Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy

5 years ago · 8a0c3146d3
parent 83e5cd7d6f 5421ce22bf
commit 8a0c3146d3
52 changed files with 846 additions and 239 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,3 +1,38 @@
+# 2020-01-30
+
+## Disabling TLSv1.1
+
+To improve security, we've removed TLSv1.1 support from our default matrix-nginx-proxy configuration.
+
+If you need to support old clients, you can re-enable it with the following configuration: `matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2 TLSv1.3"`
+
+
+# 2020-01-21
+
+## Postgres collation changes (action required!)
+
+By default, we've been using a UTF-8 collation for Postgres. This is known to cause Synapse some troubles (see the [relevant issue](https://github.com/matrix-org/synapse/issues/6722)) on systems that use [glibc](https://www.gnu.org/software/libc/). We run Postgres in an [Alpine Linux](https://alpinelinux.org/) container (which uses [musl](https://www.musl-libc.org/), and not glibc), so our users are likely not affected by the index corruption problem observed by others.
+
+Still, we might become affected in the future. In any case, it's imminent that Synapse will complain about databases which do not use a C collation.
+
+To avoid future problems, we recommend that you run the following command:
+
+```
+ansible-playbook -i inventory/hosts setup.yml --tags=upgrade-postgres --extra-vars='{"postgres_force_upgrade": true}'
+```
+
+It forces a [Postgres database upgrade](docs/maintenance-postgres.md#upgrading-postgresql), which would recreate your Postgres database using the proper (`C`) collation. If you are low on disk space, or run into trouble, refer to the Postgres database upgrade documentation page.
+
+
+# 2020-01-14
+
+## Added support for Appservice Webhooks
+
+Thanks to a contribution from [Björn Marten](https://github.com/tripleawwy) from [netresearch](https://www.netresearch.de/), the playbook can now install and configure [matrix-appservice-webhooks](https://github.com/turt2live/matrix-appservice-webhooks) for you. This bridge provides support for Slack-compatible webhooks.
+
+Learn more in [Setting up Appservice Webhooks](docs/configuring-playbook-bridge-appservice-webhooks.md).
+
+
 # 2020-01-12

 ## Added support for automatic Double Puppeting for all Mautrix bridges
--- a/README.md
+++ b/README.md
@ -44,12 +44,14 @@ Using this playbook, you can get the following services configured on your serve

 - (optional) the [mautrix-hangouts](https://github.com/tulir/mautrix-hangouts) bridge for bridging your Matrix server to [Google Hangouts](https://en.wikipedia.org/wiki/Google_Hangouts)

- (optional) the [matrix-appservice-irc](https://github.com/TeDomum/matrix-appservice-irc) bridge for bridging your Matrix server to [IRC](https://wikipedia.org/wiki/Internet_Relay_Chat)
+- (optional) the [matrix-appservice-irc](https://github.com/matrix-org/matrix-appservice-irc) bridge for bridging your Matrix server to [IRC](https://wikipedia.org/wiki/Internet_Relay_Chat)

 - (optional) the [matrix-appservice-discord](https://github.com/Half-Shot/matrix-appservice-discord) bridge for bridging your Matrix server to [Discord](https://discordapp.com/)

 - (optional) the [matrix-appservice-slack](https://github.com/matrix-org/matrix-appservice-slack) bridge for bridging your Matrix server to [Slack](https://slack.com/)

+- (optional) the [matrix-appservice-webhooks](https://github.com/turt2live/matrix-appservice-webhooks) bridge for slack compatible webhooks ([ConcourseCI](https://concourse-ci.org/), [Slack](https://slack.com/) etc. pp.)
+
 - (optional) [Email2Matrix](https://github.com/devture/email2matrix) for relaying email messages to Matrix rooms

 - (optional) [Dimension](https://github.com/turt2live/matrix-dimension), an open source integrations manager for matrix clients
@ -132,12 +134,14 @@ This playbook sets up your server using the following Docker images:

 - [tulir/mautrix-hangouts](https://hub.docker.com/r/tulir/mautrix-hangouts/) - the [mautrix-hangouts](https://github.com/tulir/mautrix-hangouts) bridge to [Google Hangouts](https://en.wikipedia.org/wiki/Google_Hangouts) (optional)

- [tedomum/matrix-appservice-irc](https://hub.docker.com/r/tedomum/matrix-appservice-irc/) - the [matrix-appservice-irc](https://github.com/TeDomum/matrix-appservice-irc) bridge to [IRC](https://wikipedia.org/wiki/Internet_Relay_Chat) (optional)
+- [matrixdotorg/matrix-appservice-irc](https://hub.docker.com/r/matrixdotorg/matrix-appservice-irc) - the [matrix-appservice-irc](https://github.com/matrix-org/matrix-appservice-irc) bridge to [IRC](https://wikipedia.org/wiki/Internet_Relay_Chat) (optional)

 - [halfshot/matrix-appservice-discord](https://hub.docker.com/r/halfshot/matrix-appservice-discord) - the [matrix-appservice-discord](https://github.com/Half-Shot/matrix-appservice-discord) bridge to [Discord](https://discordapp.com/) (optional)

 - [cadair/matrix-appservice-slack](https://hub.docker.com/r/cadair/matrix-appservice-slack) - the [matrix-appservice-slack](https://github.com/matrix-org/matrix-appservice-slack) bridge to [Slack](https://slack.com/) (optional)

+- [turt2live/matrix-appservice-webhooks](https://hub.docker.com/r/turt2live/matrix-appservice-webhooks) - the [Appservice Webhooks](https://github.com/turt2live/matrix-appservice-webhooks) bridge (optional)
+
 - [turt2live/matrix-dimension](https://hub.docker.com/r/turt2live/matrix-dimension) - the [Dimension](https://dimension.t2bot.io/) integrations manager (optional)


--- a/docs/ansible.md
+++ b/docs/ansible.md
@ -9,9 +9,7 @@ If your local computer cannot run Ansible, you can also run Ansible on some serv

 ## Supported Ansible versions

-Ansible 2.5 or newer is required.
-
-If you're on Ansible 2.5.x, due to bugs in Ansible 2.5.0 and 2.5.1, at least Ansible 2.5.2 is required.
+Ansible 2.5.2 or newer is required.


 ## Checking your Ansible version
@ -28,7 +26,7 @@ If you're on an old version of Ansible, you should [upgrade Ansible to a newer v

 Depending on your distribution, you may be able to upgrade Ansible in a few different ways:

- by using an additional repository (PPA, etc.), which provides newer Ansible versions
+- by using an additional repository (PPA, etc.), which provides newer Ansible versions. See instructions for [CentOS](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html#installing-ansible-on-rhel-centos-or-fedora), [Debian](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html#installing-ansible-on-debian), or [Ubuntu](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html#installing-ansible-on-ubuntu) on the Ansible website.

 - by removing the Ansible package (`yum remove ansible` or `apt-get remove ansible`) and installing via [pip](https://pip.pypa.io/en/stable/installing/) (`pip install ansible`).

--- a/docs/configuring-playbook-bridge-appservice-irc.md
+++ b/docs/configuring-playbook-bridge-appservice-irc.md
@ -1,8 +1,8 @@
 # Setting up Appservice IRC (optional)

-The playbook can install and configure [matrix-appservice-irc](https://github.com/TeDomum/matrix-appservice-irc) for you.
+The playbook can install and configure [matrix-appservice-irc](https://github.com/matrix-org/matrix-appservice-irc) for you.

-See the project's [documentation](https://github.com/TeDomum/matrix-appservice-irc/blob/master/HOWTO.md) to learn what it does and why it might be useful to you.
+See the project's [documentation](https://github.com/matrix-org/matrix-appservice-irc/blob/master/HOWTO.md) to learn what it does and why it might be useful to you.

