diff --git a/CHANGELOG.md b/CHANGELOG.md index 4703013c..3c48d2cb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,33 @@ +# 2019-05-09 + +Besides a myriad of bug fixes and minor improvements, here are the more notable (bigger) features we can announce today. + +## Mautrix Facebook/Messenger bridging support + +The playbook now supports bridging with [Facebook](https://www.facebook.com/) by installing the [mautrix-facebook](https://github.com/tulir/mautrix-facebook) bridge. This playbook functionality is available thanks to [@izissise](https://github.com/izissise). + +Additional details are available in [Setting up Mautrix Facebook bridging](docs/configuring-playbook-bridge-mautrix-facebook.md). + +## mxisd Registration feature integration + +The playbook can now help you integrate with mxisd's [Registration](https://github.com/kamax-matrix/mxisd/blob/master/docs/features/registration.md) feature. + +Learn more in [mxisd-controlled Registration](docs/configuring-playbook-mxisd.md#mxisd-controlled-registration). + + +# 2019-04-16 + +## Caddy webserver examples + +If you prefer using the [Caddy](https://caddyserver.com/) webserver instead of our own integrated nginx, we now have examples for it in the [`examples/caddy`](examples/caddy) directory + +# 2019-04-10 + +## Goofys support for other S3-compatible object stores + +Until now, you could optionally host Synapse's media repository on Amazon S3, but we now also support [using other S3-compatible object stores](docs/configuring-playbook-s3.md), + + # 2019-04-03 ## Ansible >= 2.5 is required diff --git a/README.md b/README.md index 388b1c29..840af1d3 100644 --- a/README.md +++ b/README.md 
@@ -38,6 +38,8 @@ Using this playbook, you can get the following services configured on your serve - (optional) the [mautrix-whatsapp](https://github.com/tulir/mautrix-whatsapp) bridge for bridging your Matrix server to [Whatsapp](https://www.whatsapp.com/) +- (optional) the [mautrix-facebook](https://github.com/tulir/mautrix-facebook) bridge for bridging your Matrix server to [facebook](https://facebook.com/) + - (optional) the [matrix-appservice-irc](https://github.com/TeDomum/matrix-appservice-irc) bridge for bridging your Matrix server to [IRC](https://wikipedia.org/wiki/Internet_Relay_Chat) - (optional) the [matrix-appservice-discord](https://github.com/Half-Shot/matrix-appservice-discord) bridge for bridging your Matrix server to [Discord](https://discordapp.com/) @@ -116,6 +118,8 @@ This playbook sets up your server using the following Docker images: - [tulir/mautrix-whatsapp](https://hub.docker.com/r/tulir/mautrix-whatsapp/) - the [mautrix-whatsapp](https://github.com/tulir/mautrix-whatsapp) bridge to [Whatsapp](https://www.whatsapp.com/) (optional) +- [tulir/mautrix-facebook](https://hub.docker.com/r/tulir/mautrix-facebook/) - the [mautrix-facebook](https://github.com/tulir/mautrix-facebook) bridge to [Facebook](https://facebook.com/) (optional) + - [tedomum/matrix-appservice-irc](https://hub.docker.com/r/tedomum/matrix-appservice-irc/) - the [matrix-appservice-irc](https://github.com/TeDomum/matrix-appservice-irc) bridge to [IRC](https://wikipedia.org/wiki/Internet_Relay_Chat) (optional) - [halfshot/matrix-appservice-discord](https://hub.docker.com/r/halfshot/matrix-appservice-discord) - the [matrix-appservice-discord](https://github.com/Half-Shot/matrix-appservice-discord) bridge to [Discord](https://discordapp.com/) (optional) diff --git a/docs/README.md b/docs/README.md index 1718c6ac..f623085b 100644 --- a/docs/README.md +++ b/docs/README.md 
@@ -12,6 +12,8 @@ - [Registering users](registering-users.md) +- [Updating users passwords](updating-users-passwords.md) + - [Configuring service discovery via .well-known](configuring-well-known.md) - [Maintenance / checking if services work](maintenance-checking-services.md) diff --git a/docs/configuring-dns.md b/docs/configuring-dns.md index f6f7906c..7638033b 100644 --- a/docs/configuring-dns.md +++ b/docs/configuring-dns.md 
@@ -54,9 +54,9 @@ The SRV record should look like this: - Name: `_matrix._tcp` (use this text as-is) - Content: `10 0 8448 matrix.` (replace `` with your own) -A [new file-based mechanism for Federation Server Discovery](configuring-well-known.md#introduction-to-federation-server-discovery) is superseding the `_matrix._tcp` SRV record. **During the transition phase, you'll need to set up both mechanisms**. We'll instruct you how to set up the file-based mechanism after the [installation phase](installing.md) for this playbook. +A [new file-based mechanism for Federation Server Discovery](configuring-well-known.md#introduction-to-federation-server-discovery) is superseding the `_matrix._tcp` SRV record for our use case. **During the transition phase, you'll need to set up both mechanisms**. We'll instruct you how to set up the file-based mechanism after the [installation phase](installing.md) for this playbook. -Doing delegation/redirection of Matrix services using a DNS SRV record (`_matrix._tcp`) is a **temporary measure** that is only necessary before Synapse v1.0 is released. +Doing delegation/redirection of Matrix services using a DNS SRV record (`_matrix._tcp`) is a **temporary measure** for our use-case, that will only be necessary before Synapse v1.0 is released. As more and more people upgrade to the Synapse v0.99 transitional release and just before the final Synapse v1.0 gets released, at some point in the near future **you will need to remove the `_matrix._tcp` SRV record** and leave only the [new file-based mechanism for Federation Server Discovery](configuring-well-known.md#introduction-to-federation-server-discovery) in place. diff --git a/docs/configuring-playbook-bridge-mautrix-facebook.md b/docs/configuring-playbook-bridge-mautrix-facebook.md new file mode 100644 index 00000000..20274cfa --- /dev/null +++ b/docs/configuring-playbook-bridge-mautrix-facebook.md 
@@ -0,0 +1,11 @@ +# Setting up Mautrix Facebook (optional) + +The playbook can install and configure [mautrix-facebook](https://github.com/tulir/mautrix-facebook) for you. + +See the project's [documentation](https://github.com/tulir/mautrix-facebook/wiki#usage) to learn what it does and why it might be useful to you. + +```yaml +matrix_mautrix_facebook_enabled: true +``` + +You then need to start a chat with `@facebookbot:YOUR_DOMAIN` (where `YOUR_DOMAIN` is your base domain, not the `matrix.` domain). diff --git a/docs/configuring-playbook-mxisd.md b/docs/configuring-playbook-mxisd.md index 06ce4437..3b0d5700 100644 --- a/docs/configuring-playbook-mxisd.md +++ b/docs/configuring-playbook-mxisd.md 
@@ -24,6 +24,19 @@ If you'd like to change the default email templates used by mxisd, take a look a (in the `roles/matrix-mxisd/defaults/main.yml` file. +## mxisd-controlled Registration + +To use the [Registration](https://github.com/kamax-matrix/mxisd/blob/master/docs/features/registration.md) feature of mxisd, you can make use of the following variables: + +- `matrix_synapse_enable_registration` - to enable user-initiated registration in Synapse + +- `matrix_synapse_registrations_require_3pid` - to control the types of 3pid (`'email'`, `'msisdn'`) required by the Synapse server for registering + +- variables prefixed with `matrix_nginx_proxy_proxy_matrix_3pid_registration_` (e.g. `matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled`) - to configure the integrated nginx webserver to send registration requests to mxisd (instead of Synapse), so it can apply its additional functionality + +- `matrix_mxisd_configuration_extension_yaml` - to configure mxisd as required. See the [Registration feature's docs](https://github.com/kamax-matrix/mxisd/blob/master/docs/features/registration.md) for inspiration. Also see the [Additional features](#additional-features) section below to learn more about how to use `matrix_mxisd_configuration_extension_yaml`. + + ## Additional features What this playbook configures for your is some bare minimum Identity Server functionality, so that you won't need to rely on external 3rd party services. diff --git a/docs/configuring-playbook-s3.md b/docs/configuring-playbook-s3.md index dda75cf2..ca6701a8 100644 --- a/docs/configuring-playbook-s3.md +++ b/docs/configuring-playbook-s3.md 
@@ -3,9 +3,11 @@ By default, this playbook configures your server to store Synapse's content repository (`media_store`) files on the local filesystem. If that's alright, you can skip this. -If you'd like to store Synapse's content repository (`media_store`) files on Amazon S3, +If you'd like to store Synapse's content repository (`media_store`) files on Amazon S3 (or other S3-compatible service), you can let this playbook configure [Goofys](https://github.com/kahing/goofys) for you. +## Amazon S3 + You'll need an Amazon S3 bucket and some IAM user credentials (access key + secret key) with full write access to the bucket. Example security policy: ```json @@ -37,3 +39,13 @@ matrix_s3_media_store_aws_access_key: "access-key-goes-here" matrix_s3_media_store_aws_secret_key: "secret-key-goes-here" matrix_s3_media_store_region: "eu-central-1" ``` + + +## Using other S3-compatible object stores + +You can use any S3-compatible object store by **additionally** configuring these variables: + +```yaml +matrix_s3_media_store_custom_endpoint_enabled: true +matrix_s3_media_store_custom_endpoint: "your-custom-endpoint" +``` diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 00c09185..93710972 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -77,6 +77,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up Mautrix Whatsapp bridging](configuring-playbook-bridge-mautrix-whatsapp.md) (optional) +- [Setting up Mautrix Facebook bridging](configuring-playbook-bridge-mautrix-facebook.md) (optional) + - [Setting up Appservice IRC bridging](configuring-playbook-bridge-appservice-irc.md) (optional) - [Setting up Appservice Discord bridging](configuring-playbook-bridge-appservice-discord.md) (optional) diff --git a/docs/configuring-well-known.md b/docs/configuring-well-known.md index 59807f28..50344c05 100644 --- a/docs/configuring-well-known.md +++ b/docs/configuring-well-known.md 
@@ -13,15 +13,19 @@ There are 2 types of well-known service discovery that Matrix makes use of: All services created by this playbook are meant to be installed on their own server (such as `matrix.`). -As [per the Server-Server specification](https://matrix.org/docs/spec/server_server/r0.1.0.html#server-discovery), to use a Matrix user identifier like `@:` while hosting services on a subdomain like `matrix.`, we need to instruct the Matrix network of such a delegation/redirection by means of setting up a `/.well-known/matrix/server` file on the base domain (`). +As [per the Server-Server specification](https://matrix.org/docs/spec/server_server/r0.1.0.html#server-discovery), to use a Matrix user identifier like `@:` while hosting services on a subdomain like `matrix.`, the Matrix network needs to be instructed of such delegation/redirection. -We have discussed this same thing already in the "`_matrix._tcp` SRV record setup (temporary requirement)" section of [Configuring DNS](configuring-dns.md). +Server delegation can be configured using DNS SRV records or by setting up a `/.well-known/matrix/server` file on the base domain (``). -In short, you are required to set up both a `_matrix._tcp` DNS SRV record and the `/.well-known/matrix/server` file at the moment. +We have discussed the DNS SRV record method already in the "`_matrix._tcp` SRV record setup (temporary requirement)" section of [Configuring DNS](configuring-dns.md). -As the Synapse server progresses towards v1.0, only the `/.well-known/matrix/server` file will be used. At that future moment, you would need to remove the `_matrix._tcp` SRV record because Synapse v1.0+ will do the wrong thing if a SRV record exists. During the transitional phase (before Synapse 1.0), we do need to have both a SRV record and a `/.well-known/matrix/server` file, in order to federate correctly with v0.99 and older Synapse versions. +Both methods have their place and will continue to do so. 
Usually, you would need to use just one of these delegation methods. +For simplicity reasons, our setup advocates for the `/.well-known/matrix/server` method and guides you into using that. +For backward compatibility with older Synapse servers (< v0.99), however, for now you are also required to set up a `_matrix._tcp` DNS SRV record (in addition to the `/.well-known/matrix/server` file on the base domain). -To learn how to set it up, read the Installing section below. +As the Synapse server progresses towards v1.0, only the `/.well-known/matrix/server` file will be used by us, unless you have a more special setup necessitating a DNS SRV record. At that future moment, you would need to remove the `_matrix._tcp` SRV record because Synapse v1.0+ will do the wrong thing if a SRV record exists. + +To learn how to set up `/.well-known/matrix/server`, read the Installing section below. ## Introduction to Client Server Discovery diff --git a/docs/maintenance-checking-services.md b/docs/maintenance-checking-services.md index 5a257c00..151a5778 100644 --- a/docs/maintenance-checking-services.md +++ b/docs/maintenance-checking-services.md @@ -10,4 +10,4 @@ ansible-playbook -i inventory/hosts setup.yml --tags=self-check If it's all green, everything is probably running correctly. -Besides this self-check, you can also check your server using the [Federation Tester](https://neo.lain.haus/fed-tester/). \ No newline at end of file +Besides this self-check, you can also check your server using the [Federation Tester](https://federationtester.matrix.org/). diff --git a/docs/updating-users-passwords.md b/docs/updating-users-passwords.md new file mode 100644 index 00000000..72b1f278 --- /dev/null +++ b/docs/updating-users-passwords.md 
@@ -0,0 +1,19 @@ +# Updating users passwords + +If you are using the matrix-postgres container(default), you can do it via this Ansible playbook (make sure to edit the `` and `` part below): + + ansible-playbook -i inventory/hosts setup.yml --extra-vars='username= password=' --tags=update-user-password + +**Note**: `` is just a plain username (like `john`), not your full `@:` identifier. + +**You can then log in with that user** via the riot-web service that this playbook has created for you at a URL like this: `https://riot./`. + +If you are NOT using the matrix-postgres container, you can generate the password hash by using the command-line after **SSH**-ing to your server (requires that [all services have been started](#starting-the-services)): + + docker exec -it matrix-synapse /usr/local/bin/hash_password -c /data/homeserver.yaml + +and then connecting to the postgres server and executing: + + UPDATE users SET password_hash = '' WHERE name = '@someone:server.com' + +where `` is the hash returned by the docker command above. diff --git a/group_vars/matrix-servers b/group_vars/matrix-servers index 6f104892..44318970 100755 --- a/group_vars/matrix-servers +++ b/group_vars/matrix-servers 
@@ -169,7 +169,7 @@ matrix_mxisd_container_expose_port: "{{ not matrix_nginx_proxy_enabled }}" # your own configuration in `matrix_mxisd_configuration_extension_yaml`. matrix_mxisd_synapsesql_enabled: true matrix_mxisd_synapsesql_type: postgresql -matrix_mxisd_synapsesql_connection: //{{ matrix_synapse_database_host }}/{{ matrix_synapse_database_database }}?user={{ matrix_synapse_database_user }}&password={{ matrix_synapse_database_password }} +matrix_mxisd_synapsesql_connection: //{{ matrix_synapse_database_host }}/{{ matrix_synapse_database_database }}?user={{ matrix_synapse_database_user | urlencode() }}&password={{ matrix_synapse_database_password | urlencode() }} matrix_mxisd_dns_overwrite_enabled: true matrix_mxisd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}" diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index 86369408..ab38084b 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -48,6 +48,7 @@ run_import_postgres: true run_upgrade_postgres: true run_start: true run_register_user: true +run_update_user_password: true run_import_sqlite_db: true run_import_media_store: true run_self_check: true diff --git a/roles/matrix-base/tasks/setup_server_base.yml b/roles/matrix-base/tasks/setup_server_base.yml index f4a8352f..1aadfb12 100644 --- a/roles/matrix-base/tasks/setup_server_base.yml +++ b/roles/matrix-base/tasks/setup_server_base.yml @@ -68,7 +68,7 @@ - name: Ensure Docker is started and autoruns service: - name: docker + name: docker state: started enabled: yes diff --git a/roles/matrix-base/templates/static-files/well-known/matrix-client.j2 b/roles/matrix-base/templates/static-files/well-known/matrix-client.j2 index e3b0d767..120f9c97 100644 --- a/roles/matrix-base/templates/static-files/well-known/matrix-client.j2 +++ b/roles/matrix-base/templates/static-files/well-known/matrix-client.j2 
@@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" { "m.homeserver": { "base_url": "{{ matrix_homeserver_url }}" diff --git a/roles/matrix-base/templates/static-files/well-known/matrix-server.j2 b/roles/matrix-base/templates/static-files/well-known/matrix-server.j2 index a8e19167..de0f5722 100644 --- a/roles/matrix-base/templates/static-files/well-known/matrix-server.j2 +++ b/roles/matrix-base/templates/static-files/well-known/matrix-server.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" { "m.server": "{{ matrix_server_fqn_matrix }}:8448" } diff --git a/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 b/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 index 9fad37d9..ac810595 100644 --- a/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 +++ b/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" #!/bin/bash if [ "$(id -u)" != "0" ]; then diff --git a/roles/matrix-corporal/defaults/main.yml b/roles/matrix-corporal/defaults/main.yml index a1406f03..09bdbb56 100644 --- a/roles/matrix-corporal/defaults/main.yml +++ b/roles/matrix-corporal/defaults/main.yml @@ -6,6 +6,9 @@ matrix_corporal_enabled: true # Controls whether the matrix-corporal web server's ports (`41080` and `41081`) are exposed outside of the container. matrix_corporal_container_expose_ports: false +# A list of extra arguments to pass to the container +matrix_corporal_container_extra_arguments: [] + # List of systemd services that matrix-corporal.service depends on matrix_corporal_systemd_required_services_list: ['docker.service'] diff --git a/roles/matrix-corporal/templates/config.json.j2 b/roles/matrix-corporal/templates/config.json.j2 index 378b2c19..e2333bcc 100644 --- a/roles/matrix-corporal/templates/config.json.j2 +++ b/roles/matrix-corporal/templates/config.json.j2 
@@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" { "Matrix": { "HomeserverDomainName": "{{ matrix_corporal_matrix_homeserver_domain_name }}", diff --git a/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 b/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 index 4035aa65..74de9680 100644 --- a/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 +++ b/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" [Unit] Description=Matrix Corporal {% for service in matrix_corporal_systemd_required_services_list %} @@ -22,6 +23,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-corporal \ -v {{ matrix_corporal_config_dir_path }}:/etc/matrix-corporal:ro \ -v {{ matrix_corporal_cache_dir_path }}:/var/cache/matrix-corporal:rw \ -v {{ matrix_corporal_var_dir_path }}:/var/matrix-corporal:rw \ + {% for arg in matrix_corporal_container_extra_arguments %} + {{ arg }} \ + {% endfor %} {{ matrix_corporal_docker_image }} \ /matrix-corporal -config=/etc/matrix-corporal/config.json ExecStop=-/usr/bin/docker kill matrix-corporal diff --git a/roles/matrix-coturn/defaults/main.yml b/roles/matrix-coturn/defaults/main.yml index b70c4058..b12cabe7 100644 --- a/roles/matrix-coturn/defaults/main.yml +++ b/roles/matrix-coturn/defaults/main.yml @@ -23,6 +23,9 @@ matrix_coturn_systemd_required_services_list: ['docker.service'] # Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."} matrix_coturn_container_additional_volumes: [] +# A list of extra arguments to pass to the container +matrix_coturn_container_extra_arguments: [] + # A shared secret (between Synapse and Coturn) used for authentication. # You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`). matrix_coturn_turn_static_auth_secret: "" 
diff --git a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 index b2d909f2..e288c0e5 100644 --- a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 +++ b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" [Unit] Description=Matrix Coturn server {% for service in matrix_coturn_systemd_required_services_list %} @@ -27,6 +28,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-coturn \ {% for volume in matrix_coturn_container_additional_volumes %} -v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \ {% endfor %} + {% for arg in matrix_coturn_container_extra_arguments %} + {{ arg }} \ + {% endfor %} {{ matrix_coturn_docker_image }} \ -c /turnserver.conf diff --git a/roles/matrix-coturn/templates/turnserver.conf.j2 b/roles/matrix-coturn/templates/turnserver.conf.j2 index 2bf7649c..3fcf0b67 100644 --- a/roles/matrix-coturn/templates/turnserver.conf.j2 +++ b/roles/matrix-coturn/templates/turnserver.conf.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" use-auth-secret static-auth-secret={{ matrix_coturn_turn_static_auth_secret }} realm=turn.{{ matrix_server_fqn_matrix }} diff --git a/roles/matrix-dimension/defaults/main.yml b/roles/matrix-dimension/defaults/main.yml index 43841fee..bae6aa10 100644 --- a/roles/matrix-dimension/defaults/main.yml +++ b/roles/matrix-dimension/defaults/main.yml @@ -20,6 +20,9 @@ matrix_dimension_user_gid: 1000 matrix_dimension_container_expose_port: false +# A list of extra arguments to pass to the container +matrix_dimension_container_extra_arguments: [] + matrix_dimension_integrations_ui_url: "https://{{ matrix_server_fqn_dimension }}/riot" matrix_dimension_integrations_rest_url: "https://{{ matrix_server_fqn_dimension }}/api/v1/scalar" matrix_dimension_integrations_widgets_urls: ["https://{{ matrix_server_fqn_dimension }}/widgets"] 
@@ -31,6 +34,7 @@ matrix_dimension_integrations_jitsi_widget_url: "https://{{ matrix_server_fqn_di # For a more advanced customization, you can extend the default (see `matrix_dimension_configuration_extension_yaml`) # or completely replace this variable with your own template. matrix_dimension_configuration_yaml: | + #jinja2: lstrip_blocks: True # The web settings for the service (API and UI). # It is best to have this run on localhost and use a reverse proxy to access Dimension. web: @@ -125,5 +129,3 @@ matrix_dimension_configuration_extension_yaml: | # Holds the final Dimension configuration (a combination of the default and its extension). # You most likely don't need to touch this variable. Instead, see `matrix_dimension_configuration_yaml`. matrix_dimension_configuration: "{{ matrix_dimension_configuration_yaml|from_yaml|combine(matrix_dimension_configuration_extension, recursive=True) }}" - - diff --git a/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 b/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 index 12f111f3..bd04be18 100644 --- a/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 +++ b/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" [Unit] Description=Matrix Dimension After=docker.service @@ -19,6 +20,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-dimension \ -p 127.0.0.1:8184:8184 \ {% endif %} -v {{ matrix_dimension_base_path }}:/data:rw \ + {% for arg in matrix_dimension_container_extra_arguments %} + {{ arg }} \ + {% endfor %} {{ matrix_dimension_docker_image }} ExecStop=-/usr/bin/docker kill matrix-dimension ExecStop=-/usr/bin/docker rm matrix-dimension diff --git a/roles/matrix-mailer/defaults/main.yml b/roles/matrix-mailer/defaults/main.yml index ffd00e36..184fd3cc 100644 --- a/roles/matrix-mailer/defaults/main.yml +++ b/roles/matrix-mailer/defaults/main.yml 
@@ -9,6 +9,9 @@ matrix_mailer_docker_image: "devture/exim-relay:4.91-r3-0" matrix_mailer_container_user_uid: 100 matrix_mailer_container_user_gid: 101 +# A list of extra arguments to pass to the container +matrix_mailer_container_extra_arguments: [] + matrix_mailer_sender_address: "matrix@{{ matrix_domain }}" matrix_mailer_relay_use: false matrix_mailer_relay_host_name: "mail.example.com" diff --git a/roles/matrix-mailer/templates/env-mailer.j2 b/roles/matrix-mailer/templates/env-mailer.j2 index 7765b8f9..180bc500 100644 --- a/roles/matrix-mailer/templates/env-mailer.j2 +++ b/roles/matrix-mailer/templates/env-mailer.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" {% if matrix_mailer_relay_use %} SMARTHOST={{ matrix_mailer_relay_host_name }}::{{ matrix_mailer_relay_host_port }} {% endif %} diff --git a/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 index f9e1348e..9b07f6c7 100644 --- a/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 +++ b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" [Unit] Description=Matrix mailer After=docker.service @@ -16,6 +17,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-mailer \ --network={{ matrix_docker_network }} \ --env-file={{ matrix_mailer_base_path }}/env-mailer \ --hostname={{ matrix_server_fqn_matrix }} \ + {% for arg in matrix_mailer_container_extra_arguments %} + {{ arg }} \ + {% endfor %} {{ matrix_mailer_docker_image }} ExecStop=-/usr/bin/docker kill matrix-mailer ExecStop=-/usr/bin/docker rm matrix-mailer diff --git a/roles/matrix-mxisd/defaults/main.yml b/roles/matrix-mxisd/defaults/main.yml index caaccfd0..dd9e8b71 100644 --- a/roles/matrix-mxisd/defaults/main.yml +++ b/roles/matrix-mxisd/defaults/main.yml 
@@ -8,6 +8,9 @@ matrix_mxisd_data_path: "{{ matrix_mxisd_base_path }}/data" # Controls whether the mxisd web server's port (`8090`) is exposed outside of the container. matrix_mxisd_container_expose_port: false +# A list of extra arguments to pass to the container +matrix_mxisd_container_extra_arguments: [] + # List of systemd services that matrix-mxisd.service depends on matrix_mxisd_systemd_required_services_list: ['docker.service'] @@ -64,6 +67,7 @@ matrix_mxisd_self_check_validate_certificates: true # For a more advanced customization, you can extend the default (see `matrix_mxisd_configuration_extension_yaml`) # or completely replace this variable with your own template. matrix_mxisd_configuration_yaml: | + #jinja2: lstrip_blocks: True matrix: domain: {{ matrix_domain }} diff --git a/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 b/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 index de0c0681..d30ba718 100644 --- a/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 +++ b/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" [Unit] Description=Matrix mxisd Identity server {% for service in matrix_mxisd_systemd_required_services_list %} @@ -27,6 +28,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-mxisd \ {% endif %} -v {{ matrix_mxisd_config_path }}:/etc/mxisd:ro \ -v {{ matrix_mxisd_data_path }}:/var/mxisd:rw \ + {% for arg in matrix_mxisd_container_extra_arguments %} + {{ arg }} \ + {% endfor %} {{ matrix_mxisd_docker_image }} ExecStop=-/usr/bin/docker kill matrix-mxisd diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 6798f841..48268d47 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml 
@@ -21,6 +21,9 @@ matrix_nginx_proxy_systemd_wanted_services_list: [] # Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."} matrix_nginx_proxy_container_additional_volumes: [] +# A list of extra arguments to pass to the container +matrix_nginx_proxy_container_extra_arguments: [] + # Controls whether matrix-nginx-proxy should serve the base domain. # # This is useful for when you only have your Matrix server, but you need to serve @@ -66,6 +69,13 @@ matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: false matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "matrix-mxisd:8090" matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "127.0.0.1:8090" +# Controls whether proxying for 3PID-based registration (`/_matrix/client/r0/register/(email|msisdn)/requestToken`) should be done (on the matrix domain). +# This allows another service to control registrations involving 3PIDs. +# To learn more, see: https://github.com/kamax-matrix/mxisd/blob/master/docs/features/registration.md +matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled: false +matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container: "matrix-mxisd:8090" +matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container: "127.0.0.1:8090" + # Controls whether proxying for the Identity API (`/_matrix/identity`) should be done (on the matrix domain) matrix_nginx_proxy_proxy_matrix_identity_api_enabled: false matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-mxisd:8090" diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 index 1886496b..dbfe96ce 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 
@@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" server { listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; server_name {{ matrix_nginx_proxy_proxy_dimension_hostname }}; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index f33d6959..27d2f297 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" server { listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; server_name {{ matrix_nginx_proxy_base_domain_hostname }}; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 index 661a5f31..4a97ebfa 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" server { listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; server_name {{ matrix_nginx_proxy_proxy_riot_hostname }}; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index 00e7a1be..d927f373 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" server { listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }}; 
@@ -102,6 +103,23 @@ server { } {% endif %} + {% if matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled %} + location ~ ^/_matrix/client/r0/register/(email|msisdn)/requestToken$ { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "{{ matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container }}"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container }}; + {% endif %} + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + } + {% endif %} + {% for configuration_block in matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks %} {{- configuration_block }} {% endfor %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2 index ed171cfa..290e1a98 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" # The default is aligned to the CPU's cache size, # which can sometimes be too low to handle our 2 vhosts (Synapse and Riot). # diff --git a/roles/matrix-nginx-proxy/templates/nginx/matrix-synapse-metrics-htpasswd.j2 b/roles/matrix-nginx-proxy/templates/nginx/matrix-synapse-metrics-htpasswd.j2 index 27cf298f..1a7247ac 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/matrix-synapse-metrics-htpasswd.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/matrix-synapse-metrics-htpasswd.j2 @@ -1,2 +1,3 @@ +#jinja2: lstrip_blocks: "True" # User and password for protecting /_synapse/metrics URI prometheus:{{ matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key }} 
diff --git a/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 index 3382d6c6..51aa8a00 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" # This is a custom nginx configuration file that we use in the container (instead of the default one), # because it allows us to run nginx with a non-root user. # diff --git a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 index cb2c4da2..1a154c0d 100644 --- a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 +++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" [Unit] Description=Matrix nginx-proxy server {% for service in matrix_nginx_proxy_systemd_required_services_list %} @@ -33,6 +34,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-nginx-proxy \ {% for volume in matrix_nginx_proxy_container_additional_volumes %} -v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \ {% endfor %} + {% for arg in matrix_nginx_proxy_container_extra_arguments %} + {{ arg }} \ + {% endfor %} {{ matrix_nginx_proxy_docker_image }} ExecStop=-/usr/bin/docker kill matrix-nginx-proxy diff --git a/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 b/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 index 7e561017..93306d78 100644 --- a/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 +++ b/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 
@@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" #!/bin/bash # For renewal to work, matrix-nginx-proxy (or another webserver, if matrix-nginx-proxy is disabled) diff --git a/roles/matrix-postgres/defaults/main.yml b/roles/matrix-postgres/defaults/main.yml index 4b26f42d..1729a275 100644 --- a/roles/matrix-postgres/defaults/main.yml +++ b/roles/matrix-postgres/defaults/main.yml @@ -12,3 +12,6 @@ matrix_postgres_docker_image_v9: "postgres:9.6.12-alpine" matrix_postgres_docker_image_v10: "postgres:10.7-alpine" matrix_postgres_docker_image_v11: "postgres:11.2-alpine" matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v11 }}" + +# A list of extra arguments to pass to the container +matrix_postgres_container_extra_arguments: [] diff --git a/roles/matrix-postgres/tasks/setup_postgres.yml b/roles/matrix-postgres/tasks/setup_postgres.yml index e22e1024..659650db 100644 --- a/roles/matrix-postgres/tasks/setup_postgres.yml +++ b/roles/matrix-postgres/tasks/setup_postgres.yml @@ -123,3 +123,10 @@ debug: msg: "Note: You are not using a local PostgreSQL database, but some old data remains from before in `{{ matrix_postgres_data_path }}`. Feel free to delete it." when: "not matrix_postgres_enabled and matrix_postgres_data_path_stat.stat.exists" + +- name: Ensure matrix-postgres-update-user-password-hash script created + template: + src: "{{ role_path }}/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2" + dest: "/usr/local/bin/matrix-postgres-update-user-password-hash" + mode: 0750 + when: matrix_postgres_enabled \ No newline at end of file diff --git a/roles/matrix-postgres/templates/env-postgres-psql.j2 b/roles/matrix-postgres/templates/env-postgres-psql.j2 index c503450a..c61927a3 100644 --- a/roles/matrix-postgres/templates/env-postgres-psql.j2 +++ b/roles/matrix-postgres/templates/env-postgres-psql.j2 
@@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" PGUSER={{ matrix_postgres_connection_username }} PGPASSWORD={{ matrix_postgres_connection_password }} PGDATABASE={{ matrix_postgres_db_name }} \ No newline at end of file diff --git a/roles/matrix-postgres/templates/env-postgres-server.j2 b/roles/matrix-postgres/templates/env-postgres-server.j2 index f9ff4dc3..34f75aee 100644 --- a/roles/matrix-postgres/templates/env-postgres-server.j2 +++ b/roles/matrix-postgres/templates/env-postgres-server.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" POSTGRES_USER={{ matrix_postgres_connection_username }} POSTGRES_PASSWORD={{ matrix_postgres_connection_password }} POSTGRES_DB={{ matrix_postgres_db_name }} \ No newline at end of file diff --git a/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 b/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 index 0d2b9fcf..2d1c9118 100644 --- a/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 +++ b/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" [Unit] Description=Matrix Postgres server After=docker.service @@ -18,6 +19,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-postgres \ --env-file={{ matrix_postgres_base_path }}/env-postgres-server \ -v {{ matrix_postgres_data_path }}:/var/lib/postgresql/data:rw \ -v /etc/passwd:/etc/passwd:ro \ + {% for arg in matrix_postgres_container_extra_arguments %} + {{ arg }} \ + {% endfor %} {{ matrix_postgres_docker_image_to_use }} ExecStop=-/usr/bin/docker stop matrix-postgres ExecStop=-/usr/bin/docker rm matrix-postgres diff --git a/roles/matrix-postgres/templates/usr-local-bin/matrix-make-user-admin.j2 b/roles/matrix-postgres/templates/usr-local-bin/matrix-make-user-admin.j2 index 20f9fda2..f8daa6a7 100644 --- a/roles/matrix-postgres/templates/usr-local-bin/matrix-make-user-admin.j2 +++ b/roles/matrix-postgres/templates/usr-local-bin/matrix-make-user-admin.j2 
@@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" #!/bin/bash if [ $# -ne 1 ]; then diff --git a/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli.j2 b/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli.j2 index 34836629..8f0c4c5b 100644 --- a/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli.j2 +++ b/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" #!/bin/bash docker run \ diff --git a/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2 b/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2 new file mode 100644 index 00000000..d950ce97 --- /dev/null +++ b/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2 @@ -0,0 +1,16 @@ +#jinja2: lstrip_blocks: "True" +#!/bin/bash + +if [ $# -ne 2 ]; then + echo "Usage: "$0" " + exit 1 +fi + +docker run \ + --rm \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \ + --network {{ matrix_docker_network }} \ + {{ matrix_postgres_docker_image_to_use }} \ + psql -h {{ matrix_postgres_connection_hostname }} -c "UPDATE users set password_hash='$2' WHERE name = '@$1:{{ matrix_domain }}'" diff --git a/roles/matrix-riot-web/defaults/main.yml b/roles/matrix-riot-web/defaults/main.yml index e17663b0..10c5773a 100644 --- a/roles/matrix-riot-web/defaults/main.yml +++ b/roles/matrix-riot-web/defaults/main.yml @@ -6,6 +6,9 @@ matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" matrix_riot_web_container_expose_port: false +# A list of extra arguments to pass to the container +matrix_riot_web_container_extra_arguments: [] + # List of systemd services that matrix-riot-web.service depends on matrix_riot_web_systemd_required_services_list: ['docker.service'] 
diff --git a/roles/matrix-riot-web/templates/config.json.j2 b/roles/matrix-riot-web/templates/config.json.j2 index 477fe4da..92753a15 100644 --- a/roles/matrix-riot-web/templates/config.json.j2 +++ b/roles/matrix-riot-web/templates/config.json.j2 @@ -1,23 +1,24 @@ +#jinja2: lstrip_blocks: "True" { - "default_hs_url": {{ matrix_riot_web_default_hs_url|to_json }}, - "default_is_url": {{ matrix_riot_web_default_is_url|to_json }}, + "default_hs_url": {{ matrix_riot_web_default_hs_url|string|to_json }}, + "default_is_url": {{ matrix_riot_web_default_is_url|string|to_json }}, "disable_custom_urls": {{ matrix_riot_web_disable_custom_urls|to_json }}, "disable_guests": {{ matrix_riot_web_disable_guests|to_json }}, "brand": "Riot", - "integrations_ui_url": {{ matrix_riot_web_integrations_ui_url|to_json }}, - "integrations_rest_url": {{ matrix_riot_web_integrations_rest_url|to_json }}, + "integrations_ui_url": {{ matrix_riot_web_integrations_ui_url|string|to_json }}, + "integrations_rest_url": {{ matrix_riot_web_integrations_rest_url|string|to_json }}, "integrations_widgets_urls": {{ matrix_riot_web_integrations_widgets_urls|to_json }}, - "integrations_jitsi_widget_url": {{ matrix_riot_web_integrations_jitsi_widget_url|to_json }}, + "integrations_jitsi_widget_url": {{ matrix_riot_web_integrations_jitsi_widget_url|string|to_json }}, "bug_report_endpoint_url": "https://riot.im/bugreports/submit", "enableLabs": true, "roomDirectory": { "servers": {{ matrix_riot_web_roomdir_servers|to_json }} }, - "welcomeUserId": {{ matrix_riot_web_welcome_user_id|to_json }}, + "welcomeUserId": {{ matrix_riot_web_welcome_user_id|string|to_json }}, {% if matrix_riot_web_enable_presence_by_hs_url is not none %} "enable_presence_by_hs_url": {{ matrix_riot_web_enable_presence_by_hs_url|to_json }}, {% endif %} "embeddedPages": { - "homeUrl": {{ matrix_riot_web_embedded_pages_home_url|to_json }} + "homeUrl": {{ matrix_riot_web_embedded_pages_home_url|string|to_json }} } } 
diff --git a/roles/matrix-riot-web/templates/nginx.conf.j2 b/roles/matrix-riot-web/templates/nginx.conf.j2 index 84789954..fba16bbd 100644 --- a/roles/matrix-riot-web/templates/nginx.conf.j2 +++ b/roles/matrix-riot-web/templates/nginx.conf.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" # This is a custom nginx configuration file that we use in the container (instead of the default one), # because it allows us to run nginx with a non-root user. # diff --git a/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 b/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 index 06f60cc5..63a6c7a6 100644 --- a/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 +++ b/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" [Unit] Description=Matrix riot-web server {% for service in matrix_riot_web_systemd_required_services_list %} @@ -26,6 +27,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-riot-web \ -v {{ matrix_riot_web_data_path }}/home.html:/etc/riot-web/home.html:ro \ {% endif %} -v {{ matrix_riot_web_data_path }}/welcome.html:/etc/riot-web/welcome.html:ro \ + {% for arg in matrix_riot_web_container_extra_arguments %} + {{ arg }} \ + {% endfor %} {{ matrix_riot_web_docker_image }} ExecStop=-/usr/bin/docker kill matrix-riot-web ExecStop=-/usr/bin/docker rm matrix-riot-web diff --git a/roles/matrix-riot-web/templates/welcome.html.j2 b/roles/matrix-riot-web/templates/welcome.html.j2 index 6456e947..319f9795 100644 --- a/roles/matrix-riot-web/templates/welcome.html.j2 +++ b/roles/matrix-riot-web/templates/welcome.html.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True"
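Review bot: The comment `# A list of extra arguments to pass to the container` on `matrix_nginx_proxy_container_extra_arguments`, `matrix_postgres_container_extra_arguments` and `matrix_riot_web_container_extra_arguments` does not match what the three systemd templates do. The `{% for arg in ... %}` loop sits before the image name in `ExecStart=/usr/bin/docker run`, so each item is an option to `docker run`, not an argument to the process inside the container. The items are written as `{{ arg }} \` with no quoting or validation, so any docker flag (extra mounts, published ports, added capabilities) can be introduced this way. Reword the comment to say these are `docker run` options, give one example value, and state that each item must be a complete option on its own.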
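Review bot: The new location in matrix-synapse.conf.j2 matches only `^/_matrix/client/r0/register/(email|msisdn)/requestToken$`, so the registration control covers a single API version prefix. If the homeserver answers the same endpoint under any other prefix, those requests fall through to the regular proxying and never reach the service at `matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container`. Confirm which prefixes are served and either widen the pattern or state the limitation in the defaults comment next to `matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled`. That comment should also say that the target must be running before the flag is turned on, since the defaults point at `matrix-mxisd:8090` and nothing in this hunk checks for it.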
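Review bot: The header `#jinja2: lstrip_blocks: "True"` added at the top of every template passes the string "True" rather than a boolean. It takes effect only because a non-empty string is truthy, which means `"False"` would enable the option too. Write it as `#jinja2: lstrip_blocks: True`. In the script templates the header now sits above `#!/bin/bash`; that works because Ansible consumes the override line when it is the first line of the file, but it is worth saying so in the commit message, since the shebang otherwise looks displaced and the header stops working if anything is ever placed above it.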
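Review bot: In the new matrix-postgres-update-user-password-hash.j2, the line `psql ... -c "UPDATE users set password_hash='$2' WHERE name = '@$1:{{ matrix_domain }}'"` splices both script arguments directly into the SQL text, so a single quote in either argument ends the string literal and the remainder is parsed as SQL, executed with the credentials from `env-postgres-psql`. Validate `$1` against the allowed username characters before use, and pass both values as psql variables (`-v`, referenced as `:'name'`) with the statement fed on stdin, because `-c` does not interpolate psql variables. The hash is also taken as a command-line argument, which leaves it in the process list and shell history; reading it from stdin would avoid that. The task that installs the script in setup_postgres.yml ends without a trailing newline.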
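Review bot: In roles/matrix-riot-web/templates/config.json.j2, adding `|string` before `|to_json` changes the output for any of these variables that is unset: a null value previously rendered as JSON `null` and now renders as the string `"None"`. That matters for fields such as `"homeUrl": {{ matrix_riot_web_embedded_pages_home_url|string|to_json }}` and `welcomeUserId`, where the client would receive a literal "None" as a URL or user ID. The same template already guards `matrix_riot_web_enable_presence_by_hs_url` with `is not none`, so null values are expected in this role. Either apply `|string` only when the value is not none, or confirm that every variable touched here always has a string default.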