Merge remote-tracking branch 'master' into feature/add-worker-support

4 years ago · 93a8ea7e4a
parent fc2edcbecf 898f319e11
commit 93a8ea7e4a
30 changed files with 281 additions and 82 deletions
--- a/.gitignore
+++ b/.gitignore
@ -3,3 +3,5 @@
 !/inventory/host_vars/.gitkeep
 !/inventory/scripts
 /roles/*/files/scratchpad
+.DS_Store
+.python-version
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,3 +1,22 @@
+# 2020-10-02
+
+## Minimum Ansible version raised to v2.7.0
+
+We were claiming to support [Ansible](https://www.ansible.com/) v2.5.2 and higher, but issues like [#662](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/662) demonstrate that we need at least v2.7.0.
+
+If you've been using the playbook without getting any errors until now, you're probably on a version higher than that already (or you're not using the `matrix-ma1sd` and `matrix-client-element` roles).
+
+Our [Ansible docs page](docs/ansible.md) contains information on how to run a more up-to-date version of Ansible.
+
+
+# 2020-10-01
+
+## Postgres 13 support
+
+The playbook now installs [Postgres 13](https://www.postgresql.org/about/news/postgresql-13-released-2077/) by default.
+
+If you have have an existing setup, it's likely running on an older Postgres version (9.x, 10.x, 11.x or 12.x). You can easily upgrade by following the [upgrading PostgreSQL guide](docs/maintenance-postgres.md#upgrading-postgresql).
+
 # 2020-09-01

 ## matrix-registration support
--- a/README.md
+++ b/README.md
@ -56,7 +56,7 @@ Using this playbook, you can get the following services configured on your serve

 - (optional) the [mx-puppet-twitter](https://github.com/Sorunome/mx-puppet-twitter) bridge for Twitter-DMs ([Twitter](https://twitter.com/) - see [docs/configuring-playbook-bridge-mx-puppet-twitter.md](docs/configuring-playbook-bridge-mx-puppet-twitter.md) for setup documentation

- (optional) the [mx-puppet-discord](https://github.com/Sorunome/mx-puppet-discord) bridge for [Discord](https://discordapp.com/)) - see [docs/configuring-playbook-bridge-mx-puppet-discord.md](docs/configuring-playbook-bridge-mx-puppet-discord.md) for setup documentation
+- (optional) the [mx-puppet-discord](https://github.com/matrix-discord/mx-puppet-discord) bridge for [Discord](https://discordapp.com/)) - see [docs/configuring-playbook-bridge-mx-puppet-discord.md](docs/configuring-playbook-bridge-mx-puppet-discord.md) for setup documentation

 - (optional) the [mx-puppet-steam](https://github.com/icewind1991/mx-puppet-steam) bridge for [Steam](https://steamapp.com/)) - see [docs/configuring-playbook-bridge-mx-puppet-steam.md](docs/configuring-playbook-bridge-mx-puppet-steam.md) for setup documentation

--- a/docs/ansible.md
+++ b/docs/ansible.md
@ -9,7 +9,7 @@ If your local computer cannot run Ansible, you can also run Ansible on some serv

 ## Supported Ansible versions

-Ansible 2.5.2 or newer is required.
+Ansible 2.7.0 or newer is required.


 ## Checking your Ansible version
@ -49,7 +49,7 @@ docker run -it --rm \
 -v `pwd`:/work \
 -v $HOME/.ssh/id_rsa:/root/.ssh/id_rsa:ro \
 --entrypoint=/bin/sh \
-devture/ansible:2.9.9-r0
+devture/ansible:2.9.13-r0
 ```

 The above command tries to mount an SSH key (`$HOME/.ssh/id_rsa`) into the container (at `/root/.ssh/id_rsa`).
--- a/docs/configuring-playbook-dimension.md
+++ b/docs/configuring-playbook-dimension.md
@ -38,6 +38,7 @@ Follow our [Registering users](registering-users.md) guide to learn how to regis

 You are required to specify an access token (belonging to this new user) for Dimension to work.
