99 transitional release and just before the final Synapse v1.0 gets released, at some point in the near future **you will need to remove the `_matrix._tcp` SRV record** and leave only the [new file-based mechanism for Federation Server Discovery](configuring-well-known.md#introduction-to-federation-server-discovery) in place.

--- a/docs/configuring-playbook-bridge-mautrix-facebook.md
+++ b/docs/configuring-playbook-bridge-mautrix-facebook.md
@ -0,0 +1,11 @@
+# Setting up Mautrix Facebook (optional)
+
+The playbook can install and configure [mautrix-facebook](https://github.com/tulir/mautrix-facebook) for you.
+
+See the project's [documentation](https://github.com/tulir/mautrix-facebook/wiki#usage) to learn what it does and why it might be useful to you.
+
+```yaml
+matrix_mautrix_facebook_enabled: true
+```
+
+You then need to start a chat with `@facebookbot:YOUR_DOMAIN` (where `YOUR_DOMAIN` is your base domain, not the `matrix.` domain).
--- a/docs/configuring-playbook-mxisd.md
+++ b/docs/configuring-playbook-mxisd.md
@ -24,6 +24,19 @@ If you'd like to change the default email templates used by mxisd, take a look a
 (in the `roles/matrix-mxisd/defaults/main.yml` file.


+## mxisd-controlled Registration
+
+To use the [Registration](https://github.com/kamax-matrix/mxisd/blob/master/docs/features/registration.md) feature of mxisd, you can make use of the following variables:
+
+- `matrix_synapse_enable_registration` - to enable user-initiated registration in Synapse
+
+- `matrix_synapse_registrations_require_3pid` - to control the types of 3pid (`'email'`, `'msisdn'`) required by the Synapse server for registering
+
+- variables prefixed with `matrix_nginx_proxy_proxy_matrix_3pid_registration_` (e.g. `matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled`) - to configure the integrated nginx webserver to send registration requests to mxisd (instead of Synapse), so it can apply its additional functionality
+
+- `matrix_mxisd_configuration_extension_yaml` - to configure mxisd as required. See the [Registration feature's docs](https://github.com/kamax-matrix/mxisd/blob/master/docs/features/registration.md) for inspiration. Also see the [Additional features](#additional-features) section below to learn more about how to use `matrix_mxisd_configuration_extension_yaml`.
+
+
 ## Additional features

 What this playbook configures for your is some bare minimum Identity Server functionality, so that you won't need to rely on external 3rd party services.
--- a/docs/configuring-playbook-s3.md
+++ b/docs/configuring-playbook-s3.md
@ -3,9 +3,11 @@
 By default, this playbook configures your server to store Synapse's content repository (`media_store`) files on the local filesystem.
 If that's alright, you can skip this.

-If you'd like to store Synapse's content repository (`media_store`) files on Amazon S3,
+If you'd like to store Synapse's content repository (`media_store`) files on Amazon S3 (or other S3-compatible service),
 you can let this playbook configure [Goofys](https://github.com/kahing/goofys) for you.

+## Amazon S3
+
 You'll need an Amazon S3 bucket and some IAM user credentials (access key + secret key) with full write access to the bucket. Example security policy:

 ```json
@ -37,3 +39,13 @@ matrix_s3_media_store_aws_access_key: "access-key-goes-here"
 matrix_s3_media_store_aws_secret_key: "secret-key-goes-here"
 matrix_s3_media_store_region: "eu-central-1"
 ```
+
+
+## Using other S3-compatible object stores
+
+You can use any S3-compatible object store by **additionally** configuring these variables:
+
+```yaml
+matrix_s3_media_store_custom_endpoint_enabled: true
+matrix_s3_media_store_custom_endpoint: "your-custom-endpoint"
+```
--- a/docs/configuring-playbook.md
+++ b/docs/configuring-playbook.md
@ -77,6 +77,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins

 - [Setting up Mautrix Whatsapp bridging](configuring-playbook-bridge-mautrix-whatsapp.md) (optional)

+- [Setting up Mautrix Facebook bridging](configuring-playbook-bridge-mautrix-facebook.md) (optional)
+
 - [Setting up Appservice IRC bridging](configuring-playbook-bridge-appservice-irc.md) (optional)

 - [Setting up Appservice Discord bridging](configuring-playbook-bridge-appservice-discord.md) (optional)
--- a/docs/configuring-well-known.md
+++ b/docs/configuring-well-known.md
@ -13,15 +13,19 @@ There are 2 types of well-known service discovery that Matrix makes use of:

 All services created by this playbook are meant to be installed on their own server (such as `matrix.<your-domain>`).

-As [per the Server-Server specification](https://matrix.org/docs/spec/server_server/r0.1.0.html#server-discovery), to use a Matrix user identifier like `@<username>:<your-domain>` while hosting services on a subdomain like `matrix.<your-domain>`, we need to instruct the Matrix network of such a delegation/redirection by means of setting up a `/.well-known/matrix/server` file on the base domain (`<your-domain.com>).
+As [per the Server-Server specification](https://matrix.org/docs/spec/server_server/r0.1.0.html#server-discovery), to use a Matrix user identifier like `@<username>:<your-domain>` while hosting services on a subdomain like `matrix.<your-domain>`, the Matrix network needs to be instructed of such delegation/redirection.

-We have discussed this same thing already in the "`_matrix._tcp` SRV record setup (temporary requirement)" section of [Configuring DNS](configuring-dns.md).
+Server delegation can be configured using DNS SRV records or by setting up a `/.well-known/matrix/server` file on the base domain (`<your-domain.com>`).

-In short, you are required to set up both a `_matrix._tcp` DNS SRV record and the `/.well-known/matrix/server` file at the moment.
+We have discussed the DNS SRV record method already in the "`_matrix._tcp` SRV record setup (temporary requirement)" section of [Configuring DNS](configuring-dns.md).

-As the Synapse server progresses towards v1.0, only the `/.well-known/matrix/server` file will be used. At that future moment, you would need to remove the `_matrix._tcp` SRV record because Synapse v1.0+ will do the wrong thing if a SRV record exists. During the transitional phase (before Synapse 1.0), we do need to have both a SRV record and a `/.well-known/matrix/server` file, in order to federate correctly with v0.99 and older Synapse versions.
+Both methods have their place and will continue to do so. Usually, you would need to use just one of these delegation methods.
+For simplicity reasons, our setup advocates for the `/.well-known/matrix/server` method and guides you into using that.
+For backward compatibility with older Synapse servers (< v0.99), however, for now you are also required to set up a `_matrix._tcp` DNS SRV record (in addition to the `/.well-known/matrix/server` file on the base domain).

-To learn how to set it up, read the Installing section below.
+As the Synapse server progresses towards v1.0, only the `/.well-known/matrix/server` file will be used by us, unless you have a more special setup necessitating a DNS SRV record. At that future moment, you would need to remove the `_matrix._tcp` SRV record because Synapse v1.0+ will do the wrong thing if a SRV record exists.
+
+To learn how to set up `/.well-known/matrix/server`, read the Installing section below.


 ## Introduction to Client Server Discovery
--- a/docs/maintenance-checking-services.md
+++ b/docs/maintenance-checking-services.md
@ -10,4 +10,4 @@ ansible-playbook -i inventory/hosts setup.yml --tags=self-check

 If it's all green, everything is probably running correctly.