 You'll need to use the following playbook configuration:

--- a/docs/configuring-playbook-bridge-appservice-webhooks.md
+++ b/docs/configuring-playbook-bridge-appservice-webhooks.md
@ -0,0 +1,61 @@
+# Setting up Appservice Webhooks (optional)
+
+The playbook can install and configure [matrix-appservice-webhooks](https://github.com/turt2live/matrix-appservice-webhooks) for you.
+
+This bridge provides support for Slack-compatible webhooks.
+
+Setup Instructions:
+
+loosely based on [this](https://github.com/turt2live/matrix-appservice-webhooks/blob/master/README.md)
+
+1. All you basically need is to adjust your `inventory/host_vars/matrix.<domain-name>/vars.yml`:
+
+```yaml
+matrix_appservice_webhooks_enabled: true
+matrix_appservice_webhooks_api_secret: '<your_secret>'
+```
+
+2. In case you want to change the verbosity of logging via `journalctl -fu matrix-appservice-webhooks.service`
+you can adjust this in `inventory/host_vars/matrix.<domain-name>/vars.yml` as well.
+
+*Note*: default value is: `info` and availabe log levels are : `info`, `verbose`
+
+```yaml
+matrix_appservice_webhooks_log_level: '<log_level>'
+```
+
+3. If you've already installed Matrix services using the playbook before, you'll need to re-run it (`--tags=setup-all,start`). If not, proceed with [configuring other playbook services](configuring-playbook.md) and then with [Installing](installing.md). Get back to this guide once ready.
+
+4. Invite the bridge bot user to your room:
+
+    - either with `/invite @_webhook:<domain.name>` (*Note*: Make sure you have administration permissions in your room)
+
+    - or simply add the bridge bot to a private channel (personal channels imply you being an administrator)
+
+5. Send a message to the bridge bot in order to receive a private message including the webhook link.
+```
+!webhook
+```
+
+6. The JSON body for posting messages will have to look like this:
+```json
+{
+    "text": "Hello world!",
+    "format": "plain",
+    "displayName": "My Cool Webhook",
+    "avatarUrl": "http://i.imgur.com/IDOBtEJ.png"
+}
+```
+
+You can test this via curl like so:
+
+```
+curl --header "Content-Type: application/json" \
+--data '{
+"text": "Hello world!",
+"format": "plain",
+"displayName": "My Cool Webhook",
+"avatarUrl": "http://i.imgur.com/IDOBtEJ.png"
+}' \
+<the link you've gotten in 5.>
+```
--- a/docs/configuring-playbook-own-webserver.md
+++ b/docs/configuring-playbook-own-webserver.md
@ -52,7 +52,7 @@ Note that if your nginx version is old, it might not like our default choice of

 ```yaml
 # Custom protocol list (removing `TLSv1.3`) to suit your nginx version.
-matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2"
+matrix_nginx_proxy_ssl_protocols: "TLSv1.2"
 ```


--- a/docs/configuring-playbook.md
+++ b/docs/configuring-playbook.md
@ -93,4 +93,6 @@ When you're done with all the configuration you'd like to do, continue with [Ins

 - [Setting up Appservice Slack bridging](configuring-playbook-bridge-appservice-slack.md) (optional)

+- [Setting up Appservice Webhooks bridging](configuring-playbook-bridge-appservice-webhooks.md) (optional)
+
 - [Setting up Email2Matrix](configuring-playbook-email2matrix.md) (optional)
--- a/docs/installing.md
+++ b/docs/installing.md
@ -8,9 +8,11 @@ Run this as-is to set up a server:
 ansible-playbook -i inventory/hosts setup.yml --tags=setup-all
 ```

-This **doesn't start any services just yet** (another step does this later - below).
+**Note**: if you don't use SSH keys for authentication, but rather a regular password, you may need to add `--ask-pass` to the above (and all other) Ansible commands.

-Feel free to **re-run this any time** you think something is off with the server configuration.
+The above command **doesn't start any services just yet** (another step does this later - below).
+
+Feel free to **re-run this setup command any time** you think something is off with the server configuration.


 ## Things you might want to do after installing
--- a/docs/maintenance-postgres.md
+++ b/docs/maintenance-postgres.md
@ -42,7 +42,7 @@ docker run \
 --rm \
 --network=matrix \
 --env-file=/matrix/postgres/env-postgres-psql \
-postgres:12.0-alpine \
+postgres:12.1-alpine \
 pg_dumpall -h matrix-postgres \
 | gzip -c \
 > /postgres.sql.gz
--- a/docs/registering-users.md
+++ b/docs/registering-users.md
@ -24,11 +24,14 @@ If you've just installed Matrix, **to finalize the installation process**, it's

 -----

-The script `/usr/local/bin/matrix-make-user-admin` may be used to upgrade a user's privileges:
+
+## Adding/Removing Administrator privileges to an existing user.  
+
+The script `/usr/local/bin/matrix-change-user-admin-status` may be used to change a user's admin privileges.

 * log on to your server with ssh
-* execute with the username:
+* execute with the username and 0/1 (0 = non-admin | 1 = admin)