 To get an access token for the Dimension user, you can follow one of two options:
+
 *Through an interactive login*:

 1. In a private browsing session (incognito window), open Element.
--- a/docs/configuring-playbook-jitsi.md
+++ b/docs/configuring-playbook-jitsi.md
@ -56,11 +56,19 @@ The default authentication mode of Jitsi is `internal`, however LDAP is also sup
 ```yaml
 matrix_jitsi_enable_auth: true
 matrix_jitsi_auth_type: ldap
-matrix_jitsi_ldap_url: ldap://ldap.DOMAIN  # or ldaps:// if using tls
-matrix_jitsi_ldap_base: "OU=People,DC=DOMAIN"
-matrix_jitsi_ldap_filter: "(&(uid=%u)(employeeType=active))"
-matrix_jitsi_ldap_use_tls: false
-matrix_jitsi_ldap_start_tls: true
+matrix_jitsi_ldap_url: "ldap://ldap.DOMAIN"
+matrix_jitsi_ldap_base: "OU=People,DC=DOMAIN
+#matrix_jitsi_ldap_binddn: ""
+#matrix_jitsi_ldap_bindpw: ""
+matrix_jitsi_ldap_filter: "uid=%u"
+matrix_jitsi_ldap_auth_method: "bind"
+matrix_jitsi_ldap_version: "3"
+matrix_jitsi_ldap_use_tls: true
+matrix_jitsi_ldap_tls_ciphers: ""
+matrix_jitsi_ldap_tls_check_peer: true
+matrix_jitsi_ldap_tls_cacert_file: "/etc/ssl/certs/ca-certificates.crt"
+matrix_jitsi_ldap_tls_cacert_dir: "/etc/ssl/certs"
+matrix_jitsi_ldap_start_tls: false
 ```

 For more information refer to the [docker-jitsi-meet](https://github.com/jitsi/docker-jitsi-meet#authentication-using-ldap) and the [saslauthd `LDAP_SASLAUTHD`](https://github.com/winlibs/cyrus-sasl/blob/master/saslauthd/LDAP_SASLAUTHD) documentation.
--- a/docs/configuring-playbook-ssl-certificates.md
+++ b/docs/configuring-playbook-ssl-certificates.md
@ -3,7 +3,7 @@
 By default, this playbook retrieves and auto-renews free SSL certificates from [Let's Encrypt](https://letsencrypt.org/) for the domains it needs (`matrix.<your-domain>` and possibly `element.<your-domain>`)

 Those certificates are used when configuring the nginx reverse proxy installed by this playbook.
-They can also be used for configuring [your own webserver](docs/configuring-playbook-own-webserver.md), in case you're not using the integrated nginx server provided by the playbook.
+They can also be used for configuring [your own webserver](configuring-playbook-own-webserver.md), in case you're not using the integrated nginx server provided by the playbook.

 If you need to retrieve certificates for other domains (e.g. your base domain) or more control over certificate retrieval, read below.

@ -13,7 +13,7 @@ Things discussed in this document:

 - [Using your own SSL certificates](#using-your-own-ssl-certificates), if you don't want to or can't use Let's Encrypt certificates, but are still interested in using the integrated nginx reverse proxy server

- [Not bothering with SSL certificates](#not-bothering-with-ssl-certificates), if you're using [your own webserver](docs/configuring-playbook-own-webserver.md) and would rather this playbook leaves SSL certificate management to you
+- [Not bothering with SSL certificates](#not-bothering-with-ssl-certificates), if you're using [your own webserver](configuring-playbook-own-webserver.md) and would rather this playbook leaves SSL certificate management to you

 - [Obtaining SSL certificates for additional domains](#obtaining-ssl-certificates-for-additional-domains), if you'd like to host additional domains on the Matrix server and would like the playbook to help you obtain and renew certificates for those domains automatically

--- a/docs/importing-sqlite.md
+++ b/docs/importing-sqlite.md
@ -20,4 +20,7 @@ Run this command (make sure to replace `<server-path-to-homeserver.db>` with a f

 	ansible-playbook -i inventory/hosts setup.yml --extra-vars='server_path_homeserver_db=<server-path-to-homeserver.db>' --tags=import-sqlite-db

-**Note**: `<server-path-to-homeserver.db>` must be a file path to a `homeserver.db` file on the server (not on your local machine!).