-Besides this self-check, you can also check your server using the [Federation Tester](https://neo.lain.haus/fed-tester/).
+Besides this self-check, you can also check your server using the [Federation Tester](https://federationtester.matrix.org/).
--- a/docs/updating-users-passwords.md
+++ b/docs/updating-users-passwords.md
@ -0,0 +1,19 @@
+# Updating users passwords
+
+If you are using the matrix-postgres container(default), you can do it via this Ansible playbook (make sure to edit the `<your-username>` and `<your-password>` part below):
+
+	ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=<your-username> password=<your-password>' --tags=update-user-password
+
+**Note**: `<your-username>` is just a plain username (like `john`), not your full `@<username>:<your-domain>` identifier.
+
+**You can then log in with that user** via the riot-web service that this playbook has created for you at a URL like this: `https://riot.<domain>/`.
+
+If you are NOT using the matrix-postgres container, you can generate the password hash by using the command-line after **SSH**-ing to your server (requires that [all services have been started](#starting-the-services)):
+
+	docker exec -it matrix-synapse /usr/local/bin/hash_password -c /data/homeserver.yaml
+
+and then connecting to the postgres server and executing:
+
+	UPDATE users SET password_hash = '<password-hash>' WHERE name = '@someone:server.com'
+
+where `<password-hash>` is the hash returned by the docker command above.
--- a/group_vars/matrix-servers
+++ b/group_vars/matrix-servers
@ -169,7 +169,7 @@ matrix_mxisd_container_expose_port: "{{ not matrix_nginx_proxy_enabled }}"
 # your own configuration in `matrix_mxisd_configuration_extension_yaml`.
 matrix_mxisd_synapsesql_enabled: true
 matrix_mxisd_synapsesql_type: postgresql
-matrix_mxisd_synapsesql_connection: //{{ matrix_synapse_database_host }}/{{ matrix_synapse_database_database }}?user={{ matrix_synapse_database_user }}&password={{ matrix_synapse_database_password }}
+matrix_mxisd_synapsesql_connection: //{{ matrix_synapse_database_host }}/{{ matrix_synapse_database_database }}?user={{ matrix_synapse_database_user | urlencode() }}&password={{ matrix_synapse_database_password | urlencode() }}

 matrix_mxisd_dns_overwrite_enabled: true
 matrix_mxisd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}"
--- a/roles/matrix-base/defaults/main.yml
+++ b/roles/matrix-base/defaults/main.yml
@ -48,6 +48,7 @@ run_import_postgres: true
 run_upgrade_postgres: true
 run_start: true
 run_register_user: true
+run_update_user_password: true
 run_import_sqlite_db: true
 run_import_media_store: true
 run_self_check: true
--- a/roles/matrix-base/tasks/setup_server_base.yml
+++ b/roles/matrix-base/tasks/setup_server_base.yml
@ -68,7 +68,7 @@

 - name: Ensure Docker is started and autoruns
  service:
-    name: docker 
+    name: docker
    state: started
    enabled: yes

--- a/roles/matrix-base/templates/static-files/well-known/matrix-client.j2
+++ b/roles/matrix-base/templates/static-files/well-known/matrix-client.j2
@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: "True"
 {
 	"m.homeserver": {
 		"base_url": "{{ matrix_homeserver_url }}"
--- a/roles/matrix-base/templates/static-files/well-known/matrix-server.j2
+++ b/roles/matrix-base/templates/static-files/well-known/matrix-server.j2
@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: "True"
 {
 	"m.server": "{{ matrix_server_fqn_matrix }}:8448"
 }
--- a/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2
+++ b/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2
@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: "True"
 #!/bin/bash

 if [ "$(id -u)" != "0" ]; then
--- a/roles/matrix-corporal/defaults/main.yml
+++ b/roles/matrix-corporal/defaults/main.yml
@ -6,6 +6,9 @@ matrix_corporal_enabled: true
 # Controls whether the matrix-corporal web server's ports (`41080` and `41081`) are exposed outside of the container.
 matrix_corporal_container_expose_ports: false

+# A list of extra arguments to pass to the container
+matrix_corporal_container_extra_arguments: []
+
 # List of systemd services that matrix-corporal.service depends on
 matrix_corporal_systemd_required_services_list: ['docker.service']

--- a/roles/matrix-corporal/templates/config.json.j2
+++ b/roles/matrix-corporal/templates/config.json.j2
@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: "True"
 {
 	"Matrix": {
 		"HomeserverDomainName": "{{ matrix_corporal_matrix_homeserver_domain_name }}",
--- a/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2
+++ b/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2
@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: "True"
 [Unit]
 Description=Matrix Corporal
 {% for service in matrix_corporal_systemd_required_services_list %}
@ -22,6 +23,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-corporal \
 			-v {{ matrix_corporal_config_dir_path }}:/etc/matrix-corporal:ro \
 			-v {{ matrix_corporal_cache_dir_path }}:/var/cache/matrix-corporal:rw \
 			-v {{ matrix_corporal_var_dir_path }}:/var/matrix-corporal:rw \
+			{% for arg in matrix_corporal_container_extra_arguments %}
+			{{ arg }} \
+			{% endfor %}
 			{{ matrix_corporal_docker_image }} \
 			/matrix-corporal -config=/etc/matrix-corporal/config.json
 ExecStop=-/usr/bin/docker kill matrix-corporal
--- a/roles/matrix-coturn/defaults/main.yml
+++ b/roles/matrix-coturn/defaults/main.yml
@ -23,6 +23,9 @@ matrix_coturn_systemd_required_services_list: ['docker.service']
 # Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."}
 matrix_coturn_container_additional_volumes: []

+# A list of extra arguments to pass to the container
+matrix_coturn_container_extra_arguments: []
+
 # A shared secret (between Synapse and Coturn) used for authentication.
 # You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`).
 matrix_coturn_turn_static_auth_secret: ""
--- a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2
+++ b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2
@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: "True"
 [Unit]
 Description=Matrix Coturn server
 {% for service in matrix_coturn_systemd_required_services_list %}
@ -27,6 +28,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-coturn \
 			{% for volume in matrix_coturn_container_additional_volumes %}
 			-v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \
 			{% endfor %}
+			{% for arg in matrix_coturn_container_extra_arguments %}
+			{{ arg }} \
+			{% endfor %}
 			{{ matrix_coturn_docker_image }} \
 			-c /turnserver.conf

--- a/roles/matrix-coturn/templates/turnserver.conf.j2
+++ b/roles/matrix-coturn/templates/turnserver.conf.j2
@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: "True"
 use-auth-secret
 static-auth-secret={{ matrix_coturn_turn_static_auth_secret }}
 realm=turn.{{ matrix_server_fqn_matrix }}
--- a/roles/matrix-dimension/defaults/main.yml
+++ b/roles/matrix-dimension/defaults/main.yml
@ -20,6 +20,9 @@ matrix_dimension_user_gid: 1000