 ```
-/usr/local/bin/matrix-make-user-admin <username>
+/usr/local/bin/matrix-change-user-admin-status <username> <0/1>
 ```
--- a/docs/updating-users-passwords.md
+++ b/docs/updating-users-passwords.md
@ -34,7 +34,9 @@ where `<password-hash>` is the hash returned by the docker command above.

 Use the Synapse User Admin API as described here: https://github.com/matrix-org/synapse/blob/master/docs/admin_api/user_admin_api.rst#reset-password

-This requires an access token from a server admin account. If you didn't make your account a server admin when you created it, you can use the `/usr/local/bin/matrix-make-user-admin` script as described in [registering-users.md](registering-users.md). Note this method will also log the user out of all of their clients while the other options do not.
+This requires an access token from a server admin account. *This method will also log the user out of all of their clients while the other options do not.* 
+
+If you didn't make your account a server admin when you created it, you can use the `/usr/local/bin/matrix-change-user-admin-status` script as described in [registering-users.md](registering-users.md). 

 ### Example:
 To set @user:domain.com's password to `correct_horse_battery_staple` you could use this curl command:
--- a/examples/apache/matrix-dimension.conf
+++ b/examples/apache/matrix-dimension.conf
@ -26,7 +26,7 @@
 	SSLCertificateKeyFile /matrix/ssl/config/live/dimension.DOMAIN/privkey.pem

 	SSLProxyEngine on
-	SSLProxyProtocol +TLSv1.1 +TLSv1.2 +TLSv1.3
+	SSLProxyProtocol +TLSv1.2 +TLSv1.3
 	SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

 	ProxyPreserveHost On
--- a/examples/apache/matrix-riot-web.conf
+++ b/examples/apache/matrix-riot-web.conf
@ -26,7 +26,7 @@
 	SSLCertificateKeyFile /matrix/ssl/config/live/riot.DOMAIN/privkey.pem

 	SSLProxyEngine on
-	SSLProxyProtocol +TLSv1.1 +TLSv1.2 +TLSv1.3
+	SSLProxyProtocol +TLSv1.2 +TLSv1.3
 	SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

 	ProxyPreserveHost On
--- a/examples/apache/matrix-synapse.conf
+++ b/examples/apache/matrix-synapse.conf
@ -26,7 +26,7 @@
 	SSLCertificateKeyFile /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem

 	SSLProxyEngine on
-	SSLProxyProtocol +TLSv1.1 +TLSv1.2 +TLSv1.3
+	SSLProxyProtocol +TLSv1.2 +TLSv1.3
 	SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

 	ProxyPreserveHost On
@ -103,7 +103,7 @@ Listen 8448
 	SSLCertificateKeyFile /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem

 	SSLProxyEngine on
-	SSLProxyProtocol +TLSv1.1 +TLSv1.2 +TLSv1.3
+	SSLProxyProtocol +TLSv1.2 +TLSv1.3
 	SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

 	ProxyPreserveHost On
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@ -60,6 +60,40 @@ matrix_appservice_discord_homeserver_token: "{{ matrix_synapse_macaroon_secret_k
 ######################################################################


+######################################################################
+#
+# matrix-appservice-webhooks
+#
+######################################################################
+
+# We don't enable bridges by default.
+matrix_appservice_webhooks_enabled: false
+
+# Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-webhooks over the container network.
+# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
+# matrix-appservice-webhooks' client-server port to the local host.
+matrix_appservice_webhooks_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:{{ matrix_appservice_webhooks_webhooks_port }}' }}"
+
+matrix_appservice_webhooks_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'webhook.as.token') | to_uuid }}"
+
+matrix_appservice_webhooks_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'webhook.hs.token') | to_uuid }}"
+
+matrix_appservice_webhooks_id_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'webhook.id.token') | to_uuid }}"
+
+matrix_appservice_webhooks_systemd_required_services_list: |
+  {{
+    ['docker.service']
+    +
+    (['matrix-synapse.service'] if matrix_synapse_enabled else [])
+  }}
+
+######################################################################
+#
+# /matrix-appservice-webhooks
+#
+######################################################################
+
+
 ######################################################################
 #
 # matrix-appservice-slack
@ -74,11 +108,11 @@ matrix_appservice_slack_enabled: false
 # matrix-appservice-slack's client-server port to the local host.
 matrix_appservice_slack_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:{{ matrix_appservice_slack_slack_port }}' }}"

-matrix_appservice_slack_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'slack-appservice-token') | to_uuid }}"
+matrix_appservice_slack_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'slack.as.token') | to_uuid }}"

-matrix_appservice_slack_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'slack-homeserver-token') | to_uuid }}"
+matrix_appservice_slack_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'slack.hs.token') | to_uuid }}"

-matrix_appservice_slack_id_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'slack-id-token') | to_uuid }}"
+matrix_appservice_slack_id_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'slack.id.token') | to_uuid }}"

 matrix_appservice_slack_systemd_required_services_list: |
  {{
@ -604,7 +638,6 @@ matrix_synapse_email_smtp_host: "matrix-mailer"
 matrix_synapse_email_smtp_port: 8025
 matrix_synapse_email_smtp_require_transport_security: false
 matrix_synapse_email_notif_from: "Matrix <{{ matrix_mailer_sender_address }}>"
-matrix_synapse_email_riot_base_url: "https://{{ matrix_server_fqn_riot }}"

 # Even if TURN doesn't support TLS (it does by default),
 # it doesn't hurt to try a secure connection anyway.
--- a/roles/matrix-base/tasks/server_base/setup_debian.yml
+++ b/roles/matrix-base/tasks/server_base/setup_debian.yml
@ -28,7 +28,7 @@
  apt:
    name:
      - bash-completion
-      - python-docker
+      - "python{{'3' if ansible_python.version.major == 3 else ''}}-docker"
      - ntp
      - fuse
    state: latest
--- a/roles/matrix-bridge-appservice-irc/defaults/main.yml
+++ b/roles/matrix-bridge-appservice-irc/defaults/main.yml
@ -3,7 +3,7 @@

 matrix_appservice_irc_enabled: true

-matrix_appservice_irc_docker_image: "tedomum/matrix-appservice-irc:latest"
+matrix_appservice_irc_docker_image: "matrixdotorg/matrix-appservice-irc:release-0.14.1"
 matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}"

 matrix_appservice_irc_base_path: "{{ matrix_base_data_path }}/appservice-irc"
@ -377,11 +377,6 @@ matrix_appservice_irc_configuration_yaml: |
    enablePresence: {{ matrix_appservice_irc_homeserver_enablePresence|to_json }}

  ircService:
-    # The nedb database URI to connect to. This is the name of the directory to
-    # dump .db files to. This is relative to the project directory.
-    # Required.
-    databaseUri: "nedb:///data"
-
    # WARNING: The bridge needs to send plaintext passwords to the IRC server, it cannot
    # send a password hash. As a result, passwords (NOT hashes) are stored encrypted in
    # the database.
@ -474,6 +469,15 @@ matrix_appservice_irc_configuration_yaml: |
    # enough for the vast majority of use cases.
    maxHttpSockets: 1000

+  # Use an external database to store bridge state.
+  database:
+    # database engine (must be 'postgres' or 'nedb'). Default: nedb
+    engine: "nedb"
+    # Either a PostgreSQL connection string, or a path to the NeDB storage directory.
+    # For postgres, it must start with postgres://
+    # For NeDB, it must start with nedb://. The path is relative to the project directory.
+    connectionString: "nedb:///data"
+
 matrix_appservice_irc_configuration_extension_yaml: |
  # Your custom YAML configuration for Appservice IRC servers goes here.
  # This configuration extends the default starting configuration (`matrix_appservice_irc_configuration_yaml`).
--- a/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml
+++ b/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml
@ -98,13 +98,15 @@
    --cap-drop=ALL
    -v {{ matrix_appservice_irc_config_path }}:/config:z
    -v {{ matrix_appservice_irc_data_path }}:/data:z
+    --entrypoint=/bin/bash
    {{ matrix_appservice_irc_docker_image }}
-    node app.js
+    -c
+    'node app.js
    -r
    -f /config/registration-template.yaml
    -u "http://matrix-appservice-irc:9999"
    -c /config/config.yaml
-    -l irc_bot
+    -l irc_bot'
  changed_when: false

 - name: Read Appservice IRC registration-template.yaml
--- a/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2
+++ b/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2
@ -30,8 +30,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-appservice-irc \
 			{% for arg in matrix_appservice_irc_container_extra_arguments %}
 			{{ arg }} \
 			{% endfor %}
+			--entrypoint=/bin/bash \
 			{{ matrix_appservice_irc_docker_image }} \
-			-c /config/config.yaml -f /config/registration.yaml -p 9999
+			-c 'node app.js -c /config/config.yaml -f /config/registration.yaml -p 9999'

 ExecStop=-/usr/bin/docker kill matrix-appservice-irc
 ExecStop=-/usr/bin/docker rm matrix-appservice-irc
--- a/roles/matrix-bridge-appservice-slack/defaults/main.yml
+++ b/roles/matrix-bridge-appservice-slack/defaults/main.yml
@ -3,7 +3,7 @@

 matrix_appservice_slack_enabled: true