+**Notes**:
+
+- `<server-path-to-homeserver.db>` must be a file path to a `homeserver.db` **file on the server** (not on your local machine!).
+- if the SQLite database is from an older version of Synapse, the **importing procedure may run migrations on it to bring it up to date**. That is, your SQLite database file may get modified and become unusable with your older Synapse version. Keeping a copy of the original is probably wise.
--- a/docs/maintenance-postgres.md
+++ b/docs/maintenance-postgres.md
@ -45,7 +45,7 @@ docker run \
 --log-driver=none \
 --network=matrix \
 --env-file=/matrix/postgres/env-postgres-psql \
-postgres:12.4-alpine \
+postgres:13.0-alpine \
 pg_dumpall -h matrix-postgres \
 | gzip -c \
 > /postgres.sql.gz
--- a/examples/caddy2/Caddyfile
+++ b/examples/caddy2/Caddyfile
@ -0,0 +1,147 @@
+matrix.DOMAIN.tld {
+  @identity {
+        path /_matrix/identity/*
+  }
+
+  @noidentity {
+        not path /_matrix/identity/*
+  }
+
+  @search {
+        path /_matrix/client/r0/user_directory/search/*
+  }
+
+  @nosearch {
+        not path /_matrix/client/r0/user_directory/search/*
+  }
+
+  @static {
+        path /matrix/static-files/*
+  }
+
+  @nostatic {
+        not path /matrix/static-files/*
+  }
+
+  header {
+        # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
+        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+        # Enable cross-site filter (XSS) and tell browser to block detected attacks
+        X-XSS-Protection "1; mode=block"
+        # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
+        X-Content-Type-Options "nosniff"
+        # Disallow the site to be rendered within a frame (clickjacking protection)
+        X-Frame-Options "DENY"
+        # X-Robots-Tag
+        X-Robots-Tag "noindex, noarchive, nofollow"
+                                                                                                                                                                                                                      167,9         79%
+  }
+
+  # Cache
+  header @static {
+        # Cache
+    Cache-Control "public, max-age=31536000"
+    defer
+  }
+
+  # identity
+  handle @identity {
+        reverse_proxy localhost:8090  {
+               header_up X-Forwarded-Port {http.request.port}
+               header_up X-Forwarded-Proto {http.request.scheme}
+               header_up X-Forwarded-TlsProto {tls_protocol}
+               header_up X-Forwarded-TlsCipher {tls_cipher}
+               header_up X-Forwarded-HttpsProto {proto}
+        }
+  }
+
+  # search
+  handle @search {
+        reverse_proxy localhost:8090   {
+               header_up X-Forwarded-Port {http.request.port}
+               header_up X-Forwarded-Proto {http.request.scheme}
+               header_up X-Forwarded-TlsProto {tls_protocol}
+               header_up X-Forwarded-TlsCipher {tls_cipher}
+               header_up X-Forwarded-HttpsProto {proto}
+        }
+  }
+
+  handle {
+        encode zstd gzip
+
+        reverse_proxy localhost:8008  {
+               header_up X-Forwarded-Port {http.request.port}
+               header_up X-Forwarded-Proto {http.request.scheme}
+               header_up X-Forwarded-TlsProto {tls_protocol}
+               header_up X-Forwarded-TlsCipher {tls_cipher}
+               header_up X-Forwarded-HttpsProto {proto}
+        }
+  }
+}
+
+matrix.DOMAIN.tld:8448 {
+    handle {
+        encode zstd gzip
+
+        reverse_proxy 127.0.0.1:8048 {
+               header_up X-Forwarded-Port {http.request.port}
+               header_up X-Forwarded-Proto {http.request.scheme}