 matrix_dimension_container_expose_port: false

+# A list of extra arguments to pass to the container
+matrix_dimension_container_extra_arguments: []
+
 matrix_dimension_integrations_ui_url: "https://{{ matrix_server_fqn_dimension }}/riot"
 matrix_dimension_integrations_rest_url: "https://{{ matrix_server_fqn_dimension }}/api/v1/scalar"
 matrix_dimension_integrations_widgets_urls: ["https://{{ matrix_server_fqn_dimension }}/widgets"]
@ -31,6 +34,7 @@ matrix_dimension_integrations_jitsi_widget_url: "https://{{ matrix_server_fqn_di
 # For a more advanced customization, you can extend the default (see `matrix_dimension_configuration_extension_yaml`)
 # or completely replace this variable with your own template.
 matrix_dimension_configuration_yaml: |
+  #jinja2: lstrip_blocks: True
  # The web settings for the service (API and UI).
  # It is best to have this run on localhost and use a reverse proxy to access Dimension.
  web:
@ -125,5 +129,3 @@ matrix_dimension_configuration_extension_yaml: |
 # Holds the final Dimension configuration (a combination of the default and its extension).
 # You most likely don't need to touch this variable. Instead, see `matrix_dimension_configuration_yaml`.
 matrix_dimension_configuration: "{{ matrix_dimension_configuration_yaml|from_yaml|combine(matrix_dimension_configuration_extension, recursive=True) }}"
-
-
--- a/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2
+++ b/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2
@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: "True"
 [Unit]
 Description=Matrix Dimension
 After=docker.service
@ -19,6 +20,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-dimension \
 			-p 127.0.0.1:8184:8184 \
 			{% endif %}
 			-v {{ matrix_dimension_base_path }}:/data:rw \
+			{% for arg in matrix_dimension_container_extra_arguments %}
+			{{ arg }} \
+			{% endfor %}
 			{{ matrix_dimension_docker_image }}
 ExecStop=-/usr/bin/docker kill matrix-dimension
 ExecStop=-/usr/bin/docker rm matrix-dimension
--- a/roles/matrix-mailer/defaults/main.yml
+++ b/roles/matrix-mailer/defaults/main.yml
@ -9,6 +9,9 @@ matrix_mailer_docker_image: "devture/exim-relay:4.91-r3-0"
 matrix_mailer_container_user_uid: 100
 matrix_mailer_container_user_gid: 101

+# A list of extra arguments to pass to the container
+matrix_mailer_container_extra_arguments: []
+
 matrix_mailer_sender_address: "matrix@{{ matrix_domain }}"
 matrix_mailer_relay_use: false
 matrix_mailer_relay_host_name: "mail.example.com"
--- a/roles/matrix-mailer/templates/env-mailer.j2
+++ b/roles/matrix-mailer/templates/env-mailer.j2
@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: "True"
 {% if matrix_mailer_relay_use %}
 SMARTHOST={{ matrix_mailer_relay_host_name }}::{{ matrix_mailer_relay_host_port }}
 {% endif %}
--- a/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2
+++ b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2
@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: "True"
 [Unit]
 Description=Matrix mailer
 After=docker.service
@ -16,6 +17,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-mailer \
 			--network={{ matrix_docker_network }} \
 			--env-file={{ matrix_mailer_base_path }}/env-mailer \
 			--hostname={{ matrix_server_fqn_matrix }} \
+			{% for arg in matrix_mailer_container_extra_arguments %}
+			{{ arg }} \
+			{% endfor %}
 			{{ matrix_mailer_docker_image }}
 ExecStop=-/usr/bin/docker kill matrix-mailer
 ExecStop=-/usr/bin/docker rm matrix-mailer
--- a/roles/matrix-mxisd/defaults/main.yml
+++ b/roles/matrix-mxisd/defaults/main.yml
@ -8,6 +8,9 @@ matrix_mxisd_data_path: "{{ matrix_mxisd_base_path }}/data"
 # Controls whether the mxisd web server's port (`8090`) is exposed outside of the container.
 matrix_mxisd_container_expose_port: false

+# A list of extra arguments to pass to the container
+matrix_mxisd_container_extra_arguments: []
+
 # List of systemd services that matrix-mxisd.service depends on
 matrix_mxisd_systemd_required_services_list: ['docker.service']

@ -64,6 +67,7 @@ matrix_mxisd_self_check_validate_certificates: true
 # For a more advanced customization, you can extend the default (see `matrix_mxisd_configuration_extension_yaml`)
 # or completely replace this variable with your own template.
 matrix_mxisd_configuration_yaml: |
+  #jinja2: lstrip_blocks: True
  matrix:
    domain: {{ matrix_domain }}

--- a/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2
+++ b/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2
@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: "True"
 [Unit]
 Description=Matrix mxisd Identity server
 {% for service in matrix_mxisd_systemd_required_services_list %}
@ -27,6 +28,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-mxisd \
 			{% endif %}
 			-v {{ matrix_mxisd_config_path }}:/etc/mxisd:ro \
 			-v {{ matrix_mxisd_data_path }}:/var/mxisd:rw \
+			{% for arg in matrix_mxisd_container_extra_arguments %}
+			{{ arg }} \
+			{% endfor %}
 			{{ matrix_mxisd_docker_image }}

 ExecStop=-/usr/bin/docker kill matrix-mxisd
--- a/roles/matrix-nginx-proxy/defaults/main.yml
+++ b/roles/matrix-nginx-proxy/defaults/main.yml
@ -21,6 +21,9 @@ matrix_nginx_proxy_systemd_wanted_services_list: []
 # Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."}
 matrix_nginx_proxy_container_additional_volumes: []

+# A list of extra arguments to pass to the container
+matrix_nginx_proxy_container_extra_arguments: []
+
 # Controls whether matrix-nginx-proxy should serve the base domain.
 #
 # This is useful for when you only have your Matrix server, but you need to serve
@ -66,6 +69,13 @@ matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: false
 matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "matrix-mxisd:8090"
 matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "127.0.0.1:8090"

+# Controls whether proxying for 3PID-based registration (`/_matrix/client/r0/register/(email|msisdn)/requestToken`) should be done (on the matrix domain).
+# This allows another service to control registrations involving 3PIDs.
+# To learn more, see: https://github.com/kamax-matrix/mxisd/blob/master/docs/features/registration.md
+matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled: false
+matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container: "matrix-mxisd:8090"
+matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container: "127.0.0.1:8090"
+
 # Controls whether proxying for the Identity API (`/_matrix/identity`) should be done (on the matrix domain)
 matrix_nginx_proxy_proxy_matrix_identity_api_enabled: false
 matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-mxisd:8090"
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2
@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: "True"
 server {
 	listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};
 	server_name {{ matrix_nginx_proxy_proxy_dimension_hostname }};
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2
@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: "True"
 server {
 	listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};
 	server_name {{ matrix_nginx_proxy_base_domain_hostname }};
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2
@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: "True"
 server {
 	listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};
 	server_name {{ matrix_nginx_proxy_proxy_riot_hostname }};
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2
@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: "True"
 server {
 	listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};
 	server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }};
@ -102,6 +103,23 @@ server {
 	}
 	{% endif %}

+	{% if matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled %}
+	location ~ ^/_matrix/client/r0/register/(email|msisdn)/requestToken$ {
+		{% if matrix_nginx_proxy_enabled %}
+			{# Use the embedded DNS resolver in Docker containers to discover the service #}
+			resolver 127.0.0.11 valid=5s;
+			set $backend "{{ matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container }}";
+			proxy_pass http://$backend;
+		{% else %}
+			{# Generic configuration for use outside of our container setup #}
+			proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container }};
+		{% endif %}
+
+		proxy_set_header Host $host;
+		proxy_set_header X-Forwarded-For $remote_addr;
+	}
+	{% endif %}
+
 	{% for configuration_block in matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks %}
 		{{- configuration_block }}
 	{% endfor %}
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2
@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: "True"
 # The default is aligned to the CPU's cache size,
 # which can sometimes be too low to handle our 2 vhosts (Synapse and Riot).
 #
--- a/roles/matrix-nginx-proxy/templates/nginx/matrix-synapse-metrics-htpasswd.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/matrix-synapse-metrics-htpasswd.j2
@ -1,2 +1,3 @@
+#jinja2: lstrip_blocks: "True"
 # User and password for protecting /_synapse/metrics URI
 prometheus:{{ matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key }}
--- a/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2
@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: "True"
 # This is a custom nginx configuration file that we use in the container (instead of the default one),
 # because it allows us to run nginx with a non-root user.
 #
--- a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2
+++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2
@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: "True"
 [Unit]
 Description=Matrix nginx-proxy server
 {% for service in matrix_nginx_proxy_systemd_required_services_list %}
@ -33,6 +34,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-nginx-proxy \
 			{% for volume in matrix_nginx_proxy_container_additional_volumes %}
 			-v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \
 			{% endfor %}
+			{% for arg in matrix_nginx_proxy_container_extra_arguments %}
+			{{ arg }} \
+			{% endfor %}
 			{{ matrix_nginx_proxy_docker_image }}

