Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy

6 years ago · 4b657b3822
parent 0cfa73f153 45140dca02
commit 4b657b3822
50 changed files with 295 additions and 173 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,3 +1,38 @@
+# 2019-05-25
+
+## Support for exposing container ports publicly (not just to the host)
+
+Until now, various roles supported a `matrix_*_expose_port` variable, which would expose their container's port to the host. This was mostly useful for reverse-proxying manually (in case `matrix-nginx-proxy` was disabled). It could also be used for installing some playbook services (e.g. bridges, etc.) and wiring them to a separate (manual) Matrix setup.
+
+`matrix_*_expose_port` variables were not granular enough - sometimes they would expose one port, other times multiple. They also didn't provide control over **where** to expose (to which port number and to which network interface), because they would usually hardcode something like `127.0.0.1:8080`.
+
+All such variables have been superseded by a better (more flexible) way to do it.
+
+**Most** people (including those not using `matrix-nginx-proxy`), **don't need** to bother with this.
+
+Porting examples follow for people having more customized setups:
+
+- **from** `matrix_synapse_container_expose_client_api_port: true` **to** `matrix_synapse_container_client_api_host_bind_port: '127.0.0.1:8008'`
+
+- **from** `matrix_synapse_container_expose_federation_api_port: true` **to** `matrix_synapse_container_federation_api_plain_host_bind_port: '127.0.0.1:8048'` and possibly `matrix_synapse_container_federation_api_tls_host_bind_port: '8448'`
+
+- **from** `matrix_synapse_container_expose_metrics_port: true` **to** `matrix_synapse_container_metrics_api_host_bind_port: '127.0.0.1:9100'`
+
+- **from** `matrix_riot_web_container_expose_port: true` **to** `matrix_riot_web_container_http_host_bind_port: '127.0.0.1:8765'`
+
+- **from** `matrix_mxisd_container_expose_port: true` **to** `matrix_mxisd_container_http_host_bind_port: '127.0.0.1:8090'`
+
+- **from** `matrix_dimension_container_expose_port: true` **to** `matrix_dimension_container_http_host_bind_port: '127.0.0.1:8184'`
+
+- **from** `matrix_corporal_container_expose_ports: true` **to** `matrix_corporal_container_http_gateway_host_bind_port: '127.0.0.1:41080'` and possibly `matrix_corporal_container_http_api_host_bind_port: '127.0.0.1:41081'`
+
+- **from** `matrix_appservice_irc_container_expose_client_server_api_port: true` **to** `matrix_appservice_irc_container_http_host_bind_port: '127.0.0.1:9999'`
+
+- **from** `matrix_appservice_discord_container_expose_client_server_api_port: true` **to** `matrix_appservice_discord_container_http_host_bind_port: '127.0.0.1:9005'`
+
+As always, if you forget to remove usage of some outdated variable, the playbook will warn you.
+
+
 # 2019-05-23

 ## Ansible 2.8 compatibility
--- a/docs/configuring-playbook-dimension.md
+++ b/docs/configuring-playbook-dimension.md
@ -9,7 +9,7 @@ For an Integration Manager like [Dimension](https://dimension.t2bot.io) to work,
 Other important prerequisite is the `dimension.<your-domain>` DNS record being set up correctly. See [Configuring your DNS server](configuring-dns.md) on how to set up DNS record correctly.

 ## Enable
-[Dimension integrations manager](https://dimension.t2bot.io) installation is disabled by default. You can enable it in your configuration file (`inventory/matrix.<your-domain>/vars.yml`):
+[Dimension integrations manager](https://dimension.t2bot.io) installation is disabled by default. You can enable it in your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`):

 ```yaml
 matrix_dimension_enabled: true
@ -18,7 +18,7 @@ matrix_dimension_enabled: true

 ## Define admin users
 These users can modify the integrations this Dimension supports. Admin interface is accessible by opening Dimension in Riot and clicking the settings icon.
-Add this to your configuration file (`inventory/matrix.<your-domain>/vars.yml`):
+Add this to your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`):

 ```yaml
 matrix_dimension_admins: ['@user1:domain.com', '@user2:domain.com']
@ -37,7 +37,7 @@ To get an access token, follow these steps:

 **Access tokens are sensitive information. Do not include them in any bug reports, messages, or logs. Do not share the access token with anyone.**

-Add access token to your configuration file (`inventory/matrix.<your-domain>/vars.yml`):
+Add access token to your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`):

 ```yaml
 matrix_dimension_access_token: "YOUR ACCESS TOKEN HERE"
--- a/docs/configuring-playbook-external-postgres.md
+++ b/docs/configuring-playbook-external-postgres.md
@ -3,7 +3,7 @@
 By default, this playbook would set up a PostgreSQL database server on your machine, running in a Docker container.
 If that's alright, you can skip this.

-If you'd like to use an external PostgreSQL server that you manage, you can edit your configuration file  (`inventory/matrix.<your-domain>/vars.yml`).
+If you'd like to use an external PostgreSQL server that you manage, you can edit your configuration file  (`inventory/host_vars/matrix.<your-domain>/vars.yml`).
 It should be something like this:

 ```yaml
--- a/docs/configuring-playbook-federation.md
+++ b/docs/configuring-playbook-federation.md
@ -6,7 +6,7 @@ That is, people on your server can communicate with people on any other Matrix s

 ## Federating only with select servers

-To make your server only federate with servers of your choosing, add this to your configuration file (`inventory/matrix.<your-domain>/vars.yml`):
+To make your server only federate with servers of your choosing, add this to your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`):

 ```yaml
 matrix_synapse_federation_domain_whitelist:
@ -19,10 +19,10 @@ If you wish to disable federation, you can do that with an empty list (`[]`), or

 ## Disabling federation

-To completely disable federation, isolating your server from the rest of the Matrix network, add this to your configuration file (`inventory/matrix.<your-domain>/vars.yml`):
+To completely disable federation, isolating your server from the rest of the Matrix network, add this to your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`):

 ```yaml
 matrix_synapse_federation_enabled: false
 ```

-With that, your server's users will only be able to talk among themselves, but not to anyone who is on another server.
+With that, your server's users will only be able to talk among themselves, but not to anyone who is on another server.
--- a/docs/configuring-playbook-own-webserver.md
+++ b/docs/configuring-playbook-own-webserver.md
@ -13,13 +13,13 @@ No matter which external webserver you decide to go with, you'll need to:

 1) Make sure your web server user (something like `http`, `apache`, `www-data`, `nginx`) is part of the `matrix` group. You should run something like this: `usermod -a -G matrix nginx`

-2) Edit your configuration file (`inventory/matrix.<your-domain>/vars.yml`) to disable the integrated nginx server:
+2) Edit your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`) to disable the integrated nginx server:

 ```yaml
 matrix_nginx_proxy_enabled: false
 ```

-3) **If you'll manage SSL certificates by yourself**, edit your configuration file (`inventory/matrix.<your-domain>/vars.yml`) to disable SSL certificate retrieval:
+3) **If you'll manage SSL certificates by yourself**, edit your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`) to disable SSL certificate retrieval:

 ```yaml
 matrix_ssl_retrieval_method: none
--- a/docs/configuring-playbook-s3.md
+++ b/docs/configuring-playbook-s3.md
@ -29,7 +29,7 @@ You'll need an Amazon S3 bucket and some IAM user credentials (access key + secr
 }
 ```

-You then need to enable S3 support in your configuration file (`inventory/matrix.<your-domain>/vars.yml`).
+You then need to enable S3 support in your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`).
 It would be something like this:

 ```yaml
--- a/docs/howto-server-delegation.md
+++ b/docs/howto-server-delegation.md
@ -89,10 +89,8 @@ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key: /matrix/ssl/
 If your files are not in `/matrix/ssl` but in some other location, you would need to mount them into the container:

 ```yaml
-matrix_nginx_proxy_container_additional_volumes:
-  - src: /some/path/on/the/host
-    dst: /some/path/inside/the/container
-    options: ro
+matrix_synapse_container_extra_arguments:
+  - "--mount type-bind,src=/some/path/on/the/host,dst=/some/path/inside/the/container,ro"
 ```

 You then refer to them (for `matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate` and `matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key`) by using `/some/path/inside/the/container`.
@ -118,10 +116,8 @@ Make sure to reload/restart your webserver once in a while, so that newer certif
 To do that, make sure the certificate files are mounted into the Synapse container:

 ```yaml
-matrix_synapse_container_additional_volumes:
-  - src: /some/path/on/the/host
-    dst: /some/path/inside/the/container
-    options: ro
+matrix_synapse_container_extra_arguments:
+  - "--mount type-bind,src=/some/path/on/the/host,dst=/some/path/inside/the/container,ro"
 ```

 You can then tell Synapse to serve Federation traffic over TLS on `tcp/8448`:
--- a/examples/apache/README.md
+++ b/examples/apache/README.md
@ -6,7 +6,7 @@ This is for when you wish to have your own Apache webserver sitting in front of
 See the [Using your own webserver, instead of this playbook's nginx proxy](../../docs/configuring-playbook-own-webserver.md) documentation page.