+               header_up X-Forwarded-TlsProto {tls_protocol}
+               header_up X-Forwarded-TlsCipher {tls_cipher}
+               header_up X-Forwarded-HttpsProto {proto}
+        }
+    }
+}
+
+dimension.DOMAIN.tld {
+header {
+         	# Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
+        	Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+        	# Enable cross-site filter (XSS) and tell browser to block detected attacks
+        	X-XSS-Protection "1; mode=block"
+        	# Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
+        	X-Content-Type-Options "nosniff"
+        	# Disallow the site to be rendered within a frame (clickjacking protection)
+        	X-Frame-Options "DENY"
+        	# X-Robots-Tag
+        	X-Robots-Tag "noindex, noarchive, nofollow"
+  	}
+
+    	handle {
+        	encode zstd gzip
+
+        	reverse_proxy localhost:8184  {
+               		header_up X-Forwarded-Port {http.request.port}
+               		header_up X-Forwarded-Proto {http.request.scheme}
+               		header_up X-Forwarded-TlsProto {tls_protocol}
+               		header_up X-Forwarded-TlsCipher {tls_cipher}
+               		header_up X-Forwarded-HttpsProto {proto}
+        	}
+  	}
+}
+
+element.DOMAIN.tld {
+ 	header {
+         	# Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
+        	Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+        	# Enable cross-site filter (XSS) and tell browser to block detected attacks
+        	X-XSS-Protection "1; mode=block"
+        	# Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
+        	X-Content-Type-Options "nosniff"
+        	# Disallow the site to be rendered within a frame (clickjacking protection)
+        	X-Frame-Options "DENY"
+        	# X-Robots-Tag
+        	X-Robots-Tag "noindex, noarchive, nofollow"
+  	}
+
+        handle {
+              encode zstd gzip
+
+              reverse_proxy localhost:8765 {
+                     header_up X-Forwarded-Port {http.request.port}
+                     header_up X-Forwarded-Proto {http.request.scheme}
+                     header_up X-Forwarded-TlsProto {tls_protocol}
+                     header_up X-Forwarded-TlsCipher {tls_cipher}
+                     header_up X-Forwarded-HttpsProto {proto}
+        }
+}
--- a/examples/host-vars.yml
+++ b/examples/host-vars.yml
@ -4,6 +4,9 @@
 # Note: this playbook does not touch the server referenced here.
 # Installation happens on another server ("matrix.<matrix-domain>").
 #
+# If you've deployed using the wrong domain, you'll have to run the Uninstalling step, 
+# because you can't change the Domain after deployment.
+#
 # Example value: example.com
 matrix_domain: YOUR_BARE_DOMAIN_NAME_HERE

--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@ -18,8 +18,6 @@

 matrix_identity_server_url: "{{ ('https://' + matrix_server_fqn_matrix) if matrix_ma1sd_enabled else None }}"

-matrix_riot_jitsi_preferredDomain: "{{ matrix_server_fqn_jitsi if matrix_jitsi_enabled else '' }}"
-
 ######################################################################
 #
 # /matrix-base
@ -1045,6 +1043,8 @@ matrix_synapse_admin_enabled: false
 # Synapse Admin's HTTP port to the local host.
 matrix_synapse_admin_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8766' }}"

+matrix_synapse_admin_container_self_build: "{{ matrix_architecture != 'amd64' }}"
+
 ######################################################################
 #
 # /matrix-synapse-admin
--- a/roles/matrix-base/defaults/main.yml
+++ b/roles/matrix-base/defaults/main.yml
@ -59,13 +59,13 @@ matrix_integration_manager_ui_url: ~