 ExecStop=-/usr/bin/docker kill matrix-nginx-proxy
--- a/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2
+++ b/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2
@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: "True"
 #!/bin/bash

 # For renewal to work, matrix-nginx-proxy (or another webserver, if matrix-nginx-proxy is disabled)
--- a/roles/matrix-postgres/defaults/main.yml
+++ b/roles/matrix-postgres/defaults/main.yml
@ -12,3 +12,6 @@ matrix_postgres_docker_image_v9: "postgres:9.6.12-alpine"
 matrix_postgres_docker_image_v10: "postgres:10.7-alpine"
 matrix_postgres_docker_image_v11: "postgres:11.2-alpine"
 matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v11 }}"
+
+# A list of extra arguments to pass to the container
+matrix_postgres_container_extra_arguments: []
--- a/roles/matrix-postgres/tasks/setup_postgres.yml
+++ b/roles/matrix-postgres/tasks/setup_postgres.yml
@ -123,3 +123,10 @@
  debug:
    msg: "Note: You are not using a local PostgreSQL database, but some old data remains from before in `{{ matrix_postgres_data_path }}`. Feel free to delete it."
  when: "not matrix_postgres_enabled and matrix_postgres_data_path_stat.stat.exists"
+
+- name: Ensure matrix-postgres-update-user-password-hash script created
+  template:
+    src: "{{ role_path }}/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2"
+    dest: "/usr/local/bin/matrix-postgres-update-user-password-hash"
+    mode: 0750
+  when: matrix_postgres_enabled
--- a/roles/matrix-postgres/templates/env-postgres-psql.j2
+++ b/roles/matrix-postgres/templates/env-postgres-psql.j2
@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: "True"
 PGUSER={{ matrix_postgres_connection_username }}
 PGPASSWORD={{ matrix_postgres_connection_password }}
 PGDATABASE={{ matrix_postgres_db_name }}
--- a/roles/matrix-postgres/templates/env-postgres-server.j2
+++ b/roles/matrix-postgres/templates/env-postgres-server.j2
@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: "True"
 POSTGRES_USER={{ matrix_postgres_connection_username }}
 POSTGRES_PASSWORD={{ matrix_postgres_connection_password }}
 POSTGRES_DB={{ matrix_postgres_db_name }}
--- a/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2
+++ b/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2
@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: "True"
 [Unit]
 Description=Matrix Postgres server
 After=docker.service
@ -18,6 +19,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-postgres \
 			--env-file={{ matrix_postgres_base_path }}/env-postgres-server \
 			-v {{ matrix_postgres_data_path }}:/var/lib/postgresql/data:rw \
 			-v /etc/passwd:/etc/passwd:ro \
+			{% for arg in matrix_postgres_container_extra_arguments %}
+			{{ arg }} \
+			{% endfor %}
 			{{ matrix_postgres_docker_image_to_use }}
 ExecStop=-/usr/bin/docker stop matrix-postgres
 ExecStop=-/usr/bin/docker rm matrix-postgres
--- a/roles/matrix-postgres/templates/usr-local-bin/matrix-make-user-admin.j2
+++ b/roles/matrix-postgres/templates/usr-local-bin/matrix-make-user-admin.j2
@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: "True"
 #!/bin/bash

 if [ $# -ne 1 ]; then
--- a/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli.j2
+++ b/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli.j2
@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: "True"
 #!/bin/bash

 docker run \
--- a/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2
+++ b/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2
@ -0,0 +1,16 @@
+#jinja2: lstrip_blocks: "True"
+#!/bin/bash
+
+if [ $# -ne 2 ]; then
+	echo "Usage: "$0" <username> <password_hash>"
+	exit 1
+fi
+
+docker run \
+	--rm \
+	--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+    --cap-drop=ALL \
+	--env-file={{ matrix_postgres_base_path }}/env-postgres-psql \
+	--network {{ matrix_docker_network }} \
+	{{ matrix_postgres_docker_image_to_use }} \
+	psql -h {{ matrix_postgres_connection_hostname }} -c "UPDATE users set password_hash='$2' WHERE name = '@$1:{{ matrix_domain }}'"
--- a/roles/matrix-riot-web/defaults/main.yml
+++ b/roles/matrix-riot-web/defaults/main.yml
@ -6,6 +6,9 @@ matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web"

 matrix_riot_web_container_expose_port: false

+# A list of extra arguments to pass to the container
+matrix_riot_web_container_extra_arguments: []
+
 # List of systemd services that matrix-riot-web.service depends on
 matrix_riot_web_systemd_required_services_list: ['docker.service']

--- a/roles/matrix-riot-web/templates/config.json.j2
+++ b/roles/matrix-riot-web/templates/config.json.j2
@ -1,23 +1,24 @@
+#jinja2: lstrip_blocks: "True"
 {
-	"default_hs_url": {{ matrix_riot_web_default_hs_url|to_json }},
-	"default_is_url": {{ matrix_riot_web_default_is_url|to_json }},
+	"default_hs_url": {{ matrix_riot_web_default_hs_url|string|to_json }},
+	"default_is_url": {{ matrix_riot_web_default_is_url|string|to_json }},
 	"disable_custom_urls": {{ matrix_riot_web_disable_custom_urls|to_json }},
 	"disable_guests": {{ matrix_riot_web_disable_guests|to_json }},
 	"brand": "Riot",
-	"integrations_ui_url": {{ matrix_riot_web_integrations_ui_url|to_json }},
-	"integrations_rest_url": {{ matrix_riot_web_integrations_rest_url|to_json }},
+	"integrations_ui_url": {{ matrix_riot_web_integrations_ui_url|string|to_json }},
+	"integrations_rest_url": {{ matrix_riot_web_integrations_rest_url|string|to_json }},
 	"integrations_widgets_urls": {{ matrix_riot_web_integrations_widgets_urls|to_json }},
-	"integrations_jitsi_widget_url": {{ matrix_riot_web_integrations_jitsi_widget_url|to_json }},
+	"integrations_jitsi_widget_url": {{ matrix_riot_web_integrations_jitsi_widget_url|string|to_json }},
 	"bug_report_endpoint_url": "https://riot.im/bugreports/submit",
 	"enableLabs": true,
 	"roomDirectory": {
 		"servers": {{ matrix_riot_web_roomdir_servers|to_json }}
 	},
-	"welcomeUserId": {{ matrix_riot_web_welcome_user_id|to_json }},
+	"welcomeUserId": {{ matrix_riot_web_welcome_user_id|string|to_json }},
 	{% if matrix_riot_web_enable_presence_by_hs_url is not none %}
 		"enable_presence_by_hs_url": {{ matrix_riot_web_enable_presence_by_hs_url|to_json }},
 	{% endif %}
 	"embeddedPages": {
-		"homeUrl": {{ matrix_riot_web_embedded_pages_home_url|to_json }}
+		"homeUrl": {{ matrix_riot_web_embedded_pages_home_url|string|to_json }}
 	}
 }
--- a/roles/matrix-riot-web/templates/nginx.conf.j2
+++ b/roles/matrix-riot-web/templates/nginx.conf.j2
@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: "True"
 # This is a custom nginx configuration file that we use in the container (instead of the default one),
 # because it allows us to run nginx with a non-root user.
 #
--- a/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2
+++ b/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2
@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: "True"
 [Unit]
 Description=Matrix riot-web server
 {% for service in matrix_riot_web_systemd_required_services_list %}
@ -26,6 +27,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-riot-web \
 			-v {{ matrix_riot_web_data_path }}/home.html:/etc/riot-web/home.html:ro \
 			{% endif %}
 			-v {{ matrix_riot_web_data_path }}/welcome.html:/etc/riot-web/welcome.html:ro \
+			{% for arg in matrix_riot_web_container_extra_arguments %}
+			{{ arg }} \
+			{% endfor %}
 			{{ matrix_riot_web_docker_image }}
 ExecStop=-/usr/bin/docker kill matrix-riot-web
 ExecStop=-/usr/bin/docker rm matrix-riot-web
--- a/roles/matrix-riot-web/templates/welcome.html.j2
+++ b/roles/matrix-riot-web/templates/welcome.html.j2
@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: "True"
 <style type="text/css">