 To use your own Apache reverse-proxy, you first need to disable the integrated nginx server.
-You do that with the following custom configuration (`inventory/matrix.<your-domain>/vars.yml`):
+You do that with the following custom configuration (`inventory/host_vars/matrix.<your-domain>/vars.yml`):

 ```yaml
 matrix_nginx_proxy_enabled: false
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@ -36,8 +36,8 @@ matrix_appservice_discord_enabled: false

 # Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-discord over the container network.
 # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
-# matrix-appservice-discord's client-server port to the local host (`127.0.0.1:9005`).
-matrix_appservice_discord_container_expose_client_server_api_port: "{{ not matrix_nginx_proxy_enabled }}"
+# matrix-appservice-discord's client-server port to the local host.
+matrix_appservice_discord_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9005' }}"

 matrix_appservice_discord_systemd_required_services_list: |
  {{
@ -64,8 +64,8 @@ matrix_appservice_irc_enabled: false

 # Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-irc over the container network.
 # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
-# matrix-appservice-irc's client-server port to the local host (`127.0.0.1:9999`).
-matrix_appservice_irc_container_expose_client_server_api_port: "{{ not matrix_nginx_proxy_enabled }}"
+# matrix-appservice-irc's client-server port to the local host.
+matrix_appservice_irc_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9999' }}"

 matrix_appservice_irc_systemd_required_services_list: |
  {{
@ -122,6 +122,8 @@ matrix_mautrix_telegram_systemd_required_services_list: |

 matrix_mautrix_telegram_public_endpoint: "/{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'telegram') | to_uuid }}"

+matrix_mautrix_telegram_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9006' }}"
+
 ######################################################################
 #
 # /matrix-bridge-mautrix-telegram
@ -162,8 +164,9 @@ matrix_corporal_enabled: false

 # Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-corporal over the container network.
 # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
-# matrix-corporal's web-server ports to the local host (`127.0.0.1:41080` and `127.0.0.1:41081`).
-matrix_corporal_container_expose_ports: "{{ not matrix_nginx_proxy_enabled }}"
+# matrix-corporal's web-server ports to the local host.
+matrix_corporal_container_http_gateway_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:41080' }}"
+matrix_corporal_container_http_api_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:41081' }}"

 matrix_corporal_systemd_required_services_list: |
  {{
@ -222,8 +225,8 @@ matrix_dimension_enabled: false

 # Normally, matrix-nginx-proxy is enabled and nginx can reach Dimension over the container network.
 # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
-# the Dimension HTTP port to the local host (`127.0.0.1:8184`).
-matrix_dimension_container_expose_port: "{{ not matrix_nginx_proxy_enabled }}"
+# the Dimension HTTP port to the local host.
+matrix_dimension_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8184' }}"

 ######################################################################
 #
@ -264,8 +267,8 @@ matrix_mxisd_enabled: true

 # Normally, matrix-nginx-proxy is enabled and nginx can reach mxisd over the container network.
 # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
-# mxisd's web-server port to the local host (`127.0.0.1:8090`).
-matrix_mxisd_container_expose_port: "{{ not matrix_nginx_proxy_enabled }}"
+# mxisd's web-server port.
+matrix_mxisd_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8090' }}"

 # We enable Synapse integration via its Postgres database by default.
 # When using another Identity store, you might wish to disable this and define
@ -408,8 +411,8 @@ matrix_riot_web_enabled: true

 # Normally, matrix-nginx-proxy is enabled and nginx can reach riot-web over the container network.
 # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
-# the riot-web HTTP port to the local host (`127.0.0.1:80`).
-matrix_riot_web_container_expose_port: "{{ not matrix_nginx_proxy_enabled }}"
+# the riot-web HTTP port to the local host.
+matrix_riot_web_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8765' }}"

 matrix_riot_web_default_hs_url: "{{ matrix_homeserver_url }}"
 matrix_riot_web_default_is_url: "{{ matrix_identity_server_url }}"
@ -449,15 +452,20 @@ matrix_riot_web_enable_presence_by_hs_url: |
 matrix_synapse_trusted_third_party_id_servers: "{{ [matrix_server_fqn_matrix] if matrix_mxisd_enabled else matrix_synapse_id_servers_public }}"

 # Normally, matrix-nginx-proxy is enabled and nginx can reach Synapse over the container network.
-# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose its ports
-# to the local host.
+# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it,
+# you can expose Synapse's ports to the host.
 #
-# For exposing the Matrix Client API's port (plain HTTP) to the local host (`127.0.0.1:8008`).
-matrix_synapse_container_expose_client_api_port: "{{ not matrix_nginx_proxy_enabled }}"
-# For exposing the Matrix Federation API's port (plain HTTP) to the local host (`127.0.0.1:8048`).
-matrix_synapse_container_expose_federation_api_port: "{{ not matrix_nginx_proxy_enabled }}"
-
-matrix_synapse_container_expose_metrics_port: "{{ not matrix_nginx_proxy_enabled }}"
+# For exposing the Matrix Client API's port (plain HTTP) to the local host.
+matrix_synapse_container_client_api_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8008' }}"
+#
+# For exposing the Matrix Federation API's plain port (plain HTTP) to the local host.
+matrix_synapse_container_federation_api_plain_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8048' }}"
+#
+# For exposing the Matrix Federation API's TLS port (HTTPS) to the internet on all network interfaces.
+matrix_synapse_container_federation_api_tls_host_bind_port: "{{ '8448' if (matrix_synapse_federation_enabled and matrix_synapse_tls_federation_listener_enabled) else '' }}"
+#
+# For exposing the Synapse Metrics API's port (plain HTTP) to the local host.
+matrix_synapse_container_metrics_api_host_bind_port: "{{ '127.0.0.1:9100' if (matrix_synapse_metrics_enabled and not matrix_nginx_proxy_enabled) else '' }}"

 matrix_synapse_database_host: "{{ matrix_postgres_connection_hostname }}"
 matrix_synapse_database_user: "{{ matrix_postgres_connection_username }}"
--- a/roles/matrix-bridge-appservice-discord/defaults/main.yml
+++ b/roles/matrix-bridge-appservice-discord/defaults/main.yml
@ -11,8 +11,10 @@ matrix_appservice_discord_base_path: "{{ matrix_base_data_path }}/appservice-dis
 matrix_appservice_discord_client_id: ''
 matrix_appservice_discord_bot_token: ''

-# Controls whether the Appservice Discord container exposes the Client/Server API port (tcp/9005).
-matrix_appservice_discord_container_expose_client_server_api_port: false
+# Controls whether the matrix-appservice-discord container exposes its HTTP port (tcp/9005 in the container).
+#
+# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:9005"), or empty string to not expose.
+matrix_appservice_discord_container_http_host_bind_port: ''

 # A list of extra arguments to pass to the container
 matrix_appservice_discord_container_extra_arguments: []
--- a/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml
+++ b/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml
@ -61,9 +61,6 @@
    -l discord_bot
  when: "not appservice_discord_registration_file.stat.exists"

- set_fact:
-    matrix_synapse_app_service_config_file_appservice_discord: '{{ matrix_appservice_discord_base_path }}/discord-registration.yml'
-
 - name: Check if a matrix-appservice-discord invite_link file exists