-matrix_appservice_slack_docker_image: "matrixdotorg/matrix-appservice-slack:release-1.0.2"
+matrix_appservice_slack_docker_image: "cadair/matrix-appservice-slack:latest"
 matrix_appservice_slack_docker_image_force_pull: "{{ matrix_appservice_slack_docker_image.endswith(':latest') }}"

 matrix_appservice_slack_base_path: "{{ matrix_base_data_path }}/appservice-slack"
@ -51,24 +51,6 @@ matrix_appservice_slack_configuration_yaml: |
    bot_username: "{{ matrix_appservice_slack_bot_name }}"
    username_prefix: {{ matrix_appservice_slack_user_prefix }}

-    # Optional if slack_hook_port and inbound_uri_prefix are defined, required otherwise.
-    rtm:
-      # Use the RTM API to listen for requests, which does not require
-      # the bridge to listen on the hook port.
-      # You should leave this enabled, unless you plan to use the
-      # bridge exclusively for webhooks.
-      enable: true
-      logging: "silent" # Logging level specific to RTM traffic.
-      # A prefix similar to inbound_uri_prefix for oauth2 requests. inbound_uri_prefix will be used if this is not set
-      # Optional
-      # redirect_prefix: "https://my.server.here:9898/mycustomoauthendpoint"
-
-    # Allow users to add channels dynamically by using oauth, or puppet themselves.
-    # Optional
-    oauth2:
-      client_id: ""
-      client_secret: ""
-
    homeserver:
        media_url: "{{ matrix_appservice_slack_homeserver_media_url }}"
        url: "{{ matrix_appservice_slack_homeserver_url }}"
--- a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml
+++ b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml
@ -0,0 +1,105 @@
+# matrix-appservice-webhooks is a Matrix <-> webhook bridge
+# See: https://github.com/turt2live/matrix-appservice-webhooks
+
+matrix_appservice_webhooks_enabled: true
+
+matrix_appservice_webhooks_docker_image: "turt2live/matrix-appservice-webhooks:latest"
+matrix_appservice_webhooks_docker_image_force_pull: "{{ matrix_appservice_webhooks_docker_image.endswith(':latest') }}"
+
+matrix_appservice_webhooks_base_path: "{{ matrix_base_data_path }}/appservice-webhooks"
+matrix_appservice_webhooks_config_path: "{{ matrix_appservice_webhooks_base_path }}/config"
+matrix_appservice_webhooks_data_path: "{{ matrix_appservice_webhooks_base_path }}/data"
+
+# If nginx-proxy is disabled, the bridge itself expects its endpoint to be on its own domain (e.g. "localhost:6789")
+matrix_appservice_webhooks_public_endpoint: /appservice-webhooks
+matrix_appservice_webhooks_inbound_uri_prefix: "{{ matrix_homeserver_url }}{{ matrix_appservice_webhooks_public_endpoint }}"
+
+# Once you make a control room in Matrix, you can get its ID by typing any message and checking its source
+matrix_appservice_webhooks_control_room_id: ''
+matrix_appservice_webhooks_bot_name: 'webhookbot'
+matrix_appservice_webhooks_user_prefix: '_webhook'
+
+# Controls the webhooks_PORT and MATRIX_PORT of the installation
+matrix_appservice_webhooks_matrix_port: 6789
+matrix_appservice_webhooks_webhooks_port: 6788
+
+# Controls whether the appservice-webhooks container exposes its HTTP port (tcp/6788 in the container).
+#
+# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:9999"), or empty string to not expose.
+matrix_appservice_webhooks_container_http_host_bind_port: ''
+
+matrix_appservice_webhooks_homeserver_media_url: "matrix.{{ matrix_domain }}"
+matrix_appservice_webhooks_homeserver_url: "http://matrix-synapse:8008"
+matrix_appservice_webhooks_homeserver_domain: "{{ matrix_domain }}"
+matrix_appservice_webhooks_appservice_url: 'http://matrix-appservice-webhooks'
+
+# A list of extra arguments to pass to the container
+matrix_appservice_webhooks_container_extra_arguments: []
+
+# List of systemd services that matrix-appservice-webhooks.service depends on.
+matrix_appservice_webhooks_systemd_required_services_list: ['docker.service', 'matrix-synapse.service']
+
+# List of systemd services that matrix-appservice-webhooks.service wants
+matrix_appservice_webhooks_systemd_wanted_services_list: []
+
+matrix_appservice_webhooks_appservice_token: ''
+matrix_appservice_webhooks_homeserver_token: ''
+matrix_appservice_webhooks_id_token: ''
+matrix_appservice_webhooks_api_secret: ''
+
+# Logging information (info and verbose is available) default is: info
+matrix_appservice_webhooks_log_level: 'info'
+
+matrix_appservice_webhooks_configuration_yaml: |
+
+  # Configuration specific to the application service. All fields (unless otherwise marked) are required.
+  homeserver:
+    # The domain for the client-server API calls.
+    url: "{{ matrix_appservice_webhooks_homeserver_url }}"
+
+    # The domain part for user IDs on this home server. Usually, but not always, this is the same as the
+    # home server's URL.
+    domain: "{{ matrix_domain }}"
+
+  # Configuration specific to the bridge. All fields (unless otherwise marked) are required.
+  webhookBot:
+    # The localpart to use for the bot. May require re-registering the application service.
+    localpart: "_webhook"
+
+  # Provisioning API options
+  provisioning:
+    # Your secret for the API. Required for all provisioning API requests.
+    secret: '{{ matrix_appservice_webhooks_api_secret }}'
+
+  # Configuration related to the web portion of the bridge. Handles the inbound webhooks
+  web:
+    hookUrlBase:  "{{ matrix_appservice_webhooks_inbound_uri_prefix }}"
+
+  logging:
+    console: true
+    consoleLevel: {{ matrix_appservice_webhooks_log_level }}
+    writeFiles: false
+
+matrix_appservice_webhooks_configuration_extension_yaml: |
+  #
+
+matrix_appservice_webhooks_configuration_extension: "{{ matrix_appservice_webhooks_configuration_extension_yaml|from_yaml if matrix_appservice_webhooks_configuration_extension_yaml|from_yaml else {} }}"
+
+matrix_appservice_webhooks_configuration: "{{ matrix_appservice_webhooks_configuration_yaml|from_yaml|combine(matrix_appservice_webhooks_configuration_extension, recursive=True) }}"
+
+matrix_appservice_webhooks_registration_yaml: |
+  id: "{{ matrix_appservice_webhooks_id_token }}"
+  hs_token: "{{ matrix_appservice_webhooks_homeserver_token }}"
+  as_token: "{{ matrix_appservice_webhooks_appservice_token }}"
+  namespaces:
+    users:
+      - exclusive: true
+        regex: '^@{{ matrix_appservice_webhooks_user_prefix | regex_escape }}.*:{{ matrix_domain | regex_escape }}$'
+    aliases: []
+    rooms: []
+  url: "{{ matrix_appservice_webhooks_appservice_url }}:{{ matrix_appservice_webhooks_matrix_port }}"
+  sender_localpart: _webhook
+  rate_limited: false
+  protocols: null
+
+matrix_appservice_webhooks_registration: "{{ matrix_appservice_webhooks_registration_yaml|from_yaml }}"
--- a/roles/matrix-bridge-appservice-webhooks/tasks/init.yml
+++ b/roles/matrix-bridge-appservice-webhooks/tasks/init.yml
@ -0,0 +1,78 @@
+# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist.
+# We don't want to fail in such cases.
+- name: Fail if matrix-synapse role already executed
+  fail:
+    msg: >-
+      The matrix-bridge-appservice-webhooks role needs to execute before the matrix-synapse role.
+  when: "matrix_synapse_role_executed|default(False)"
+
+- set_fact:
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-webhooks'] }}"
+  when: matrix_appservice_webhooks_enabled|bool
+
+# If the matrix-synapse role is not used, these variables may not exist.
+- set_fact:
+    matrix_synapse_container_extra_arguments: >
+      {{ matrix_synapse_container_extra_arguments|default([]) }}
+      +
+      ["--mount type=bind,src={{ matrix_appservice_webhooks_config_path }}/webhooks-registration.yaml,dst=/matrix-appservice-webhooks-registration.yaml,ro"]
+
+    matrix_synapse_app_service_config_files: >
+      {{ matrix_synapse_app_service_config_files|default([]) }}
+      +
+      {{ ["/matrix-appservice-webhooks-registration.yaml"] }}
+  when: matrix_appservice_webhooks_enabled|bool
+
+# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist.
+# We don't want to fail in such cases.
+- name: Fail if matrix-synapse role already executed
+  fail:
+    msg: >-
+      The matrix-bridge-appservice-webhooks role needs to execute before the matrix-synapse role.
+  when: "matrix_synapse_role_executed|default(False)"
+
+- block:
+  - name: Fail if matrix-nginx-proxy role already executed
+    fail:
+      msg: >-
+        Trying to append webhooks Appservice's reverse-proxying configuration to matrix-nginx-proxy,
+        but it's pointless since the matrix-nginx-proxy role had already executed.
+        To fix this, please change the order of roles in your plabook,
+        so that the matrix-nginx-proxy role would run after the matrix-bridge-appservice-webhooks role.
+    when: matrix_nginx_proxy_role_executed|default(False)|bool
+
+  - name: Generate Matrix Appservice webhooks proxying configuration for matrix-nginx-proxy
+    set_fact:
+      matrix_appservice_webhooks_matrix_nginx_proxy_configuration: |
+        location {{ matrix_appservice_webhooks_public_endpoint }}/ {
+        {% if matrix_nginx_proxy_enabled|default(False) %}
+        {# Use the embedded DNS resolver in Docker containers to discover the service #}
+          resolver 127.0.0.11 valid=5s;
+          proxy_pass {{ matrix_appservice_webhooks_appservice_url }}:{{ matrix_appservice_webhooks_matrix_port }}/;
+        {% else %}
+          {# Generic configuration for use outside of our container setup #}