 # The domain name where a Jitsi server is self-hosted.
 # If set, `/.well-known/matrix/client` will suggest Element clients to use that Jitsi server.
-# See: https://github.com/vector-im/riot-web/blob/develop/docs/jitsi.md#configuring-riot-to-use-your-self-hosted-jitsi-server
-matrix_riot_jitsi_preferredDomain: ''
+# See: https://github.com/vector-im/element-web/blob/develop/docs/jitsi.md#configuring-element-to-use-your-self-hosted-jitsi-server
+matrix_client_element_jitsi_preferredDomain: ''

 # Controls whether Element should use End-to-End Encryption by default.
 # Setting this to false will update `/.well-known/matrix/client` and tell Element clients to avoid E2EE.
-# See: https://github.com/vector-im/riot-web/blob/develop/docs/e2ee.md
-matrix_riot_e2ee_default: true
+# See: https://github.com/vector-im/element-web/blob/develop/docs/e2ee.md
+matrix_client_element_e2ee_default: true

 # The Docker network that all services would be put into
 matrix_docker_network: "matrix"
--- a/roles/matrix-base/tasks/sanity_check.yml
+++ b/roles/matrix-base/tasks/sanity_check.yml
@ -1,19 +1,10 @@
 ---

- set_fact:
-    matrix_ansible_outdated_fail_msg: "You are running on Ansible {{ ansible_version.string }}, which is not supported. See our guide about Ansible: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/ansible.md"
-
- name: Fail if running on Ansible < 2.5
-  fail:
-    msg: "{{ matrix_ansible_outdated_fail_msg }}"
-  when: "ansible_version.major <= 2 and ansible_version.minor < 5"
-
-# Ansible 2.5.0 and 2.5.1 are known to have a bug with `include_tasks` + `with_items`.
-# The bug has been fixed in Ansible 2.5.2.
- name: Fail if running on Ansible 2.5.x (lower than 2.5.2)
+# We generally support Ansible 2.7.0 and above.
+- name: Fail if running on Ansible < 2.7
  fail:
-    msg: "{{ matrix_ansible_outdated_fail_msg }}"
-  when: "ansible_version.major == 2 and ansible_version.minor == 5 and ansible_version.revision < 2"
+    msg: "You are running on Ansible {{ ansible_version.string }}, which is not supported. See our guide about Ansible: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/ansible.md"
+  when: "(ansible_version.major < 2) or (ansible_version.major <= 2 and ansible_version.minor < 7)"

 - name: (Deprecation) Catch and report renamed settings
  fail:
--- a/roles/matrix-base/tasks/setup_matrix_user.yml
+++ b/roles/matrix-base/tasks/setup_matrix_user.yml
@ -17,6 +17,9 @@
    uid: "{{ omit if matrix_user_uid is none else matrix_user_uid }}"
    state: present
    group: "{{ matrix_user_groupname }}"
+    home: "{{ matrix_base_data_path }}"
+    create_home: no
+    system: yes
  register: matrix_user

 - name: Set Matrix Group UID Variable
--- a/roles/matrix-base/templates/static-files/well-known/matrix-client.j2
+++ b/roles/matrix-base/templates/static-files/well-known/matrix-client.j2
@ -18,12 +18,18 @@
 		]
 	}
 	{% endif %}
-	{% if matrix_riot_jitsi_preferredDomain %},
+	{% if matrix_client_element_jitsi_preferredDomain %},
+	"io.element.jitsi": {
+		"preferredDomain": {{ matrix_client_element_jitsi_preferredDomain|to_json }}
+	},
 	"im.vector.riot.jitsi": {
-		"preferredDomain": {{ matrix_riot_jitsi_preferredDomain|to_json }}
+		"preferredDomain": {{ matrix_client_element_jitsi_preferredDomain|to_json }}
 	}
 	{% endif %}
-	{% if not matrix_riot_e2ee_default %},
+	{% if not matrix_client_element_e2ee_default %},
+	"io.element.e2ee": {
+		"default": false
+	},
 	"im.vector.riot.e2ee": {