  stat:
    path: "{{ matrix_appservice_discord_base_path }}/invite_link"
@ -82,12 +79,12 @@

 # If the matrix-synapse role is not used, these variables may not exist.
 - set_fact:
-    matrix_synapse_container_additional_volumes: >
-      {{ matrix_synapse_container_additional_volumes|default([]) }}
+    matrix_synapse_container_extra_arguments: >
+      {{ matrix_synapse_container_extra_arguments|default([]) }}
      +
-      {{ [{'src': '{{ matrix_appservice_discord_base_path }}/discord-registration.yaml', 'dst': '{{ matrix_synapse_app_service_config_file_appservice_discord }}', 'options': 'ro'}] }}
+      {{ ["--mount type=bind,src={{ matrix_appservice_discord_base_path }}/discord-registration.yaml,dst=/matrix-appservice-discord-registration.yaml,ro"] }}

    matrix_synapse_app_service_config_files: >
      {{ matrix_synapse_app_service_config_files|default([]) }}
      +
-      {{ ["{{ matrix_synapse_app_service_config_file_appservice_discord }}"] | to_nice_json  }}
+      {{ ["/matrix-appservice-discord-registration.yaml"] }}
--- a/roles/matrix-bridge-appservice-discord/tasks/validate_config.yml
+++ b/roles/matrix-bridge-appservice-discord/tasks/validate_config.yml
@ -8,3 +8,12 @@
  with_items:
    - "matrix_appservice_discord_client_id"
    - "matrix_appservice_discord_bot_token"
+
+- name: (Deprecation) Catch and report renamed appservice-discord variables
+  fail:
+    msg: >-
+      Your configuration contains a variable, which now has a different name.
+      Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
+  when: "item.old in vars"
+  with_items:
+    - {'old': 'matrix_appservice_discord_container_expose_client_server_api_port', 'new': '<superseded by matrix_appservice_discord_container_http_host_bind_port>'}
--- a/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2
+++ b/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2
@ -19,8 +19,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-appservice-discord \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--cap-drop=ALL \
 			--network={{ matrix_docker_network }} \
-			{% if matrix_appservice_discord_container_expose_client_server_api_port %}
-			-p 127.0.0.1:9005:9005 \
+			{% if matrix_appservice_discord_container_http_host_bind_port %}
+			-p {{ matrix_appservice_discord_container_http_host_bind_port }}:9005 \
 			{% endif %}
 			-v {{ matrix_appservice_discord_base_path }}:/data \
 			{% for arg in matrix_appservice_discord_container_extra_arguments %}
--- a/roles/matrix-bridge-appservice-irc/defaults/main.yml
+++ b/roles/matrix-bridge-appservice-irc/defaults/main.yml
@ -7,8 +7,10 @@ matrix_appservice_irc_docker_image: "tedomum/matrix-appservice-irc:latest"

 matrix_appservice_irc_base_path: "{{ matrix_base_data_path }}/appservice-irc"

-# Controls whether the Appservice IRC container exposes the Client/Server API port (tcp/9999).
-matrix_appservice_irc_container_expose_client_server_api_port: false
+# Controls whether the matrix-appservice-discord container exposes its HTTP port (tcp/9999 in the container).
+#
+# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:9999"), or empty string to not expose.
+matrix_appservice_irc_container_http_host_bind_port: ''

 # A list of extra arguments to pass to the container
 matrix_appservice_irc_container_extra_arguments: []
--- a/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml
+++ b/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml
@ -70,20 +70,17 @@
    -l irc_bot
  when: "not appservice_irc_registration_file.stat.exists"

- set_fact:
-    matrix_synapse_app_service_config_file_appservice_irc: '/app-registration/appservice-irc.yml'
-
 # If the matrix-synapse role is not used, these variables may not exist.
 - set_fact:
-    matrix_synapse_container_additional_volumes: >
-      {{ matrix_synapse_container_additional_volumes|default([]) }}
+    matrix_synapse_container_extra_arguments: >
+      {{ matrix_synapse_container_extra_arguments|default([]) }}
      +
-      {{ [{'src': '{{ matrix_appservice_irc_base_path }}/registration.yaml', 'dst': '{{ matrix_synapse_app_service_config_file_appservice_irc }}', 'options': 'ro'}] }}
+      {{ ["--mount type=bind,src={{ matrix_appservice_irc_base_path }}/registration.yaml,dst=/matrix-appservice-irc-registration.yaml,ro"] }}

    matrix_synapse_app_service_config_files: >
      {{ matrix_synapse_app_service_config_files|default([]) }}
      +
-      {{ ["{{ matrix_synapse_app_service_config_file_appservice_irc }}"] | to_nice_json  }}
+      {{ ["/matrix-appservice-irc-registration.yaml"] }}

 - name: Ensure IRC configuration directory permissions are correct
  file:
--- a/roles/matrix-bridge-appservice-irc/tasks/validate_config.yml
+++ b/roles/matrix-bridge-appservice-irc/tasks/validate_config.yml
@ -14,3 +14,11 @@
      You need to define additional configuration in `matrix_appservice_irc_configuration_extension_yaml` or to override `matrix_appservice_irc_configuration`.
  when: "matrix_appservice_irc_configuration.ircService|default(none) is none"

+- name: (Deprecation) Catch and report renamed appservice-irc variables
+  fail:
+    msg: >-
+      Your configuration contains a variable, which now has a different name.
+      Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
+  when: "item.old in vars"
+  with_items:
+    - {'old': 'matrix_appservice_irc_container_expose_client_server_api_port', 'new': '<superseded by matrix_appservice_irc_container_http_host_bind_port>'}
--- a/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2
+++ b/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2
@ -19,8 +19,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-appservice-irc \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--cap-drop=ALL \
 			--network={{ matrix_docker_network }} \
-			{% if matrix_appservice_irc_container_expose_client_server_api_port %}
-			-p 127.0.0.1:9999:9999 \
+			{% if matrix_appservice_irc_container_http_host_bind_port %}
+			-p {{ matrix_appservice_irc_container_http_host_bind_port }}:9999 \
 			{% endif %}
 			-v {{ matrix_appservice_irc_base_path }}:/data:z \
 			{% for arg in matrix_appservice_irc_container_extra_arguments %}
--- a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml
+++ b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml
@ -7,10 +7,6 @@ matrix_mautrix_facebook_docker_image: "tulir/mautrix-facebook:latest"

 matrix_mautrix_facebook_base_path: "{{ matrix_base_data_path }}/mautrix-facebook"

-# Get your own API keys at https://developers.facebook.com/docs/apis-and-sdks/
-matrix_mautrix_facebook_api_id: ''
-matrix_mautrix_facebook_api_hash: ''
-
 matrix_mautrix_facebook_homeserver_address: 'https://{{ matrix_server_fqn_matrix }}'
 matrix_mautrix_facebook_homeserver_domain: '{{ matrix_domain }}'
 matrix_mautrix_facebook_appservice_address: 'http://matrix-mautrix-facebook:8080'
--- a/roles/matrix-bridge-mautrix-facebook/tasks/main.yml
+++ b/roles/matrix-bridge-mautrix-facebook/tasks/main.yml
@ -2,12 +2,6 @@
  tags:
    - always

- import_tasks: "{{ role_path }}/tasks/validate_config.yml"
-  when: "run_setup|bool and matrix_mautrix_facebook_enabled|bool"
-  tags:
-    - setup-all
-    - setup-mautrix-facebook
-
 - import_tasks: "{{ role_path }}/tasks/setup_install.yml"
  when: "run_setup|bool and matrix_mautrix_facebook_enabled|bool"
  tags:
--- a/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml
+++ b/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml
@ -65,17 +65,14 @@
      python3 -m mautrix_facebook -g -c /data/config.yaml -r /data/registration.yaml
  when: "not mautrix_facebook_registration_file_stat.stat.exists"

- set_fact:
-    matrix_synapse_app_service_config_file_mautrix_facebook: '/app-registration/mautrix-facebook.yml'
-
 # If the matrix-synapse role is not used, these variables may not exist.
 - set_fact:
-    matrix_synapse_container_additional_volumes: >
-      {{ matrix_synapse_container_additional_volumes|default([]) }}
+    matrix_synapse_container_extra_arguments: >
+      {{ matrix_synapse_container_extra_arguments|default([]) }}
      +
-      {{ [{'src': '{{ matrix_mautrix_facebook_base_path }}/registration.yaml', 'dst': '{{ matrix_synapse_app_service_config_file_mautrix_facebook }}', 'options': 'ro'}] }}
+      {{ ["--mount type=bind,src={{ matrix_mautrix_facebook_base_path }}/registration.yaml,dst=/matrix-mautrix-facebook-registration.yaml,ro"] }}

    matrix_synapse_app_service_config_files: >
      {{ matrix_synapse_app_service_config_files|default([]) }}
      +
-      {{ ["{{ matrix_synapse_app_service_config_file_mautrix_facebook }}"] | to_nice_json  }}
+      {{ ["/matrix-mautrix-facebook-registration.yaml"] }}
--- a/roles/matrix-bridge-mautrix-facebook/tasks/validate_config.yml
+++ b/roles/matrix-bridge-mautrix-facebook/tasks/validate_config.yml
@ -1,10 +0,0 @@
---
-
- name: Fail if required settings not defined
-  fail:
-    msg: >-
-      You need to define a required configuration setting (`{{ item }}`).
-  when: "vars[item] == ''"
-  with_items:
-    - "matrix_mautrix_facebook_api_id"
-    - "matrix_mautrix_facebook_api_hash"
--- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml
+++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml
@ -3,7 +3,7 @@

 matrix_mautrix_telegram_enabled: true

-matrix_mautrix_telegram_docker_image: "tulir/mautrix-telegram:v0.5.1"
+matrix_mautrix_telegram_docker_image: "tulir/mautrix-telegram:v0.5.2"

 matrix_mautrix_telegram_base_path: "{{ matrix_base_data_path }}/mautrix-telegram"

@ -21,8 +21,10 @@ matrix_mautrix_telegram_homeserver_domain: '{{ matrix_domain }}'
 matrix_mautrix_telegram_appservice_address: 'http://matrix-mautrix-telegram:8080'
 matrix_mautrix_telegram_appservice_public_external: 'https://{{ matrix_server_fqn_matrix }}{{ matrix_mautrix_telegram_public_endpoint }}'

-# Set this to a port number to expose on the host when not using matrix-nginx-proxy
-matrix_mautrix_telegram_container_exposed_port_number: ~
+# Controls whether the matrix-telegram container exposes its HTTP port (tcp/8080 in the container).
+#
+# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:9006"), or empty string to not expose.
+matrix_mautrix_telegram_container_http_host_bind_port: ''

 # A list of extra arguments to pass to the container
 matrix_mautrix_telegram_container_extra_arguments: []
--- a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml
+++ b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml
@ -76,43 +76,40 @@
      python3 -m mautrix_telegram -g -c /data/config.yaml -r /data/registration.yaml
  when: "not mautrix_telegram_registration_file_stat.stat.exists"

- set_fact:
-    matrix_synapse_app_service_config_file_mautrix_telegram: '/app-registration/mautrix-telegram.yml'
-
 # If the matrix-synapse role is not used, these variables may not exist.
 - set_fact:
-    matrix_synapse_container_additional_volumes: >
-      {{ matrix_synapse_container_additional_volumes|default([]) }}
+    matrix_synapse_container_extra_arguments: >
+      {{ matrix_synapse_container_extra_arguments|default([]) }}
      +
-      {{ [{'src': '{{ matrix_mautrix_telegram_base_path }}/registration.yaml', 'dst': '{{ matrix_synapse_app_service_config_file_mautrix_telegram }}', 'options': 'ro'}] }}
+      {{ ["--mount type=bind,src={{ matrix_mautrix_telegram_base_path }}/registration.yaml,dst=/matrix-mautrix-telegram-registration.yaml,ro"] }}

    matrix_synapse_app_service_config_files: >
      {{ matrix_synapse_app_service_config_files|default([]) }}
      +
-      {{ ["{{ matrix_synapse_app_service_config_file_mautrix_telegram }}"] | to_nice_json  }}
+      {{ ["/matrix-mautrix-telegram-registration.yaml"] }}

 - block:
  - name: Fail if matrix-nginx-proxy role already executed
    fail:
-      msg: >
+      msg: >-
        Trying to append Mautrix Telegram's reverse-proxying configuration to matrix-nginx-proxy,
        but it's pointless since the matrix-nginx-proxy role had already executed.
        To fix this, please change the order of roles in your plabook,
        so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-telegram role.
-    when: matrix_nginx_proxy_role_executed|bool
+    when: matrix_nginx_proxy_role_executed|default(False)|bool

  - name: Generate Mautrix Telegram proxying configuration for matrix-nginx-proxy
    set_fact:
      matrix_mautrix_telegram_matrix_nginx_proxy_configuration: |
        location {{ matrix_mautrix_telegram_public_endpoint }} {
-        {% if matrix_nginx_proxy_enabled %}
+        {% if matrix_nginx_proxy_enabled|default(False) %}
        	{# Use the embedded DNS resolver in Docker containers to discover the service #}
        	resolver 127.0.0.11 valid=5s;
        	set $backend "matrix-mautrix-telegram:8080";
        	proxy_pass http://$backend;
        {% else %}
        	{# Generic configuration for use outside of our container setup #}
-        	proxy_pass http://127.0.0.1:8080;
+        	proxy_pass http://127.0.0.1:9006;
        {% endif %}
        }

@ -120,20 +117,19 @@
    set_fact:
      matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: |
        {{
-          matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks
+          matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks|default([])
          +
          [matrix_mautrix_telegram_matrix_nginx_proxy_configuration]
        }}
-
-  when: "matrix_nginx_proxy_enabled|default(False)"
  tags:
   - always

 - name: Warn about reverse-proxying if matrix-nginx-proxy not used
  debug:
-    msg: >
+    msg: >-
      NOTE: You've enabled the Mautrix Telegram bridge but are not using the matrix-nginx-proxy
      reverse proxy.
      Please make sure that you're proxying the `{{ matrix_mautrix_telegram_public_endpoint }}`
      URL endpoint to the matrix-mautrix-telegram container.
+      You can expose the container's port using the `matrix_mautrix_telegram_container_http_host_bind_port` variable.
  when: "matrix_nginx_proxy_enabled is not defined"
--- a/roles/matrix-bridge-mautrix-telegram/tasks/validate_config.yml
+++ b/roles/matrix-bridge-mautrix-telegram/tasks/validate_config.yml
@ -9,3 +9,12 @@
    - "matrix_mautrix_telegram_api_id"
    - "matrix_mautrix_telegram_api_hash"
    - "matrix_mautrix_telegram_public_endpoint"
+
+- name: (Deprecation) Catch and report renamed Telegram variables
+  fail:
+    msg: >-
+      Your configuration contains a variable, which now has a different name.
+      Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
+  when: "item.old in vars"
+  with_items:
+    - {'old': 'matrix_mautrix_telegram_container_exposed_port_number', 'new': '<superseded by matrix_mautrix_telegram_container_http_host_bind_port>'}
--- a/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2
+++ b/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2
@ -26,8 +26,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-mautrix-telegram \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--cap-drop=ALL \
 			--network={{ matrix_docker_network }} \
-			{% if matrix_mautrix_telegram_container_exposed_port_number is not none %}
-			-p 127.0.0.1:{{ matrix_mautrix_telegram_container_exposed_port_number }}:8080 \
+			{% if matrix_mautrix_telegram_container_http_host_bind_port %}
+			-p {{ matrix_mautrix_telegram_container_http_host_bind_port }}:8080 \
 			{% endif %}
 			-v {{ matrix_mautrix_telegram_base_path }}:/data:z \
 			{% for arg in matrix_mautrix_telegram_container_extra_arguments %}
--- a/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml
+++ b/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml
@ -65,17 +65,14 @@
      /usr/bin/mautrix-whatsapp -g -c /data/config.yaml -r /data/registration.yaml