+          proxy_pass http://127.0.0.1:{{ matrix_appservice_webhooks_matrix_port }}/;
+        {% endif %}
+        }
+
+  - name: Register webhooks Appservice proxying configuration with matrix-nginx-proxy
+    set_fact:
+      matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: |
+        {{
+          matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks|default([])
+          +
+          [matrix_appservice_webhooks_matrix_nginx_proxy_configuration]
+        }}
+  tags:
+   - always
+  when: matrix_appservice_webhooks_enabled|bool
+
+- name: Warn about reverse-proxying if matrix-nginx-proxy not used
+  debug:
+    msg: >-
+      NOTE: You've enabled the Matrix webhooks bridge but are not using the matrix-nginx-proxy
+      reverse proxy.
+      Please make sure that you're proxying the `{{ matrix_appservice_webhooks_public_endpoint }}`
+      URL endpoint to the matrix-appservice-webhooks container.
+      You can expose the container's port using the `matrix_appservice_webhooks_container_http_host_bind_port` variable.
+  when: "matrix_appservice_webhooks_enabled|bool and matrix_nginx_proxy_enabled is not defined"
--- a/roles/matrix-bridge-appservice-webhooks/tasks/main.yml
+++ b/roles/matrix-bridge-appservice-webhooks/tasks/main.yml
@ -0,0 +1,21 @@
+- import_tasks: "{{ role_path }}/tasks/init.yml"
+  tags:
+    - always
+
+- import_tasks: "{{ role_path }}/tasks/validate_config.yml"
+  when: "run_setup|bool and matrix_appservice_webhooks_enabled|bool"
+  tags:
+    - setup-all
+    - setup-appservice-webhooks
+
+- import_tasks: "{{ role_path }}/tasks/setup_install.yml"
+  when: "run_setup|bool and matrix_appservice_webhooks_enabled|bool"
+  tags:
+    - setup-all
+    - setup-appservice-webhooks
+
+- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
+  when: "run_setup|bool and not matrix_appservice_webhooks_enabled|bool"
+  tags:
+    - setup-all
+    - setup-appservice-webhooks
--- a/roles/matrix-bridge-appservice-webhooks/tasks/setup_install.yml
+++ b/roles/matrix-bridge-appservice-webhooks/tasks/setup_install.yml
@ -0,0 +1,64 @@
+---
+
+- name: Ensure Appservice webhooks image is pulled
+  docker_image:
+    name: "{{ matrix_appservice_webhooks_docker_image }}"
+    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    force_source: "{{ matrix_appservice_webhooks_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_webhooks_docker_image_force_pull }}"
+
+- name: Ensure AppService webhooks paths exist
+  file:
+    path: "{{ item }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+  with_items:
+    - "{{ matrix_appservice_webhooks_base_path }}"
+    - "{{ matrix_appservice_webhooks_config_path }}"
+    - "{{ matrix_appservice_webhooks_data_path }}"
+
+- name: Ensure Matrix Appservice webhooks config is installed
+  copy:
+    content: "{{ matrix_appservice_webhooks_configuration|to_nice_yaml }}"
+    dest: "{{ matrix_appservice_webhooks_config_path }}/config.yaml"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+
+- name: Ensure Matrix Appservice webhooks schema.yml template exists
+  template:
+    src: "{{ role_path }}/templates/schema.yml.j2"
+    dest: "{{ matrix_appservice_webhooks_config_path }}/schema.yml"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+
+- name: Ensure Matrix Appservice webhooks database.json template exists
+  template:
+    src: "{{ role_path }}/templates/database.json.j2"
+    dest: "{{ matrix_appservice_webhooks_data_path }}/database.json"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+
+- name: Ensure appservice-webhooks registration.yaml installed
+  copy:
+    content: "{{ matrix_appservice_webhooks_registration|to_nice_yaml }}"
+    dest: "{{ matrix_appservice_webhooks_config_path }}/webhooks-registration.yaml"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+
+- name: Ensure matrix-appservice-webhooks.service installed
+  template:
+    src: "{{ role_path }}/templates/systemd/matrix-appservice-webhooks.service.j2"
+    dest: "/etc/systemd/system/matrix-appservice-webhooks.service"
+    mode: 0644
+  register: matrix_appservice_webhooks_systemd_service_result
+
+- name: Ensure systemd reloaded after matrix-appservice-webhooks.service installation
+  service:
+    daemon_reload: yes
+  when: "matrix_appservice_webhooks_systemd_service_result.changed"
--- a/roles/matrix-bridge-appservice-webhooks/tasks/setup_uninstall.yml
+++ b/roles/matrix-bridge-appservice-webhooks/tasks/setup_uninstall.yml
@ -0,0 +1,24 @@
+---
+
+- name: Check existence of matrix-appservice-webhooks service
+  stat:
+    path: "/etc/systemd/system/matrix-appservice-webhooks.service"
+  register: matrix_appservice_webhooks_service_stat
+
+- name: Ensure matrix-appservice-webhooks is stopped
+  service:
+    name: matrix-appservice-webhooks
+    state: stopped
+    daemon_reload: yes
+  when: "matrix_appservice_webhooks_service_stat.stat.exists"
+
+- name: Ensure matrix-appservice-webhooks.service doesn't exist
+  file:
+    path: "/etc/systemd/system/matrix-appservice-webhooks.service"
+    state: absent
+  when: "matrix_appservice_webhooks_service_stat.stat.exists"
+
+- name: Ensure systemd reloaded after matrix-appservice-webhooks.service removal
+  service:
+    daemon_reload: yes
+  when: "matrix_appservice_webhooks_service_stat.stat.exists"
--- a/roles/matrix-bridge-appservice-webhooks/tasks/validate_config.yml
+++ b/roles/matrix-bridge-appservice-webhooks/tasks/validate_config.yml
@ -0,0 +1,12 @@
+---
+
+- name: Fail if required settings not defined
+  fail:
+    msg: >-
+      You need to define a required configuration setting (`{{ item }}`).
+  when: "vars[item] == ''"
+  with_items:
+    - "matrix_appservice_webhooks_appservice_token"
+    - "matrix_appservice_webhooks_homeserver_token"
+    - "matrix_appservice_webhooks_id_token"
+    - "matrix_appservice_webhooks_api_secret"
--- a/roles/matrix-bridge-appservice-webhooks/templates/database.json.j2
+++ b/roles/matrix-bridge-appservice-webhooks/templates/database.json.j2
@ -0,0 +1,13 @@
+{
+  "defaultEnv": {
+    "ENV": "NODE_ENV"
+  },
+  "development": {
+    "driver": "sqlite3",
+    "filename": "/data/development.db"
+  },
+  "production": {
+    "driver": "sqlite3",
+    "filename": "/data/production.db"
+  }
+}
--- a/roles/matrix-bridge-appservice-webhooks/templates/schema.yml.j2
+++ b/roles/matrix-bridge-appservice-webhooks/templates/schema.yml.j2
@ -0,0 +1,54 @@
+"$schema": "http://json-schema.org/draft-04/schema#"
+type: "object"
+properties:
+  provisioning:
+    type: "object"
+    properties:
+      secret:
+        type: "string"
+  homeserver:
+    type: "object"
+    properties:
+      domain:
+        type: "string"
+      url:
+        type: "string"
+      mediaUrl:
+        type: "string"
+  web:
+    type: "object"
+    properties:
+      hookUrlBase:
+        type: "string"
+  webhookBot:
+    type: "object"
+    properties:
+      localpart:
+        type: "string"
+      appearance:
+        type: "object"
+        properties:
+          displayName:
+            type: "string"
+          avatarUrl:
+            type: "string"
+  logging:
+    type: "object"
+    properties:
+      file:
+        type: "string"
+      console:
+        type: "boolean"
+      consoleLevel:
+        type: "string"
+      fileLevel:
+        type: "string"
+      writeFiles:
+        type: "boolean"
+      rotate:
+        type: "object"
+        properties:
+          size:
+            type: "number"
+          count:
+            type: "number"
--- a/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2
+++ b/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2
@ -0,0 +1,43 @@
+#jinja2: lstrip_blocks: "True"
+[Unit]
+Description=Matrix Appservice webhooks server
+{% for service in matrix_appservice_webhooks_systemd_required_services_list %}
+Requires={{ service }}
+After={{ service }}
+{% endfor %}
+{% for service in matrix_appservice_webhooks_systemd_wanted_services_list %}
+Wants={{ service }}
+{% endfor %}
+
+[Service]
+Type=simple
+ExecStartPre=-/usr/bin/docker kill matrix-appservice-webhooks
+ExecStartPre=-/usr/bin/docker rm matrix-appservice-webhooks
+
+# Intentional delay, so that the homeserver (we likely depend on) can manage to start.
+ExecStartPre=/bin/sleep 5
+
+ExecStart=/usr/bin/docker run --rm --name matrix-appservice-webhooks \
+			--log-driver=none \
+			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+			--cap-drop=ALL \
+			--network={{ matrix_docker_network }} \
+			{% if matrix_appservice_webhooks_container_http_host_bind_port %}
+			-p {{ matrix_appservice_webhooks_container_http_host_bind_port }}:{{matrix_appservice_webhooks_matrix_port}} \
+			{% endif %}
+			-v {{ matrix_appservice_webhooks_config_path }}:/config:z \
+			-v {{ matrix_appservice_webhooks_data_path }}:/data:z \
+			{% for arg in matrix_appservice_webhooks_container_extra_arguments %}
+			{{ arg }} \
+			{% endfor %}
+			{{ matrix_appservice_webhooks_docker_image }} \
+			node index.js -p {{ matrix_appservice_webhooks_matrix_port }} -c /config/config.yaml -f /config/webhooks-registration.yaml
+
+ExecStop=-/usr/bin/docker kill matrix-appservice-webhooks
+ExecStop=-/usr/bin/docker rm matrix-appservice-webhooks
+Restart=always
+RestartSec=30
+SyslogIdentifier=matrix-appservice-webhooks
+
+[Install]
+WantedBy=multi-user.target
--- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml
+++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml
@ -4,7 +4,7 @@
 matrix_mautrix_telegram_enabled: true

 # See: https://mau.dev/tulir/mautrix-telegram/container_registry
-matrix_mautrix_telegram_docker_image: "dock.mau.dev/tulir/mautrix-telegram:v0.6.1"
+matrix_mautrix_telegram_docker_image: "dock.mau.dev/tulir/mautrix-telegram:v0.7.0"
 matrix_mautrix_telegram_docker_image_force_pull: "{{ matrix_mautrix_telegram_docker_image.endswith(':latest') }}"

 matrix_mautrix_telegram_base_path: "{{ matrix_base_data_path }}/mautrix-telegram"
--- a/roles/matrix-corporal/tasks/self_check_corporal.yml
+++ b/roles/matrix-corporal/tasks/self_check_corporal.yml
@ -6,7 +6,7 @@
 - name: Check Matrix Corporal HTTP gateway
  uri:
    url: "{{ corporal_client_api_url_endpoint_public }}"
-    follow_redirects: false
+    follow_redirects: none
    return_content: true
  register: result_corporal_client_api
  ignore_errors: true
--- a/roles/matrix-mxisd/tasks/self_check_mxisd.yml
+++ b/roles/matrix-mxisd/tasks/self_check_mxisd.yml
@ -6,7 +6,7 @@
 - name: Check mxisd Identity Service
  uri:
    url: "{{ mxisd_url_endpoint_public }}"
-    follow_redirects: false
+    follow_redirects: none
    validate_certs: "{{ matrix_mxisd_self_check_validate_certificates }}"
  register: result_mxisd
  ignore_errors: true
--- a/roles/matrix-nginx-proxy/defaults/main.yml
+++ b/roles/matrix-nginx-proxy/defaults/main.yml
@ -152,15 +152,27 @@ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key: "{{ matrix_s
 # The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads.
 matrix_nginx_proxy_tmp_directory_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb | int) * 50 }}"

-# A list of strings containing additional configuration blocks to add to the matrix domain's server configuration.
+# A list of strings containing additional configuration blocks to add to the nginx http's server configuration.
+matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks: []
+
+# A list of strings containing additional configuration blocks to add to the matrix synapse's server configuration.
 matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: []

+# A list of strings containing additional configuration blocks to add to the matrix riot's server configuration.
+matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks: []
+
+# A list of strings containing additional configuration blocks to add to the matrix dimension's server configuration.
+matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks: []
+
+# A list of strings containing additional configuration blocks to add to the matrix domain server configuration.
+matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks: []
+
 # Specifies when to reload the matrix-nginx-proxy service so that
 # a new SSL certificate could go into effect.
 matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *"

 # Specifies which SSL protocols to use when serving Riot and Synapse
-matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2 TLSv1.3"
+matrix_nginx_proxy_ssl_protocols: "TLSv1.2 TLSv1.3"

 # Controls whether the self-check feature should validate SSL certificates.
 matrix_nginx_proxy_self_check_validate_certificates: true
--- a/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml
+++ b/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml
@ -6,7 +6,7 @@
      - path: /.well-known/matrix/client
        purpose: Client Discovery
        cors: true
-        follow_redirects: false
+        follow_redirects: none
        validate_certs: "{{ matrix_nginx_proxy_self_check_validate_certificates }}"

 - block:
@ -15,7 +15,7 @@
          path: /.well-known/matrix/server
          purpose: Server Discovery
          cors: false
-          follow_redirects: true
+          follow_redirects: safe
          validate_certs: "{{ matrix_nginx_proxy_self_check_validate_certificates }}"

    - name: Determine domains that we require certificates for (mxisd)
--- a/roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml
+++ b/roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml
@ -9,7 +9,7 @@
 - name: Check .well-known on the matrix hostname
  uri:
    url: "{{ well_known_url_matrix }}"
-    follow_redirects: false
+    follow_redirects: none
    return_content: true
    validate_certs: "{{ well_known_file_check.validate_certs }}"
  register: result_well_known_matrix
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2
@ -3,6 +3,9 @@
 {% macro render_vhost_directives() %}
 	gzip on;
 	gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
+{% for configuration_block in matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks %}
+	{{- configuration_block }}
+{% endfor %}

 	location / {
 		{% if matrix_nginx_proxy_enabled %}
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2
@ -5,6 +5,9 @@

 	gzip on;
 	gzip_types text/plain application/json;
+	{% for configuration_block in matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks %}
+		{{- configuration_block }}
+	{% endfor %}

 	location /.well-known/matrix {
 		root {{ matrix_static_files_base_path }};
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2
@ -3,6 +3,9 @@
 {% macro render_vhost_directives() %}
 	gzip on;
 	gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
+	{% for configuration_block in matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks %}
+		{{- configuration_block }}
+	{% endfor %}

 	location / {
 		{% if matrix_nginx_proxy_enabled %}
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2
@ -4,3 +4,6 @@
 #
 # Thus, we ensure a larger bucket size value is used.
 server_names_hash_bucket_size 64;
+{% for configuration_block in matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks %}
+	{{- configuration_block }}
+{% endfor %}
--- a/roles/matrix-postgres/tasks/setup_postgres.yml
+++ b/roles/matrix-postgres/tasks/setup_postgres.yml
@ -73,13 +73,19 @@
    mode: 0750
  when: matrix_postgres_enabled|bool

- name: Ensure matrix-make-user-admin script created
+- name: Ensure matrix-change-user-admin-status script created
  template:
-    src: "{{ role_path }}/templates/usr-local-bin/matrix-make-user-admin.j2"
-    dest: "/usr/local/bin/matrix-make-user-admin"
+    src: "{{ role_path }}/templates/usr-local-bin/matrix-change-user-admin-status.j2"
+    dest: "/usr/local/bin/matrix-change-user-admin-status"
    mode: 0750
  when: matrix_postgres_enabled|bool

+- name: (Migration) Ensure old matrix-make-user-admin script deleted
+  file:
+    path: "/usr/local/bin/matrix-make-user-admin"
+    state: absent
+  when: matrix_postgres_enabled|bool
+
 - name: Ensure matrix-postgres-update-user-password-hash script created
  template:
    src: "{{ role_path }}/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2"
@ -146,6 +152,6 @@
    state: absent
  with_items:
    - matrix-postgres-cli
-    - matrix-make-user-admin
+    - matrix-change-user-admin-status
    - matrix-postgres-update-user-password-hash
  when: "not matrix_postgres_enabled|bool"
--- a/roles/matrix-postgres/tasks/upgrade_postgres.yml
+++ b/roles/matrix-postgres/tasks/upgrade_postgres.yml
@ -20,6 +20,11 @@
    postgres_start_wait_time: 15
  when: "postgres_start_wait_time|default('') == ''"

+- name: Set postgres_force_upgrade, if not provided
+  set_fact:
+    postgres_force_upgrade: false
+  when: "postgres_force_upgrade|default('') == ''"
+
 - name: Fail, if trying to upgrade external Postgres database
  fail:
    msg: "Your configuration indicates that you're not using Postgres from this role. There is nothing to upgrade."
@ -45,7 +50,7 @@
 - name: Abort, if already at latest Postgres version
  fail:
    msg: "You are already running the latest Postgres version supported ({{ matrix_postgres_docker_image_latest }}). Nothing to do"
-  when: "matrix_postgres_detected_version_corresponding_docker_image == matrix_postgres_docker_image_latest"
+  when: "matrix_postgres_detected_version_corresponding_docker_image == matrix_postgres_docker_image_latest and not postgres_force_upgrade"

 - debug:
    msg: "Upgrading database from {{ matrix_postgres_detected_version_corresponding_docker_image }} to {{ matrix_postgres_docker_image_latest }}"
--- a/roles/matrix-postgres/templates/env-postgres-server.j2
+++ b/roles/matrix-postgres/templates/env-postgres-server.j2
@ -2,3 +2,6 @@
 POSTGRES_USER={{ matrix_postgres_connection_username }}
 POSTGRES_PASSWORD={{ matrix_postgres_connection_password }}
 POSTGRES_DB={{ matrix_postgres_db_name }}
+# Synapse refuses to run if collation is not C.
+# See https://github.com/matrix-org/synapse/issues/6722
+POSTGRES_INITDB_ARGS=--lc-collate C --lc-ctype C --encoding UTF8
--- a/roles/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2
+++ b/roles/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2
@ -0,0 +1,19 @@
+#jinja2: lstrip_blocks: "True"
+#!/bin/bash
+
+if [ $# -ne 2 ]; then
+	echo "Usage: "$0" <username> <0/1>"
+	echo "Usage: 0 = non-admin"
+	echo "Usage: 1 = admin"
+	exit 1
+fi
+
+docker run \
+	-it \
+	--rm \
+	--user=991:991 \
+	--cap-drop=ALL \
+	--env-file=/matrix/postgres/env-postgres-psql \
+	--network matrix \
+	postgres:12.1-alpine \
+	psql -h matrix-postgres -c "UPDATE users set admin=$2 WHERE name like '@$1:{{ matrix_domain }}'"
--- a/roles/matrix-postgres/templates/usr-local-bin/matrix-make-user-admin.j2
+++ b/roles/matrix-postgres/templates/usr-local-bin/matrix-make-user-admin.j2