 /* we deliberately inline style here to avoid flash-of-CSS problems, and to avoid
--- a/roles/matrix-synapse/defaults/main.yml
+++ b/roles/matrix-synapse/defaults/main.yml
@ -1,4 +1,4 @@
-matrix_synapse_docker_image: "matrixdotorg/synapse:v0.99.3-py3"
+matrix_synapse_docker_image: "matrixdotorg/synapse:v0.99.3.2"

 matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse"
 matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config"
@ -24,6 +24,9 @@ matrix_appservice_discord_container_expose_client_server_api_port: false
 # Controls whether the matrix-synapse container exposes the metrics port (tcp/9100).
 matrix_synapse_container_expose_metrics_port: false

+# A list of extra arguments to pass to the container
+matrix_synapse_container_extra_arguments: []
+
 # List of systemd services that matrix-synapse.service depends on
 matrix_synapse_systemd_required_services_list: ['docker.service']

@ -111,6 +114,9 @@ matrix_synapse_use_presence: true
 # Controls whether people with access to the homeserver can register by themselves.
 matrix_synapse_enable_registration: false

+# A list of 3PID types which users must supply when registering (possible values: email, msisdn).
+matrix_synapse_registrations_require_3pid: []
+
 # Users who register on this homeserver will automatically be joined to these rooms.
 # Rooms are to be specified using addresses (e.g. `#address:example.com`)
 matrix_synapse_auto_join_rooms: []
@ -258,6 +264,18 @@ matrix_mautrix_whatsapp_docker_image: "tulir/mautrix-whatsapp:latest"

 matrix_mautrix_whatsapp_base_path: "{{ matrix_base_data_path }}/mautrix-whatsapp"

+# Matrix mautrix is a Matrix <-> Facebook bridge
+# Enable facebook bridge
+matrix_mautrix_facebook_enabled: false
+
+matrix_mautrix_facebook_docker_image: "tulir/mautrix-facebook:latest"
+
+matrix_mautrix_facebook_base_path: "{{ matrix_base_data_path }}/mautrix-facebook"
+
+# Get your own API keys at https://developers.facebook.com/docs/apis-and-sdks/
+matrix_mautrix_facebook_api_id: YOUR_FACEBOOK_APP_ID
+matrix_mautrix_facebook_api_hash: YOUR_FACEBOOK_API_HASH
+
 # Matrix Appservice IRC is a Matrix <-> IRC bridge
 # Enable IRC bridge
 matrix_appservice_irc_enabled: false
@ -267,6 +285,7 @@ matrix_appservice_irc_docker_image: "tedomum/matrix-appservice-irc:latest"
 matrix_appservice_irc_base_path: "{{ matrix_base_data_path }}/appservice-irc"

 matrix_appservice_irc_configuration_yaml: |
+  #jinja2: lstrip_blocks: True
  homeserver:
    url: "https://{{ matrix_server_fqn_matrix }}"
    domain: "{{ matrix_domain }}"
--- a/roles/matrix-synapse/tasks/ext/init.yml
+++ b/roles/matrix-synapse/tasks/ext/init.yml
@ -4,6 +4,8 @@

 - import_tasks: "{{ role_path }}/tasks/ext/mautrix-whatsapp/init.yml"

+- import_tasks: "{{ role_path }}/tasks/ext/mautrix-facebook/init.yml"
+
 - import_tasks: "{{ role_path }}/tasks/ext/appservice-irc/init.yml"

 - import_tasks: "{{ role_path }}/tasks/ext/appservice-discord/init.yml"
--- a/roles/matrix-synapse/tasks/ext/mautrix-facebook/init.yml
+++ b/roles/matrix-synapse/tasks/ext/mautrix-facebook/init.yml
@ -0,0 +1,3 @@
+- set_fact:
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-facebook'] }}"
+  when: matrix_mautrix_facebook_enabled
--- a/roles/matrix-synapse/tasks/ext/mautrix-facebook/setup.yml
+++ b/roles/matrix-synapse/tasks/ext/mautrix-facebook/setup.yml
@ -0,0 +1,101 @@
+---
+
+- name: Ensure Mautrix Facebook image is pulled
+  docker_image:
+    name: "{{ matrix_mautrix_facebook_docker_image }}"
+  when: "matrix_mautrix_facebook_enabled"
+
+- name: Ensure Mautrix Facebook configuration path exists
+  file:
+    path: "{{ matrix_mautrix_facebook_base_path }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+  when: "matrix_mautrix_facebook_enabled"
+
+- name: Check if a mautrix-facebook configuration file exists
+  stat:
+    path: "{{ matrix_mautrix_facebook_base_path }}/config.yaml"
+  register: mautrix_facebook_config_file_stat
+  when: "matrix_mautrix_facebook_enabled"
+
+- name: Ensure Matrix Mautrix facebook config installed
+  template:
+    src: "{{ role_path }}/templates/ext/mautrix-facebook/config.yaml.j2"
+    dest: "{{ matrix_mautrix_facebook_base_path }}/config.yaml"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+  when: "matrix_mautrix_facebook_enabled and not mautrix_facebook_config_file_stat.stat.exists"
+
+- name: (Migration) Fix up old configuration
+  lineinfile:
+    path: "{{ matrix_mautrix_facebook_base_path }}/config.yaml"
+    regexp: "{{ item.regexp }}"
+    line: "{{ item.line }}"
+    backrefs: yes
+  with_items:
+    - {'regexp': '^(\s+)filename: \./mautrix-facebook.log', 'line': '\1filename: /data/mautrix-facebook.log'}
+    - {'regexp': '^(\s+)database:', 'line': '\1database: sqlite:////data/mautrix-facebook.db'}
+  when: "matrix_mautrix_facebook_enabled and mautrix_facebook_config_file_stat.stat.exists"
+
+- name: Ensure matrix-mautrix-facebook.service installed
+  template:
+    src: "{{ role_path }}/templates/ext/mautrix-facebook/systemd/matrix-mautrix-facebook.service.j2"
+    dest: "/etc/systemd/system/matrix-mautrix-facebook.service"
+    mode: 0644
+  register: matrix_mautrix_facebook_systemd_service_result
+  when: "matrix_mautrix_facebook_enabled"
+
+- name: Ensure systemd reloaded after matrix-mautrix-facebook.service installation
+  service:
+    daemon_reload: yes
+  when: "matrix_mautrix_facebook_enabled and matrix_mautrix_facebook_systemd_service_result.changed"
+
+- name: Check if a mautrix-facebook registration file exists
+  stat:
+    path: "{{ matrix_mautrix_facebook_base_path }}/registration.yaml"
+  register: mautrix_facebook_registration_file_stat
+  when: "matrix_mautrix_facebook_enabled"
+
+- name: Generate matrix-mautrix-facebook registration.yaml if it doesn't exist
+  shell:
+    cmd: >-
+      /usr/bin/docker run
+      --rm
+      --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
+      --cap-drop=ALL
+      --name matrix-mautrix-facebook-gen
+      -v {{ matrix_mautrix_facebook_base_path }}:/data:z
+      {{ matrix_mautrix_facebook_docker_image }}
+      python3 -m mautrix_facebook -g -c /data/config.yaml -r /data/registration.yaml
+  when: "matrix_mautrix_facebook_enabled and not mautrix_facebook_registration_file_stat.stat.exists"
+
+- set_fact:
+    matrix_synapse_app_service_config_file_mautrix_facebook: '/app-registration/mautrix-facebook.yml'
+  when: "matrix_mautrix_facebook_enabled"
+
+- set_fact:
+    matrix_synapse_container_additional_volumes: >
+      {{ matrix_synapse_container_additional_volumes }}
+      +
+      {{ [{'src': '{{ matrix_mautrix_facebook_base_path }}/registration.yaml', 'dst': '{{ matrix_synapse_app_service_config_file_mautrix_facebook }}', 'options': 'ro'}] }}
+  when: "matrix_mautrix_facebook_enabled"
+
+- set_fact:
+    matrix_synapse_app_service_config_files: >
+      {{ matrix_synapse_app_service_config_files }}
+      +
+      {{ ["{{ matrix_synapse_app_service_config_file_mautrix_facebook }}"] | to_nice_json  }}
+  when: "matrix_mautrix_facebook_enabled"
+
+#
+# Tasks related to getting rid of matrix-mautrix-facebook (if it was previously enabled)
+#
+
+- name: Ensure matrix-mautrix-facebook.service doesn't exist
+  file:
+    path: "/etc/systemd/system/matrix-mautrix-facebook.service"
+    state: absent
+  when: "not matrix_mautrix_facebook_enabled"
--- a/roles/matrix-synapse/tasks/ext/setup.yml
+++ b/roles/matrix-synapse/tasks/ext/setup.yml
@ -10,6 +10,8 @@