  when: "not mautrix_whatsapp_registration_file_stat.stat.exists"

- set_fact:
-    matrix_synapse_app_service_config_file_mautrix_whatsapp: '/app-registration/mautrix-whatsapp.yml'
-
 # If the matrix-synapse role is not used, these variables may not exist.
 - set_fact:
-    matrix_synapse_container_additional_volumes: >
-      {{ matrix_synapse_container_additional_volumes|default([]) }}
+    matrix_synapse_container_extra_arguments: >
+      {{ matrix_synapse_container_extra_arguments|default([]) }}
      +
-      {{ [{'src': '{{ matrix_mautrix_whatsapp_base_path }}/registration.yaml', 'dst': '{{ matrix_synapse_app_service_config_file_mautrix_whatsapp }}', 'options': 'ro'}] }}
+      {{ ["--mount type=bind,src={{ matrix_mautrix_whatsapp_base_path }}/registration.yaml,dst=/matrix-mautrix-whatsapp-registration.yaml,ro"] }}

    matrix_synapse_app_service_config_files: >
      {{ matrix_synapse_app_service_config_files|default([]) }}
      +
-      {{ ["{{ matrix_synapse_app_service_config_file_mautrix_whatsapp }}"] | to_nice_json  }}
+      {{ ["/matrix-mautrix-whatsapp-registration.yaml"] }}
--- a/roles/matrix-common-after/tasks/start.yml
+++ b/roles/matrix-common-after/tasks/start.yml
@ -36,6 +36,6 @@
    msg: >-
      {{ item }} was not detected to be running.
      It's possible that there's a configuration problem or another service on your server interferes with it (uses the same ports, etc.).
-      Try running `systemctl status {{ item }}` and `systemctl -fu {{ item }}` on the server to investigate.
+      Try running `systemctl status {{ item }}` and `journalctl -fu {{ item }}` on the server to investigate.
  with_items: "{{ matrix_systemd_services_list }}"
  when: "ansible_facts.services[item + '.service']|default(none) is none or ansible_facts.services[item + '.service'].state != 'running'"
--- a/roles/matrix-corporal/defaults/main.yml
+++ b/roles/matrix-corporal/defaults/main.yml
@ -3,8 +3,15 @@

 matrix_corporal_enabled: true

-# Controls whether the matrix-corporal web server's ports (`41080` and `41081`) are exposed outside of the container.
-matrix_corporal_container_expose_ports: false
+# Controls whether the matrix-corporal container exposes its gateway HTTP port (tcp/41080 in the container).
+#
+# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:41080"), or empty string to not expose.
+matrix_corporal_container_http_gateway_host_bind_port: ''
+
+# Controls whether the matrix-corporal container exposes its API HTTP port (tcp/41081 in the container).
+#
+# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:41081"), or empty string to not expose.
+matrix_corporal_container_http_api_host_bind_port: ''

 # A list of extra arguments to pass to the container
 matrix_corporal_container_extra_arguments: []
--- a/roles/matrix-corporal/tasks/validate_config.yml
+++ b/roles/matrix-corporal/tasks/validate_config.yml
@ -2,7 +2,7 @@

 - name: Fail if required matrix-corporal settings not defined
  fail:
-    msg: >
+    msg: >-
      You need to define a required configuration setting (`{{ item }}`) for using matrix-corporal.
  when: "vars[item] == ''"
  with_items:
@ -15,3 +15,13 @@
  fail:
    msg: "The Matrix Corporal HTTP API is enabled (`matrix_corporal_http_api_enabled`), but no auth token has been set in `matrix_corporal_http_api_auth_token`"
  when: "matrix_corporal_http_api_enabled|bool and matrix_corporal_http_api_auth_token == ''"
+
+
+- name: (Deprecation) Catch and report renamed corporal variables
+  fail:
+    msg: >-
+      Your configuration contains a variable, which now has a different name.
+      Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
+  when: "item.old in vars"
+  with_items:
+    - {'old': 'matrix_corporal_container_expose_ports', 'new': '<superseded by matrix_corporal_container_http_gateway_host_bind_port and matrix_corporal_container_http_api_host_bind_port>'}
--- a/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2
+++ b/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2
@ -17,9 +17,11 @@ ExecStart=/usr/bin/docker run --rm --name matrix-corporal \
 			--cap-drop=ALL \
 			--read-only \
 			--network={{ matrix_docker_network }} \
-			{% if matrix_corporal_container_expose_ports %}
-			-p 127.0.0.1:41080:41080 \
-			-p 127.0.0.1:41081:41081 \
+			{% if matrix_corporal_container_http_gateway_host_bind_port %}
+			-p {{ matrix_corporal_container_http_gateway_host_bind_port }}:41080 \
+			{% endif %}
+			{% if matrix_corporal_container_http_api_host_bind_port %}
+			-p {{ matrix_corporal_container_http_api_host_bind_port }}:41081 \
 			{% endif %}
 			-v {{ matrix_corporal_config_dir_path }}:/etc/matrix-corporal:ro \
 			-v {{ matrix_corporal_cache_dir_path }}:/var/cache/matrix-corporal:rw \
--- a/roles/matrix-coturn/tasks/validate_config.yml
+++ b/roles/matrix-coturn/tasks/validate_config.yml
@ -2,7 +2,7 @@

 - name: Fail if required Coturn settings not defined
  fail:
-    msg: >
+    msg: >-
      You need to define a required configuration setting (`{{ item }}`) for using Coturn.
  when: "vars[item] == ''"
  with_items:
--- a/roles/matrix-dimension/defaults/main.yml
+++ b/roles/matrix-dimension/defaults/main.yml
@ -18,7 +18,10 @@ matrix_dimension_docker_image: "turt2live/matrix-dimension:latest"
 matrix_dimension_user_uid: 1000
 matrix_dimension_user_gid: 1000

-matrix_dimension_container_expose_port: false
+# Controls whether the matrix-dimension container exposes its HTTP port (tcp/8184 in the container).
+#
+# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8184"), or empty string to not expose.
+matrix_dimension_container_http_host_bind_port: ''

 # A list of extra arguments to pass to the container
 matrix_dimension_container_extra_arguments: []
--- a/roles/matrix-dimension/tasks/validate_config.yml
+++ b/roles/matrix-dimension/tasks/validate_config.yml
@ -13,3 +13,12 @@
  with_items:
    - "matrix_synapse_federation_enabled"
  when: "matrix_dimension_enabled|bool and not matrix_synapse_federation_enabled|bool"
+
+- name: (Deprecation) Catch and report renamed Dimension variables
+  fail:
+    msg: >-
+      Your configuration contains a variable, which now has a different name.
+      Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
+  when: "item.old in vars"
+  with_items:
+    - {'old': 'matrix_dimension_container_expose_port', 'new': '<superseded by matrix_dimension_container_http_host_bind_port>'}
--- a/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2
+++ b/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2
@ -17,8 +17,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-dimension \
 			{% if matrix_dimension_widgets_allow_self_signed_ssl_certificates %}
 			-e NODE_TLS_REJECT_UNAUTHORIZED=0 \
 			{% endif %}
-			{% if matrix_dimension_container_expose_port %}
-			-p 127.0.0.1:8184:8184 \
+			{% if matrix_dimension_container_http_host_bind_port %}
+			-p {{ matrix_dimension_container_http_host_bind_port }}:8184 \
 			{% endif %}
 			-v {{ matrix_dimension_base_path }}:/data:rw \
 			{% for arg in matrix_dimension_container_extra_arguments %}
--- a/roles/matrix-mxisd/defaults/main.yml
+++ b/roles/matrix-mxisd/defaults/main.yml
@ -1,12 +1,17 @@
+# mxisd is a Federated Matrix Identity Server
+# See: https://github.com/kamax-matrix/mxisd
+
 matrix_mxisd_enabled: true

-matrix_mxisd_docker_image: "kamax/mxisd:1.4.3"
+matrix_mxisd_docker_image: "kamax/mxisd:1.4.4"
 matrix_mxisd_base_path: "{{ matrix_base_data_path }}/mxisd"
 matrix_mxisd_config_path: "{{ matrix_mxisd_base_path }}/config"
 matrix_mxisd_data_path: "{{ matrix_mxisd_base_path }}/data"

-# Controls whether the mxisd web server's port (`8090`) is exposed outside of the container.
-matrix_mxisd_container_expose_port: false
+# Controls whether the matrix-mxisd container exposes its HTTP port (tcp/8090 in the container).