@ -1,17 +0,0 @@
-#jinja2: lstrip_blocks: "True"
-#!/bin/bash
-
-if [ $# -ne 1 ]; then
-	echo "Usage: "$0" <username>"
-	exit 1
-fi
-
-docker run \
-	-it \
-	--rm \
-	--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
-    --cap-drop=ALL \
-	--env-file={{ matrix_postgres_base_path }}/env-postgres-psql \
-	--network {{ matrix_docker_network }} \
-	{{ matrix_postgres_docker_image_to_use }} \
-	psql -h {{ matrix_postgres_connection_hostname }} -c "UPDATE users set admin=1 WHERE name like '@$1:{{ matrix_domain }}'"
--- a/roles/matrix-riot-web/defaults/main.yml
+++ b/roles/matrix-riot-web/defaults/main.yml
@ -1,6 +1,6 @@
 matrix_riot_web_enabled: true

-matrix_riot_web_docker_image: "vectorim/riot-web:v1.5.7"
+matrix_riot_web_docker_image: "vectorim/riot-web:v1.5.8"
 matrix_riot_web_docker_image_force_pull: "{{ matrix_riot_web_docker_image.endswith(':latest') }}"

 matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web"
--- a/roles/matrix-riot-web/tasks/self_check_riot_web.yml
+++ b/roles/matrix-riot-web/tasks/self_check_riot_web.yml
@ -6,7 +6,7 @@
 - name: Check riot-web
  uri:
    url: "{{ riot_web_url_endpoint_public }}"
-    follow_redirects: false
+    follow_redirects: none
    validate_certs: "{{ matrix_riot_web_self_check_validate_certificates }}"
  register: result_riot_web
  ignore_errors: true
--- a/roles/matrix-synapse/defaults/main.yml
+++ b/roles/matrix-synapse/defaults/main.yml
@ -3,7 +3,7 @@

 matrix_synapse_enabled: true

-matrix_synapse_docker_image: "matrixdotorg/synapse:v1.8.0"
+matrix_synapse_docker_image: "matrixdotorg/synapse:v1.9.1"
 matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"

 matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse"
@ -259,13 +259,13 @@ matrix_synapse_email_smtp_host: ""
 matrix_synapse_email_smtp_port: 587
 matrix_synapse_email_smtp_require_transport_security: false
 matrix_synapse_email_notif_from: "Matrix <matrix@{{ matrix_domain }}>"
-matrix_synapse_email_riot_base_url: "https://{{ matrix_server_fqn_riot }}"
+matrix_synapse_email_client_base_url: "https://{{ matrix_server_fqn_riot }}"


 # Enable this to activate the REST auth password provider module.
-# See: https://github.com/kamax-io/matrix-synapse-rest-auth
+# See: https://github.com/ma1uta/matrix-synapse-rest-password-provider
 matrix_synapse_ext_password_provider_rest_auth_enabled: false
-matrix_synapse_ext_password_provider_rest_auth_download_url: "https://raw.githubusercontent.com/kamax-io/matrix-synapse-rest-auth/v0.1.2/rest_auth_provider.py"
+matrix_synapse_ext_password_provider_rest_auth_download_url: "https://raw.githubusercontent.com/ma1uta/matrix-synapse-rest-password-provider/ed377fb70513c2e51b42055eb364195af1ccaf33/rest_auth_provider.py"
 matrix_synapse_ext_password_provider_rest_auth_endpoint: ""
 matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase: false
 matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill: true
--- a/roles/matrix-synapse/tasks/self_check_client_api.yml
+++ b/roles/matrix-synapse/tasks/self_check_client_api.yml
@ -3,7 +3,7 @@
 - name: Check Matrix Client API
  uri:
    url: "{{ matrix_synapse_client_api_url_endpoint_public }}"
-    follow_redirects: false
+    follow_redirects: none
    validate_certs: "{{ matrix_synapse_self_check_validate_certificates }}"
  register: result_matrix_synapse_client_api
  ignore_errors: true
--- a/roles/matrix-synapse/tasks/self_check_federation_api.yml
+++ b/roles/matrix-synapse/tasks/self_check_federation_api.yml
@ -3,7 +3,7 @@
 - name: Check Matrix Federation API
  uri:
    url: "{{ matrix_synapse_federation_api_url_endpoint_public }}"
-    follow_redirects: false
+    follow_redirects: none
    validate_certs: "{{ matrix_synapse_self_check_validate_certificates }}"
  register: result_matrix_synapse_federation_api
  ignore_errors: true
--- a/roles/matrix-synapse/tasks/validate_config.yml
+++ b/roles/matrix-synapse/tasks/validate_config.yml
@ -15,6 +15,7 @@
      Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
  when: "item.old in vars"
  with_items:
+    - {'old': 'matrix_synapse_email_riot_base_url', 'new': '<superseded by client_base_url>'}
    - {'old': 'matrix_synapse_container_expose_api_port', 'new': '<superseded by matrix_synapse_container_federation_api_plain_host_bind_port>'}
    - {'old': 'matrix_synapse_no_tls', 'new': '<removed>'}
    - {'old': 'matrix_enable_room_list_search', 'new': 'matrix_synapse_enable_room_list_search'}
--- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
+++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
@ -392,17 +392,17 @@ retention:
  #
  # The rationale for this per-job configuration is that some rooms might have a
  # retention policy with a low 'max_lifetime', where history needs to be purged
-  # of outdated messages on a very frequent basis (e.g. every 5min), but not want
-  # that purge to be performed by a job that's iterating over every room it knows,
-  # which would be quite heavy on the server.
+  # of outdated messages on a more frequent basis than for the rest of the rooms
+  # (e.g. every 12h), but not want that purge to be performed by a job that's
+  # iterating over every room it knows, which could be heavy on the server.
  #
  #purge_jobs:
  #  - shortest_max_lifetime: 1d
  #    longest_max_lifetime: 3d
-  #    interval: 5m:
+  #    interval: 12h
  #  - shortest_max_lifetime: 3d
  #    longest_max_lifetime: 1y
-  #    interval: 24h
+  #    interval: 1d


 ## TLS ##
@ -891,23 +891,6 @@ enable_registration: {{ matrix_synapse_enable_registration|to_json }}
 # Optional account validity configuration. This allows for accounts to be denied
 # any request after a given period.
 #
-# ``enabled`` defines whether the account validity feature is enabled. Defaults
-# to False.
-#
-# ``period`` allows setting the period after which an account is valid
-# after its registration. When renewing the account, its validity period
-# will be extended by this amount of time. This parameter is required when using
-# the account validity feature.
-#
-# ``renew_at`` is the amount of time before an account's expiry date at which
-# Synapse will send an email to the account's email address with a renewal link.
-# This needs the ``email`` and ``public_baseurl`` configuration sections to be
-# filled.
-#
-# ``renew_email_subject`` is the subject of the email sent out with the renewal
-# link. ``%(app)s`` can be used as a placeholder for the ``app_name`` parameter
-# from the ``email`` section.
-#
 # Once this feature is enabled, Synapse will look for registered users without an
 # expiration date at startup and will add one to every account it found using the
 # current settings at that time.
@ -918,32 +901,55 @@ enable_registration: {{ matrix_synapse_enable_registration|to_json }}
 # date will be randomly selected within a range [now + period - d ; now + period],
 # where d is equal to 10% of the validity period.
 #
-#account_validity:
-#  enabled: True
-#  period: 6w
-#  renew_at: 1w
-#  renew_email_subject: "Renew your %(app)s account"
-#  # Directory in which Synapse will try to find the HTML files to serve to the
-#  # user when trying to renew an account. Optional, defaults to
-#  # synapse/res/templates.
-#  template_dir: "res/templates"
-#  # HTML to be displayed to the user after they successfully renewed their
-#  # account. Optional.
-#  account_renewed_html_path: "account_renewed.html"
-#  # HTML to be displayed when the user tries to renew an account with an invalid
-#  # renewal token. Optional.
-#  invalid_token_html_path: "invalid_token.html"
+account_validity:
+  # The account validity feature is disabled by default. Uncomment the
+  # following line to enable it.
+  #
+  #enabled: true

-# Time that a user's session remains valid for, after they log in.
-#
-# Note that this is not currently compatible with guest logins.
-#
-# Note also that this is calculated at login time: changes are not applied
-# retrospectively to users who have already logged in.
-#
-# By default, this is infinite.
-#
-#session_lifetime: 24h
+  # The period after which an account is valid after its registration. When
+  # renewing the account, its validity period will be extended by this amount
+  # of time. This parameter is required when using the account validity
+  # feature.
+  #
+  #period: 6w
+
+  # The amount of time before an account's expiry date at which Synapse will
+  # send an email to the account's email address with a renewal link. By
+  # default, no such emails are sent.
+  #
+  # If you enable this setting, you will also need to fill out the 'email' and
+  # 'public_baseurl' configuration sections.
+  #
+  #renew_at: 1w
+
+  # The subject of the email sent out with the renewal link. '%(app)s' can be
+  # used as a placeholder for the 'app_name' parameter from the 'email'
+  # section.
+  #
+  # Note that the placeholder must be written '%(app)s', including the
+  # trailing 's'.
+  #
+  # If this is not set, a default value is used.
+  #
+  #renew_email_subject: "Renew your %(app)s account"
+
+  # Directory in which Synapse will try to find templates for the HTML files to
+  # serve to the user when trying to renew an account. If not set, default
+  # templates from within the Synapse package will be used.
+  #
+  #template_dir: "res/templates"
+
+  # File within 'template_dir' giving the HTML to be displayed to the user after