 		"default": false
 	}
--- a/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml
+++ b/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml
@ -3,7 +3,7 @@

 matrix_bot_matrix_reminder_bot_enabled: true

-matrix_bot_matrix_reminder_bot_docker_image: "anoa/matrix-reminder-bot:release-0.1.0"
+matrix_bot_matrix_reminder_bot_docker_image: "anoa/matrix-reminder-bot:release-v0.2.0"
 matrix_bot_matrix_reminder_bot_docker_image_force_pull: "{{ matrix_bot_matrix_reminder_bot_docker_image.endswith(':latest') }}"

 matrix_bot_matrix_reminder_bot_base_path: "{{ matrix_base_data_path }}/matrix-reminder-bot"
--- a/roles/matrix-bridge-appservice-slack/defaults/main.yml
+++ b/roles/matrix-bridge-appservice-slack/defaults/main.yml
@ -3,7 +3,7 @@

 matrix_appservice_slack_enabled: true

-matrix_appservice_slack_docker_image: "cadair/matrix-appservice-slack:cadair"
+matrix_appservice_slack_docker_image: "matrixdotorg/matrix-appservice-slack:release-1.5.0"
 matrix_appservice_slack_docker_image_force_pull: "{{ matrix_appservice_slack_docker_image.endswith(':latest') }}"

 matrix_appservice_slack_base_path: "{{ matrix_base_data_path }}/appservice-slack"
--- a/roles/matrix-bridge-mx-puppet-instagram/templates/systemd/matrix-mx-puppet-instagram.service.j2
+++ b/roles/matrix-bridge-mx-puppet-instagram/templates/systemd/matrix-mx-puppet-instagram.service.j2
@ -1,6 +1,6 @@
 #jinja2: lstrip_blocks: "True"
 [Unit]
-Description=Matrix mx-puppet-instagram bridge
+Description=Matrix Mx Puppet Instagram server
 {% for service in matrix_mx_puppet_instagram_systemd_required_services_list %}
 Requires={{ service }}
 After={{ service }}
--- a/roles/matrix-client-element/defaults/main.yml
+++ b/roles/matrix-client-element/defaults/main.yml
@ -2,7 +2,7 @@ matrix_client_element_enabled: true

 matrix_client_element_container_image_self_build: false

-matrix_client_element_docker_image: "vectorim/riot-web:v1.7.5"
+matrix_client_element_docker_image: "vectorim/riot-web:v1.7.8"
 matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}"

 matrix_client_element_data_path: "{{ matrix_base_data_path }}/client-element"
@ -30,9 +30,11 @@ matrix_client_element_integrations_rest_url: "https://scalar.vector.im/api"
 matrix_client_element_integrations_widgets_urls: ["https://scalar.vector.im/api"]
 matrix_client_element_integrations_jitsi_widget_url: "https://scalar.vector.im/api/widgets/jitsi.html"
 matrix_client_element_permalinkPrefix: "https://matrix.to"
+matrix_client_element_bug_report_endpoint_url: "https://element.io/bugreports/submit"
+matrix_client_element_showLabsSettings: true
 # Element public room directory server(s)
 matrix_client_element_roomdir_servers: ['matrix.org']
-matrix_client_element_welcome_user_id: "@riot-bot:matrix.org"
+matrix_client_element_welcome_user_id: ~
 # Branding of Element
 matrix_client_element_brand: "Element"

--- a/roles/matrix-client-element/templates/config.json.j2
+++ b/roles/matrix-client-element/templates/config.json.j2
@ -20,8 +20,8 @@
 	"integrations_rest_url": {{ matrix_client_element_integrations_rest_url|string|to_json }},
 	"integrations_widgets_urls": {{ matrix_client_element_integrations_widgets_urls|to_json }},
 	"integrations_jitsi_widget_url": {{ matrix_client_element_integrations_jitsi_widget_url|string|to_json }},
-	"bug_report_endpoint_url": "https://riot.im/bugreports/submit",
-	"enableLabs": true,
+	"bug_report_endpoint_url": {{ matrix_client_element_bug_report_endpoint_url|to_json }},