+#
+# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8090"), or empty string to not expose.
+matrix_mxisd_container_http_host_bind_port: ''

 # A list of extra arguments to pass to the container
 matrix_mxisd_container_extra_arguments: []
--- a/roles/matrix-mxisd/tasks/validate_config.yml
+++ b/roles/matrix-mxisd/tasks/validate_config.yml
@ -45,3 +45,13 @@
  when: "vars[item] == ''"
  with_items:
    - "matrix_mxisd_threepid_medium_email_connectors_smtp_host"
+
+
+- name: (Deprecation) Catch and report renamed mxisd variables
+  fail:
+    msg: >-
+      Your configuration contains a variable, which now has a different name.
+      Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
+  when: "item.old in vars"
+  with_items:
+    - {'old': 'matrix_mxisd_container_expose_port', 'new': '<superseded by matrix_mxisd_container_http_host_bind_port>'}
--- a/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2
+++ b/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2
@ -23,8 +23,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-mxisd \
 			--read-only \
 			--tmpfs=/tmp:rw,exec,nosuid,size=10m \
 			--network={{ matrix_docker_network }} \
-			{% if matrix_mxisd_container_expose_port %}
-			-p 127.0.0.1:8090:8090 \
+			{% if matrix_mxisd_container_http_host_bind_port %}
+			-p {{ matrix_mxisd_container_http_host_bind_port }}:8090 \
 			{% endif %}
 			-v {{ matrix_mxisd_config_path }}:/etc/mxisd:ro \
 			-v {{ matrix_mxisd_data_path }}:/var/mxisd:rw \
--- a/roles/matrix-nginx-proxy/tasks/validate_config.yml
+++ b/roles/matrix-nginx-proxy/tasks/validate_config.yml
@ -2,7 +2,7 @@

 - name: (Deprecation) Catch and report renamed settings
  fail:
-    msg: >
+    msg: >-
      Your configuration contains a variable, which now has a different name.
      Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
  when: "item.old in vars"
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2
@ -169,6 +169,25 @@ server {
 	}
 	{% endif %}

+	location /_synapse/admin {
+		{% if matrix_nginx_proxy_enabled %}
+			{# Use the embedded DNS resolver in Docker containers to discover the service #}
+			resolver 127.0.0.11 valid=5s;
+			set $backend "{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container }}";
+			proxy_pass http://$backend;
+		{% else %}
+			{# Generic configuration for use outside of our container setup #}
+			proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container }};
+		{% endif %}
+
+		proxy_set_header Host $host;
+		proxy_set_header X-Forwarded-For $remote_addr;
+
+		client_body_buffer_size 25M;
+		client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M;
+		proxy_max_temp_file_size 0;
+	}
+
 	location / {
 		rewrite ^/$ /_matrix/static/ last;
 	}
--- a/roles/matrix-riot-web/defaults/main.yml
+++ b/roles/matrix-riot-web/defaults/main.yml
@ -1,10 +1,13 @@
 matrix_riot_web_enabled: true

-matrix_riot_web_docker_image: "bubuntux/riot-web:v1.1.2"
+matrix_riot_web_docker_image: "bubuntux/riot-web:v1.2.0"

 matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web"

-matrix_riot_web_container_expose_port: false
+# Controls whether the matrix-riot-web container exposes its HTTP port (tcp/8080 in the container).
+#
+# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8765"), or empty string to not expose.
+matrix_riot_web_container_http_host_bind_port: ''

 # A list of extra arguments to pass to the container
 matrix_riot_web_container_extra_arguments: []
--- a/roles/matrix-riot-web/tasks/validate_config.yml
+++ b/roles/matrix-riot-web/tasks/validate_config.yml
@ -8,9 +8,9 @@
  with_items:
    - "matrix_riot_web_default_hs_url"

- name: (Deprecation) Catch and report renamed settings
+- name: (Deprecation) Catch and report renamed riot-web variables
  fail:
-    msg: >
+    msg: >-
      Your configuration contains a variable, which now has a different name.
      Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
  when: "item.old in vars"
@ -20,3 +20,4 @@
    - {'old': 'matrix_riot_web_homepage_template_technical', 'new': '<removed>'}
    - {'old': 'matrix_riot_web_homepage_template_building', 'new': '<removed>'}
    - {'old': 'matrix_riot_web_homepage_template_contributing', 'new': '<removed>'}
+    - {'old': 'matrix_riot_web_container_expose_port', 'new': '<superseded by matrix_riot_web_container_http_host_bind_port>'}
--- a/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2
+++ b/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2
@ -17,8 +17,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-riot-web \
 			--cap-drop=ALL \
 			--read-only \
 			--network={{ matrix_docker_network }} \
-			{% if matrix_riot_web_container_expose_port %}
-			-p 127.0.0.1:8765:8080 \
+			{% if matrix_riot_web_container_http_host_bind_port %}
+			-p {{ matrix_riot_web_container_http_host_bind_port }}:8080 \
 			{% endif %}
 			--tmpfs=/tmp:rw,noexec,nosuid,size=10m \
 			-v {{ matrix_riot_web_data_path }}/nginx.conf:/etc/nginx/nginx.conf:ro \
--- a/roles/matrix-riot-web/vars/main.yml
+++ b/roles/matrix-riot-web/vars/main.yml
@ -1,3 +1,3 @@
 ---

-matrix_riot_web_embedded_pages_home_url: "{{ (none if matrix_riot_web_embedded_pages_home_path is none else 'home.html') }}"
+matrix_riot_web_embedded_pages_home_url: "{{ ('' if matrix_riot_web_embedded_pages_home_path is none else 'home.html') }}"
--- a/roles/matrix-synapse/defaults/main.yml
+++ b/roles/matrix-synapse/defaults/main.yml
@ -3,7 +3,7 @@

 matrix_synapse_enabled: true

-matrix_synapse_docker_image: "matrixdotorg/synapse:v0.99.5.1"
+matrix_synapse_docker_image: "matrixdotorg/synapse:v0.99.5.2"

 matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse"
 matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config"
@ -12,16 +12,32 @@ matrix_synapse_storage_path: "{{ matrix_synapse_base_path }}/storage"
 matrix_synapse_media_store_path: "{{ matrix_synapse_storage_path }}/media-store"
 matrix_synapse_ext_path: "{{ matrix_synapse_base_path }}/ext"

-# Controls whether the Synapse container exposes the Client/Server API port (tcp/8008).
-matrix_synapse_container_expose_client_api_port: false
-
-# Controls whether the Synapse container exposes the Server/Server (Federation) API port (tcp/8048).
-# This is for the plain HTTP API. If you need Synapse to handle TLS encryption,
-# that would be on another port (tcp/8448) controlled by `matrix_synapse_tls_federation_listener_enabled`.
-matrix_synapse_container_expose_federation_api_port: false
-
-# Controls whether the matrix-synapse container exposes the metrics port (tcp/9100).
-matrix_synapse_container_expose_metrics_port: false
+# Controls whether the matrix-synapse container exposes the Client/Server API port (tcp/8008 in the container).
+#
+# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8008"), or empty string to not expose.
+matrix_synapse_container_client_api_host_bind_port: ''
+
+# Controls whether the matrix-synapse container exposes the plain (unencrypted) Server/Server (Federation) API port (tcp/8048 in the container).
+#
+# Takes effect only if federation is enabled (matrix_synapse_federation_enabled).
+#
+# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8048"), or empty string to not expose.
+matrix_synapse_container_federation_api_plain_host_bind_port: ''
+
+# Controls whether the matrix-synapse container exposes the tls (encrypted) Server/Server (Federation) API port (tcp/8448 in the container).
+#
+# Takes effect only if federation is enabled (matrix_synapse_federation_enabled)
+# and TLS support is enabled (matrix_synapse_tls_federation_listener_enabled).
+#
+# Takes an "<ip>:<port>" or "<port>" value (e.g. "8448"), or empty string to not expose.
+matrix_synapse_container_federation_api_tls_host_bind_port: ''
+
+# Controls whether the matrix-synapse container exposes the metrics port (tcp/9100 in the container).