 - import_tasks: "{{ role_path }}/tasks/ext/mautrix-whatsapp/setup.yml"

+- import_tasks: "{{ role_path }}/tasks/ext/mautrix-facebook/setup.yml"
+
 - import_tasks: "{{ role_path }}/tasks/ext/appservice-irc/setup.yml"

 - import_tasks: "{{ role_path }}/tasks/ext/appservice-discord/setup.yml"
--- a/roles/matrix-synapse/tasks/main.yml
+++ b/roles/matrix-synapse/tasks/main.yml
@ -37,3 +37,8 @@
  when: run_self_check
  tags:
    - self-check
+
+- import_tasks: "{{ role_path }}/tasks/update_user_password.yml"
+  when: run_update_user_password
+  tags:
+    - update-user-password
--- a/roles/matrix-synapse/tasks/update_user_password.yml
+++ b/roles/matrix-synapse/tasks/update_user_password.yml
@ -0,0 +1,48 @@
+---
+
+- name: Fail if playbook called incorrectly
+  fail:
+    msg: "The `username` variable needs to be provided to this playbook, via --extra-vars"
+  when: "username is not defined or username == '<your-username>'"
+
+- name: Fail if playbook called incorrectly
+  fail:
+    msg: "The `password` variable needs to be provided to this playbook, via --extra-vars"
+  when: "password is not defined or password == '<your-password>'"
+
+- name: Fail if not using matrix-postgres container
+  fail:
+    msg: "This command is working only when matrix-postgres container is being used"
+  when: "not matrix_postgres_enabled"
+
+- name: Ensure matrix-synapse is started
+  service:
+    name: matrix-synapse
+    state: started
+    daemon_reload: yes
+  register: start_result
+
+- name: Ensure matrix-postgres is started
+  service:
+    name: matrix-postgres
+    state: started
+    daemon_reload: yes
+  register: postgres_start_result
+
+
+- name: Wait a while, so that Matrix Synapse can manage to start
+  pause:
+    seconds: 7
+  when: start_result.changed
+
+- name: Wait a while, so that Matrix Postgres can manage to start
+  pause:
+    seconds: 7
+  when: postgres_start_result.changed
+
+- name: Generate password hash
+  shell: "/usr/bin/docker exec matrix-synapse /usr/local/bin/hash_password -c /data/homeserver.yaml -p {{ password }}"
+  register: password_hash
+
+- name: Update user password hash
+  shell: "/usr/local/bin/matrix-postgres-update-user-password-hash {{ username }} '{{ password_hash.stdout }}'"
--- a/roles/matrix-synapse/templates/ext/appservice-discord/systemd/matrix-appservice-discord.service.j2
+++ b/roles/matrix-synapse/templates/ext/appservice-discord/systemd/matrix-appservice-discord.service.j2
@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: "True"
 [Unit]
 Description=Matrix Appservice Discord server
 After=docker.service
--- a/roles/matrix-synapse/templates/ext/appservice-irc/systemd/matrix-appservice-irc.service.j2
+++ b/roles/matrix-synapse/templates/ext/appservice-irc/systemd/matrix-appservice-irc.service.j2
@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: "True"
 [Unit]
 Description=Matrix Appservice IRC server
 After=docker.service
--- a/roles/matrix-synapse/templates/ext/mautrix-facebook/config.yaml.j2
+++ b/roles/matrix-synapse/templates/ext/mautrix-facebook/config.yaml.j2
@ -0,0 +1,109 @@
+#jinja2: lstrip_blocks: "True"
+# Homeserver details
+homeserver:
+    # The address that this appservice can use to connect to the homeserver.
+    address: https://{{ matrix_server_fqn_matrix }}
+    # The domain of the homeserver (for MXIDs, etc).
+    domain: {{ matrix_domain }}
+    # Whether or not to verify the SSL certificate of the homeserver.
+    # Only applies if address starts with https://
+    verify_ssl: true
+
+# Application service host/registration related details
+# Changing these values requires regeneration of the registration.
+appservice:
+    # The address that the homeserver can use to connect to this appservice.
+    address: http://matrix-mautrix-facebook:8080
+
+    # The hostname and port where this appservice should listen.
+    hostname: 0.0.0.0
+    port: 8080
+    # The maximum body size of appservice API requests (from the homeserver) in mebibytes
+    # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s
+    max_body_size: 1
+
+    # The full URI to the database. SQLite and Postgres are fully supported.
+    # Other DBMSes supported by SQLAlchemy may or may not work.
+    # Format examples:
+    #   SQLite:   sqlite:///filename.db
+    #   Postgres: postgres://username:password@hostname/dbname
+    database: sqlite:////data/mautrix-facebook.db
+
+    # The unique ID of this appservice.
+    id: facebook
+    # Username of the appservice bot.
+    bot_username: facebookbot
+    # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
+    # to leave display name/avatar as-is.
+    bot_displayname: Facebook bridge bot
+    bot_avatar: mxc://maunium.net/ddtNPZSKMNqaUzqrHuWvUADv
+
+    # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
+    as_token: "This value is generated when generating the registration"
+    hs_token: "This value is generated when generating the registration"
+
+# Bridge config
+bridge:
+    # Localpart template of MXIDs for Facebook users.
+    # {userid} is replaced with the user ID of the Facebook user.
+    username_template: "facebook_{userid}"
+
+    # The prefix for commands. Only required in non-management rooms.
+    command_prefix: "!fb"
+
+    # Number of chats to sync (and create portals for) on startup/login.
+    # Maximum 20, set 0 to disable automatic syncing.
+    initial_chat_sync: 10
+    # Whether or not the Facebook users of logged in Matrix users should be
+    # invited to private chats when the user sends a message from another client.
+    invite_own_puppet_to_pm: false
+    # Whether or not to use /sync to get presence, read receipts and typing notifications when using
+    # your own Matrix account as the Matrix puppet for your Facebook account.
+    sync_with_custom_puppets: true
+    # Whether or not to bridge presence in both directions. Facebook allows users not to broadcast
+    # presence, but then it won't send other users' presence to the client.
+    presence: true
+
+    # Permissions for using the bridge.
+    # Permitted values:
+    #       user - Use the bridge with puppeting.
+    #      admin - Use and administrate the bridge.
+    # Permitted keys:
+    #        * - All Matrix users
+    #   domain - All users on that homeserver
+    #     mxid - Specific user
+    permissions:
+        '{{ matrix_domain }}': user