+  # they successfully renewed their account. If not set, default text is used.
+  #
+  #account_renewed_html_path: "account_renewed.html"
+
+  # File within 'template_dir' giving the HTML to be displayed when the user
+  # tries to renew an account with an invalid renewal token. If not set,
+  # default text is used.
+  #
+  #invalid_token_html_path: "invalid_token.html"

 # The user must provide all of the below types of 3PID when registering.
 #
@ -1378,107 +1384,123 @@ password_config:
   pepper: {{ matrix_synapse_password_config_pepper|string|to_json }}


-
-# Enable sending emails for password resets, notification events or
-# account expiry notices
-#
-# If your SMTP server requires authentication, the optional smtp_user &
-# smtp_pass variables should be used
-#
-#email:
-#   enable_notifs: false
-#   smtp_host: "localhost"
-#   smtp_port: 25 # SSL: 465, STARTTLS: 587
-#   smtp_user: "exampleusername"
-#   smtp_pass: "examplepassword"
-#   require_transport_security: False
-#   notif_from: "Your Friendly %(app)s homeserver <noreply@example.com>"
-#   app_name: Matrix
-#
-#   # Enable email notifications by default
-#   #
-#   notif_for_new_users: True
-#
-#   # Defining a custom URL for Riot is only needed if email notifications
-#   # should contain links to a self-hosted installation of Riot; when set
-#   # the "app_name" setting is ignored
-#   #
-#   riot_base_url: "http://localhost/riot"
-#
-#   # Configure the time that a validation email or text message code
-#   # will expire after sending
-#   #
-#   # This is currently used for password resets
-#   #
-#   #validation_token_lifetime: 1h
-#
-#   # Template directory. All template files should be stored within this
-#   # directory. If not set, default templates from within the Synapse
-#   # package will be used
-#   #
-#   # For the list of default templates, please see
-#   # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates
-#   #
-#   #template_dir: res/templates
-#
-#   # Templates for email notifications
-#   #
-#   notif_template_html: notif_mail.html
-#   notif_template_text: notif_mail.txt
-#
-#   # Templates for account expiry notices
-#   #
-#   expiry_template_html: notice_expiry.html
-#   expiry_template_text: notice_expiry.txt
-#
-#   # Templates for password reset emails sent by the homeserver
-#   #
-#   #password_reset_template_html: password_reset.html
-#   #password_reset_template_text: password_reset.txt
-#
-#   # Templates for registration emails sent by the homeserver
-#   #
-#   #registration_template_html: registration.html
-#   #registration_template_text: registration.txt
-#
-#   # Templates for validation emails sent by the homeserver when adding an email to
-#   # your user account
-#   #
-#   #add_threepid_template_html: add_threepid.html
-#   #add_threepid_template_text: add_threepid.txt
-#
-#   # Templates for password reset success and failure pages that a user
-#   # will see after attempting to reset their password
-#   #
-#   #password_reset_template_success_html: password_reset_success.html
-#   #password_reset_template_failure_html: password_reset_failure.html
-#
-#   # Templates for registration success and failure pages that a user
-#   # will see after attempting to register using an email or phone
-#   #
-#   #registration_template_success_html: registration_success.html
-#   #registration_template_failure_html: registration_failure.html
-#
-#   # Templates for success and failure pages that a user will see after attempting
-#   # to add an email or phone to their account
-#   #
-#   #add_threepid_success_html: add_threepid_success.html
-#   #add_threepid_failure_html: add_threepid_failure.html
 {% if matrix_synapse_email_enabled %}
+# Configuration for sending emails from Synapse.
+#
 email:
-   enable_notifs: true
-   smtp_host: {{ matrix_synapse_email_smtp_host|string|to_json }}
-   smtp_port: {{ matrix_synapse_email_smtp_port|to_json }}
-   require_transport_security: {{ matrix_synapse_email_smtp_require_transport_security|to_json }}
-   notif_from: {{ matrix_synapse_email_notif_from|string|to_json }}
-   app_name: Matrix
-   notif_template_html: notif_mail.html
-   notif_template_text: notif_mail.txt
-   # Templates for account expiry notices.
-   expiry_template_html: notice_expiry.html
-   expiry_template_text: notice_expiry.txt
-   notif_for_new_users: True
-   riot_base_url: {{ matrix_synapse_email_riot_base_url|string|to_json }}
+  # The hostname of the outgoing SMTP server to use. Defaults to 'localhost'.
+  #
+  #smtp_host: mail.server
+  smtp_host: {{ matrix_synapse_email_smtp_host|string|to_json }}
+
+  # The port on the mail server for outgoing SMTP. Defaults to 25.
+  #
+  #smtp_port: 587
+  smtp_port: {{ matrix_synapse_email_smtp_port|to_json }}
+
+  # Username/password for authentication to the SMTP server. By default, no
+  # authentication is attempted.
+  #
+  # smtp_user: "exampleusername"
+  # smtp_pass: "examplepassword"
+
+  # Uncomment the following to require TLS transport security for SMTP.
+  # By default, Synapse will connect over plain text, and will then switch to
+  # TLS via STARTTLS *if the SMTP server supports it*. If this option is set,
+  # Synapse will refuse to connect unless the server supports STARTTLS.
+  #
+  #require_transport_security: true
+  require_transport_security: {{ matrix_synapse_email_smtp_require_transport_security|to_json }}
+
+  # Enable sending emails for messages that the user has missed
+  #
+  #enable_notifs: false
+  enable_notifs: true
+
+  # notif_from defines the "From" address to use when sending emails.
+  # It must be set if email sending is enabled.
+  #
+  # The placeholder '%(app)s' will be replaced by the application name,
+  # which is normally 'app_name' (below), but may be overridden by the
+  # Matrix client application.
+  #
+  # Note that the placeholder must be written '%(app)s', including the
+  # trailing 's'.
+  #
+  #notif_from: "Your Friendly %(app)s homeserver <noreply@example.com>"
+  notif_from: {{ matrix_synapse_email_notif_from|string|to_json }}
+
+  # app_name defines the default value for '%(app)s' in notif_from. It
+  # defaults to 'Matrix'.
+  #
+  #app_name: my_branded_matrix_server
+  app_name: Matrix
+
+  # Uncomment the following to disable automatic subscription to email
+  # notifications for new users. Enabled by default.
+  #
+  #notif_for_new_users: false
+  notif_for_new_users: True
+
+  # Custom URL for client links within the email notifications. By default
+  # links will be based on "https://matrix.to".
+  #
+  # (This setting used to be called riot_base_url; the old name is still
+  # supported for backwards-compatibility but is now deprecated.)
+  #
+  #client_base_url: "http://localhost/riot"
+  client_base_url: {{ matrix_synapse_email_client_base_url|string|to_json }}
+
+  # Configure the time that a validation email will expire after sending.
+  # Defaults to 1h.
+  #
+  #validation_token_lifetime: 15m
+
+  # Directory in which Synapse will try to find the template files below.
+  # If not set, default templates from within the Synapse package will be used.
+  #
+  # DO NOT UNCOMMENT THIS SETTING unless you want to customise the templates.
+  # If you *do* uncomment it, you will need to make sure that all the templates
+  # below are in the directory.
+  #
+  # Synapse will look for the following templates in this directory:
+  #
+  # * The contents of email notifications of missed events: 'notif_mail.html' and
+  #   'notif_mail.txt'.
+  #
+  # * The contents of account expiry notice emails: 'notice_expiry.html' and
+  #   'notice_expiry.txt'.
+  #
+  # * The contents of password reset emails sent by the homeserver:
+  #   'password_reset.html' and 'password_reset.txt'
+  #
+  # * HTML pages for success and failure that a user will see when they follow
+  #   the link in the password reset email: 'password_reset_success.html' and
+  #   'password_reset_failure.html'
+  #
+  # * The contents of address verification emails sent during registration:
+  #   'registration.html' and 'registration.txt'
+  #
+  # * HTML pages for success and failure that a user will see when they follow
+  #   the link in an address verification email sent during registration:
+  #   'registration_success.html' and 'registration_failure.html'
+  #
+  # * The contents of address verification emails sent when an address is added
+  #   to a Matrix account: 'add_threepid.html' and 'add_threepid.txt'
+  #
+  # * HTML pages for success and failure that a user will see when they follow
+  #   the link in an address verification email sent when an address is added
+  #   to a Matrix account: 'add_threepid_success.html' and
+  #   'add_threepid_failure.html'
+  #
+  # You can see the default templates at:
+  # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates
+  #
+  #template_dir: "res/templates"
+  notif_template_html: notif_mail.html
+  notif_template_text: notif_mail.txt
+  expiry_template_html: notice_expiry.html
+  expiry_template_text: notice_expiry.txt
 {% endif %}


--- a/setup.yml
+++ b/setup.yml
@ -10,6 +10,7 @@
    - matrix-corporal
    - matrix-bridge-appservice-discord
    - matrix-bridge-appservice-slack
+    - matrix-bridge-appservice-webhooks
    - matrix-bridge-appservice-irc
    - matrix-bridge-mautrix-facebook
    - matrix-bridge-mautrix-hangouts