+#
+# Takes effect only if metrics are enabled (matrix_synapse_metrics_enabled).
+#
+# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:9100"), or empty string to not expose.
+matrix_synapse_container_metrics_api_host_bind_port: ''

 # A list of extra arguments to pass to the container
 matrix_synapse_container_extra_arguments: []
@ -154,6 +170,11 @@ matrix_synapse_federation_domain_whitelist: ~
 # A list of additional "volumes" to mount in the container.
 # This list gets populated dynamically based on Synapse extensions that have been enabled.
 # Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."}
+#
+# Note: internally, this uses the `-v` flag for mounting the specified volumes.
+# It's better (safer) to use the `--mount` flag for mounting volumes.
+# To use `--mount`, specifiy it in `matrix_synapse_container_extra_arguments`.
+# Example: `matrix_synapse_container_extra_arguments: ['--mount type=bind,src=/outside,dst=/inside,ro']
 matrix_synapse_container_additional_volumes: []

 # A list of additional loggers to register in synapse.log.config.
@ -163,7 +184,7 @@ matrix_synapse_additional_loggers: []

 # A list of appservice config files (in-container filesystem paths).
 # This list gets populated dynamically based on Synapse extensions that have been enabled.
-# You may wish to use this together with `matrix_synapse_container_additional_volumes`.
+# You may wish to use this together with `matrix_synapse_container_additional_volumes` or `matrix_synapse_container_extra_arguments`.
 matrix_synapse_app_service_config_files: []

 # This is set dynamically during execution depending on whether
--- a/roles/matrix-synapse/tasks/ext/ldap-auth/setup.yml
+++ b/roles/matrix-synapse/tasks/ext/ldap-auth/setup.yml
@ -1,8 +1,6 @@
 - set_fact:
    matrix_synapse_password_providers_enabled: true
-  when: matrix_synapse_ext_password_provider_ldap_enabled|bool

- set_fact:
    matrix_synapse_additional_loggers: >
      {{ matrix_synapse_additional_loggers }}
      +
--- a/roles/matrix-synapse/tasks/ext/rest-auth/setup_install.yml
+++ b/roles/matrix-synapse/tasks/ext/rest-auth/setup_install.yml
@ -17,13 +17,11 @@
 - set_fact:
    matrix_synapse_password_providers_enabled: true

- set_fact:
-    matrix_synapse_container_additional_volumes: >
-      {{ matrix_synapse_container_additional_volumes }}
+    matrix_synapse_container_extra_arguments: >
+      {{ matrix_synapse_container_extra_arguments|default([]) }}
      +
-      {{ [{'src': '{{ matrix_synapse_ext_path }}/rest_auth_provider.py', 'dst': '{{ matrix_synapse_in_container_python_packages_path }}/rest_auth_provider.py', 'options': 'ro'}] }}
+      {{ ["--mount type=bind,src={{ matrix_synapse_ext_path }}/rest_auth_provider.py,dst={{ matrix_synapse_in_container_python_packages_path }}/rest_auth_provider.py,ro"] }}

- set_fact:
    matrix_synapse_additional_loggers: >
      {{ matrix_synapse_additional_loggers }}
      +
--- a/roles/matrix-synapse/tasks/ext/shared-secret-auth/setup_install.yml
+++ b/roles/matrix-synapse/tasks/ext/shared-secret-auth/setup_install.yml
@ -17,13 +17,11 @@
 - set_fact:
    matrix_synapse_password_providers_enabled: true

- set_fact:
-    matrix_synapse_container_additional_volumes: >
-      {{ matrix_synapse_container_additional_volumes }}
+    matrix_synapse_container_extra_arguments: >
+      {{ matrix_synapse_container_extra_arguments|default([]) }}
      +
-      {{ [{'src': '{{ matrix_synapse_ext_path }}/shared_secret_authenticator.py', 'dst': '{{ matrix_synapse_in_container_python_packages_path }}/shared_secret_authenticator.py', 'options': 'ro'}] }}
+      {{ ["--mount type=bind,src={{ matrix_synapse_ext_path }}/shared_secret_authenticator.py,dst={{ matrix_synapse_in_container_python_packages_path }}/shared_secret_authenticator.py,ro"] }}

- set_fact:
    matrix_synapse_additional_loggers: >
      {{ matrix_synapse_additional_loggers }}
      +
--- a/roles/matrix-synapse/tasks/validate_config.yml
+++ b/roles/matrix-synapse/tasks/validate_config.yml
@ -15,7 +15,7 @@
      Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
  when: "item.old in vars"
  with_items:
-    - {'old': 'matrix_synapse_container_expose_api_port', 'new': 'matrix_synapse_container_expose_client_api_port'}
+    - {'old': 'matrix_synapse_container_expose_api_port', 'new': '<superseded by matrix_synapse_container_federation_api_plain_host_bind_port>'}
    - {'old': 'matrix_synapse_no_tls', 'new': '<removed>'}
    - {'old': 'matrix_enable_room_list_search', 'new': 'matrix_synapse_enable_room_list_search'}
    - {'old': 'matrix_alias_creation_rules', 'new': 'matrix_synapse_alias_creation_rules'}
@ -27,3 +27,6 @@
    - {'old': 'matrix_synapse_federation_rc_sleep_delay', 'new': '<sleep_delay subkey of matrix_synapse_rc_federation>'}
    - {'old': 'matrix_synapse_federation_rc_reject_limit', 'new': '<reject_limit subkey of matrix_synapse_rc_federation>'}
    - {'old': 'matrix_synapse_federation_rc_concurrent', 'new': '<concurrent subkey of matrix_synapse_rc_federation>'}
+    - {'old': 'matrix_synapse_container_expose_client_api_port', 'new': '<superseded by matrix_synapse_container_client_api_host_bind_port>'}
+    - {'old': 'matrix_synapse_container_expose_federation_api_port', 'new': '<superseded by matrix_synapse_container_federation_api_plain_host_bind_port>'}
+    - {'old': 'matrix_synapse_container_expose_metrics_port', 'new': '<superseded by matrix_synapse_container_metrics_api_host_bind_port>'}
--- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
+++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
@ -893,7 +893,7 @@ report_stats: {{ matrix_synapse_report_stats|to_json }}

 # A list of application service config files to use
 #
-app_service_config_files: {{ matrix_synapse_app_service_config_files }}
+app_service_config_files: {{ matrix_synapse_app_service_config_files|to_json }}

 # Uncomment to enable tracking of application service IP addresses. Implicitly
 # enables MAU tracking for application service users.
--- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2
+++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2
@ -29,17 +29,17 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \
 			--tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_synapse_tmp_directory_size_mb }}m \
 			--network={{ matrix_docker_network }} \
 			-e SYNAPSE_CACHE_FACTOR={{ matrix_synapse_cache_factor }} \
-			{% if matrix_synapse_container_expose_client_api_port %}
-			-p 127.0.0.1:8008:8008 \
+			{% if matrix_synapse_container_client_api_host_bind_port %}
+			-p {{ matrix_synapse_container_client_api_host_bind_port }}:8008 \
 			{% endif %}
-			{% if matrix_synapse_federation_enabled and matrix_synapse_tls_federation_listener_enabled %}
-			-p 8448:8448 \
+			{% if matrix_synapse_federation_enabled and matrix_synapse_tls_federation_listener_enabled and matrix_synapse_container_federation_api_tls_host_bind_port %}
+			-p {{ matrix_synapse_container_federation_api_tls_host_bind_port }}:8448 \
 			{% endif %}
-			{% if matrix_synapse_federation_enabled and matrix_synapse_container_expose_federation_api_port %}
-			-p 127.0.0.1:8048:8048 \
+			{% if matrix_synapse_federation_enabled and matrix_synapse_container_federation_api_plain_host_bind_port %}
+			-p {{ matrix_synapse_container_federation_api_plain_host_bind_port }}:8048 \
 			{% endif %}
-			{% if matrix_synapse_container_expose_metrics_port %}
-			-p 127.0.0.1:{{ matrix_synapse_metrics_port }}:{{ matrix_synapse_metrics_port }} \
+			{% if matrix_synapse_metrics_enabled and matrix_synapse_container_metrics_api_host_bind_port %}
+			-p {{ matrix_synapse_container_metrics_api_host_bind_port }}:{{ matrix_synapse_metrics_port }} \
 			{% endif %}
 			-v {{ matrix_synapse_config_dir_path }}:/data:ro \
 			-v {{ matrix_synapse_run_path }}:/matrix-run:rw \