+
+# Python logging configuration.
+#
+# See section 16.7.2 of the Python documentation for more info:
+# https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema
+logging:
+    version: 1
+    formatters:
+        colored:
+            (): mautrix_facebook.util.ColorFormatter
+            format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s"
+        normal:
+            format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s"
+    handlers:
+        file:
+            class: logging.handlers.RotatingFileHandler
+            formatter: normal
+            filename: /data/mautrix-facebook.log
+            maxBytes: 10485760
+            backupCount: 10
+        console:
+            class: logging.StreamHandler
+            formatter: colored
+    loggers:
+        mau:
+            level: DEBUG
+        fbchat:
+            level: DEBUG
+        aiohttp:
+            level: INFO
+    root:
+        level: DEBUG
+        handlers: [file, console]
--- a/roles/matrix-synapse/templates/ext/mautrix-facebook/systemd/matrix-mautrix-facebook.service.j2
+++ b/roles/matrix-synapse/templates/ext/mautrix-facebook/systemd/matrix-mautrix-facebook.service.j2
@ -0,0 +1,34 @@
+#jinja2: lstrip_blocks: "True"
+[Unit]
+Description=Matrix Mautrix Facebook server
+After=docker.service
+Requires=docker.service
+Requires=matrix-synapse.service
+After=matrix-synapse.service
+
+[Service]
+Type=simple
+ExecStartPre=-/usr/bin/docker kill matrix-mautrix-facebook
+ExecStartPre=-/usr/bin/docker rm matrix-mautrix-facebook
+ExecStartPre=/usr/bin/docker run --rm --name matrix-mautrix-facebook-db \
+			--log-driver=none \
+			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+			--cap-drop=ALL \
+			-v {{ matrix_mautrix_facebook_base_path }}:/data:z \
+			{{ matrix_mautrix_facebook_docker_image }} \
+			alembic -x config=/data/config.yaml upgrade head
+ExecStart=/usr/bin/docker run --rm --name matrix-mautrix-facebook \
+			--log-driver=none \
+			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+			--cap-drop=ALL \
+			--network={{ matrix_docker_network }} \
+			-v {{ matrix_mautrix_facebook_base_path }}:/data:z \
+			{{ matrix_mautrix_facebook_docker_image }} \
+			python3 -m mautrix_facebook -c /data/config.yaml
+ExecStop=-/usr/bin/docker kill matrix-mautrix-facebook
+ExecStop=-/usr/bin/docker rm matrix-mautrix-facebook
+Restart=always
+RestartSec=30
+
+[Install]
+WantedBy=multi-user.target
--- a/roles/matrix-synapse/templates/ext/mautrix-telegram/config.yaml.j2
+++ b/roles/matrix-synapse/templates/ext/mautrix-telegram/config.yaml.j2
@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: "True"
 # Homeserver details
 homeserver:
    # The address that this appservice can use to connect to the homeserver.
--- a/roles/matrix-synapse/templates/ext/mautrix-telegram/systemd/matrix-mautrix-telegram.service.j2
+++ b/roles/matrix-synapse/templates/ext/mautrix-telegram/systemd/matrix-mautrix-telegram.service.j2
@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: "True"
 [Unit]
 Description=Matrix Mautrix Telegram server
 After=docker.service
--- a/roles/matrix-synapse/templates/ext/mautrix-whatsapp/config.yaml.j2
+++ b/roles/matrix-synapse/templates/ext/mautrix-whatsapp/config.yaml.j2
@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: "True"
 # Homeserver details.
 homeserver:
  # The address that this appservice can use to connect to the homeserver.
--- a/roles/matrix-synapse/templates/ext/mautrix-whatsapp/systemd/matrix-mautrix-whatsapp.service.j2
+++ b/roles/matrix-synapse/templates/ext/mautrix-whatsapp/systemd/matrix-mautrix-whatsapp.service.j2
@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: "True"
 [Unit]
 Description=Matrix Mautrix Whatsapp server
 After=docker.service
--- a/roles/matrix-synapse/templates/goofys/env-goofys.j2
+++ b/roles/matrix-synapse/templates/goofys/env-goofys.j2
@ -1,2 +1,3 @@
+#jinja2: lstrip_blocks: "True"
 AWS_ACCESS_KEY={{ matrix_s3_media_store_aws_access_key }}
 AWS_SECRET_KEY={{ matrix_s3_media_store_aws_secret_key }}
--- a/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2
+++ b/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2
@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: "True"
 [Unit]
 Description=Matrix Goofys media store
 After=docker.service
--- a/roles/matrix-synapse/templates/synapse/env-synapse.j2
+++ b/roles/matrix-synapse/templates/synapse/env-synapse.j2
@ -1,2 +1,3 @@
+#jinja2: lstrip_blocks: "True"
 SYNAPSE_CONFIG_PATH=/data/homeserver.yaml
 SYNAPSE_CACHE_FACTOR={{ matrix_synapse_cache_factor }}
--- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
+++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: "True"
 # vim:ft=yaml

 ## Server ##
@ -358,8 +359,8 @@ database:
  # The database engine name
  name: "psycopg2"
  args:
-    user: {{ matrix_synapse_database_user|to_json }}
-    password: {{ matrix_synapse_database_password|to_json }}
+    user: {{ matrix_synapse_database_user|string|to_json }}
+    password: {{ matrix_synapse_database_password|string|to_json }}
    database: "{{ matrix_synapse_database_database }}"
    host: "{{ matrix_synapse_database_host }}"
    cp_min: 5
@ -521,9 +522,10 @@ max_upload_size: "{{ matrix_synapse_max_upload_size_mb }}M"
 #    height: 600
 #    method: scale

-# Is the preview URL API enabled?  If enabled, you *must* specify
-# an explicit url_preview_ip_range_blacklist of IPs that the spider is
-# denied from accessing.
+# Is the preview URL API enabled?
+#
+# 'false' by default: uncomment the following to enable it (and specify a
+# url_preview_ip_range_blacklist blacklist).
 #
 url_preview_enabled: {{ matrix_synapse_url_preview_enabled|to_json }}

@ -534,7 +536,13 @@ url_preview_enabled: {{ matrix_synapse_url_preview_enabled|to_json }}
 # to connect to, otherwise anyone in any Matrix room could cause your
 # synapse to issue arbitrary GET requests to your internal services,
 # causing serious security issues.
-
+#
+# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly
+# listed here, since they correspond to unroutable addresses.)
+#
+# This must be specified if url_preview_enabled is set. It is recommended that
+# you uncomment the following list as a starting point.
+#
 url_preview_ip_range_blacklist:
  - '127.0.0.0/8'
  - '10.0.0.0/8'
@ -628,7 +636,7 @@ turn_uris: {{ matrix_synapse_turn_uris|to_json }}

 # The shared secret used to compute passwords for the TURN server
 #
-turn_shared_secret: {{ matrix_synapse_turn_shared_secret|to_json }}
+turn_shared_secret: {{ matrix_synapse_turn_shared_secret|string|to_json }}

 # The Username and password if the TURN server needs them and
 # does not use a token
@ -663,6 +671,9 @@ enable_registration: {{ matrix_synapse_enable_registration|to_json }}
 #registrations_require_3pid:
 #  - email
 #  - msisdn
+{% if matrix_synapse_registrations_require_3pid %}
+registrations_require_3pid: {{ matrix_synapse_registrations_require_3pid|to_json }}
+{% endif %}

 # Explicitly disable asking for MSISDNs from the registration
 # flow (overrides registrations_require_3pid if MSISDNs are set as required)
@ -683,7 +694,7 @@ enable_registration: {{ matrix_synapse_enable_registration|to_json }}
 # If set, allows registration of standard or admin accounts by anyone who
 # has the shared secret, even if registration is otherwise disabled.
 #
-registration_shared_secret: {{ matrix_synapse_registration_shared_secret|to_json }}
+registration_shared_secret: {{ matrix_synapse_registration_shared_secret|string|to_json }}

 # Set the number of bcrypt rounds used to generate password hash.
 # Larger numbers increase the work factor needed to generate the hash.
@ -784,7 +795,7 @@ app_service_config_files: {{ matrix_synapse_app_service_config_files }}
 # the registration_shared_secret is used, if one is given; otherwise,
 # a secret key is derived from the signing key.
 #
-macaroon_secret_key: {{ matrix_synapse_macaroon_secret_key|to_json }}
+macaroon_secret_key: {{ matrix_synapse_macaroon_secret_key|string|to_json }}

 # Used to enable access token expiration.
 #
@ -794,7 +805,7 @@ macaroon_secret_key: {{ matrix_synapse_macaroon_secret_key|to_json }}
 # falsification of values. Must be specified for the User Consent
 # forms to work.
 #
-form_secret: {{ matrix_synapse_form_secret|to_json }}
+form_secret: {{ matrix_synapse_form_secret|string|to_json }}

 ## Signing Keys ##

@ -899,7 +910,7 @@ password_config:
   # Uncomment and change to a secret random string for extra security.
   # DO NOT CHANGE THIS AFTER INITIAL SETUP!
   #
-   pepper: {{ matrix_synapse_password_config_pepper|to_json }}
+   pepper: {{ matrix_synapse_password_config_pepper|string|to_json }}



@ -914,15 +925,15 @@ password_config:
 {% if matrix_synapse_email_enabled %}
 email:
   enable_notifs: true
-   smtp_host: {{ matrix_synapse_email_smtp_host|to_json }}
+   smtp_host: {{ matrix_synapse_email_smtp_host|string|to_json }}
   smtp_port: {{ matrix_synapse_email_smtp_port|to_json }}
   require_transport_security: {{ matrix_synapse_email_smtp_require_transport_security|to_json }}
-   notif_from: {{ matrix_synapse_email_notif_from|to_json }}
+   notif_from: {{ matrix_synapse_email_notif_from|string|to_json }}
   app_name: Matrix
   notif_template_html: notif_mail.html
   notif_template_text: notif_mail.txt
   notif_for_new_users: True
-   riot_base_url: {{ matrix_synapse_email_riot_base_url|to_json }}
+   riot_base_url: {{ matrix_synapse_email_riot_base_url|string|to_json }}
 {% endif %}


@ -945,12 +956,12 @@ password_providers:
 {% if matrix_synapse_ext_password_provider_shared_secret_auth_enabled %}
  - module: "shared_secret_authenticator.SharedSecretAuthenticator"
    config:
-      sharedSecret: {{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret|to_json }}
+      sharedSecret: {{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret|string|to_json }}
 {% endif %}
 {% if matrix_synapse_ext_password_provider_rest_auth_enabled %}
  - module: "rest_auth_provider.RestAuthProvider"
    config:
-      endpoint: {{ matrix_synapse_ext_password_provider_rest_auth_endpoint|to_json }}
+      endpoint: {{ matrix_synapse_ext_password_provider_rest_auth_endpoint|string|to_json }}
      policy:
        registration:
          username:
@ -965,16 +976,16 @@ password_providers:
  - module: "ldap_auth_provider.LdapAuthProvider"
    config:
      enabled: true
-      uri: {{ matrix_synapse_ext_password_provider_ldap_uri|to_json }}
-      start_tls: {{ matrix_synapse_ext_password_provider_ldap_start_tls|to_json }}
-      base: {{ matrix_synapse_ext_password_provider_ldap_base|to_json }}
+      uri: {{ matrix_synapse_ext_password_provider_ldap_uri|string|to_json }}
+      start_tls: {{ matrix_synapse_ext_password_provider_ldap_start_tls|string|to_json }}
+      base: {{ matrix_synapse_ext_password_provider_ldap_base|string|to_json }}
      attributes:
-        uid: {{ matrix_synapse_ext_password_provider_ldap_attributes_uid|to_json }}
-        mail: {{ matrix_synapse_ext_password_provider_ldap_attributes_mail|to_json }}
-        name: {{ matrix_synapse_ext_password_provider_ldap_attributes_name|to_json }}
-      bind_dn: {{ matrix_synapse_ext_password_provider_ldap_bind_dn|to_json }}
-      bind_password: {{ matrix_synapse_ext_password_provider_ldap_bind_password|to_json }}
-      filter: {{ matrix_synapse_ext_password_provider_ldap_filter|to_json }}
+        uid: {{ matrix_synapse_ext_password_provider_ldap_attributes_uid|string|to_json }}
+        mail: {{ matrix_synapse_ext_password_provider_ldap_attributes_mail|string|to_json }}
+        name: {{ matrix_synapse_ext_password_provider_ldap_attributes_name|string|to_json }}
+      bind_dn: {{ matrix_synapse_ext_password_provider_ldap_bind_dn|string|to_json }}
+      bind_password: {{ matrix_synapse_ext_password_provider_ldap_bind_password|string|to_json }}
+      filter: {{ matrix_synapse_ext_password_provider_ldap_filter|string|to_json }}
 {% endif %}
 {% endif %}

--- a/roles/matrix-synapse/templates/synapse/synapse.log.config.j2
+++ b/roles/matrix-synapse/templates/synapse/synapse.log.config.j2
@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: "True"

 version: 1

--- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2
+++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2
@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: "True"
 [Unit]
 Description=Synapse server
 {% for service in matrix_synapse_systemd_required_services_list %}
@ -46,6 +47,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \
 			{% for volume in matrix_synapse_container_additional_volumes %}
 			-v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \
 			{% endfor %}
+			{% for arg in matrix_synapse_container_extra_arguments %}
+			{{ arg }} \
+			{% endfor %}
 			{{ matrix_synapse_docker_image }} \
 			-m synapse.app.homeserver -c /data/homeserver.yaml

--- a/roles/matrix-synapse/templates/synapse/usr-local-bin/matrix-synapse-register-user.j2
+++ b/roles/matrix-synapse/templates/synapse/usr-local-bin/matrix-synapse-register-user.j2
@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: "True"
 #!/bin/bash

 if [ $# -ne 3 ]; then