+	"showLabsSettings": {{ matrix_client_element_showLabsSettings|to_json }},
 	"roomDirectory": {
 		"servers": {{ matrix_client_element_roomdir_servers|to_json }}
 	},
--- a/roles/matrix-client-element/templates/welcome.html.j2
+++ b/roles/matrix-client-element/templates/welcome.html.j2
@ -97,19 +97,10 @@ h1::after {
    color: #2e2f32 !important;
 }

-.mx_ButtonHeadline {
-    margin-bottom: 14px;
-}
-
 .mx_ButtonLabel {
    margin-left: 20px;
 }

-.mx_ButtonWrapperText {
-    font-size: 13px;
-    margin-bottom: 10px;
-}
-
 .mx_Header_title {
    font-size: 24px;
    font-weight: 600;
@ -128,7 +119,7 @@ h1::after {
 }

 .mx_ButtonCreateAccount {
-    background-color: #03B381;
+    background-color: #0DBD8B;
    color: white !important;
 }

@ -150,6 +141,32 @@ h1::after {
    background-image: url('welcome/images/icon-room-directory.svg');
 }

+/*
+.mx_WelcomePage_loggedIn is applied by EmbeddedPage from the Welcome component
+If it is set on the page, we should show the buttons. Otherwise, we have to assume
+we don't have an account and should hide them. No account == no guest account either.
+ */
+.mx_WelcomePage:not(.mx_WelcomePage_loggedIn) .mx_WelcomePage_guestFunctions {
+    display: none;
+}
+
+.mx_ButtonRow.mx_WelcomePage_guestFunctions {
+    margin-top: 20px;
+}
+.mx_ButtonRow.mx_WelcomePage_guestFunctions > div {
+    margin: 0 auto;
+}
+
+@media only screen and (max-width: 480px) {
+    .mx_ButtonRow {
+        flex-direction: column;
+    }
+
+    .mx_ButtonRow > * {
+        margin: 0 0 10px 0;
+    }
+}
+
 </style>

 <div class="mx_Parent">
@ -175,17 +192,10 @@ h1::after {
             See https://github.com/vector-im/riot-web/issues/8622.
             TODO: Convert to config option if possible. -->
        <!-- BEGIN Ansible: Remove these lines when guest access is disabled -->
-        <div class="mx_ButtonRow">
-            <div>
-                <div class="mx_ButtonWrapperText">_t("Need help?")</div>
-                <a href="#/user/@riot-bot:matrix.org?action=chat" class="mx_ButtonParent mx_SecondaryButton mx_Button_iconHelp">
-                    <div class="mx_ButtonLabel">_t("Chat with Riot Bot")</div>
-                </a>
-            </div>
+        <div class="mx_ButtonRow mx_WelcomePage_guestFunctions">
            <div>
-                <div class="mx_ButtonWrapperText">_t("Explore rooms")</div>
                <a href="#/directory" class="mx_ButtonParent mx_SecondaryButton mx_Button_iconRoomDirectory">
-                    <div class="mx_ButtonLabel">_t("Room Directory")</div>
+                    <div class="mx_ButtonLabel">_t("Explore rooms")</div>
                </a>
            </div>
        </div>
--- a/roles/matrix-corporal/defaults/main.yml
+++ b/roles/matrix-corporal/defaults/main.yml
@ -19,7 +19,7 @@ matrix_corporal_container_extra_arguments: []
 # List of systemd services that matrix-corporal.service depends on
 matrix_corporal_systemd_required_services_list: ['docker.service']

-matrix_corporal_docker_image: "devture/matrix-corporal:1.9.0"
+matrix_corporal_docker_image: "devture/matrix-corporal:1.11.0"
 matrix_corporal_docker_image_force_pull: "{{ matrix_corporal_docker_image.endswith(':latest') }}"

 matrix_corporal_base_path: "{{ matrix_base_data_path }}/corporal"
--- a/roles/matrix-dimension/defaults/main.yml
+++ b/roles/matrix-dimension/defaults/main.yml
@ -27,7 +27,7 @@ matrix_dimension_container_http_host_bind_port: ''
 # A list of extra arguments to pass to the container
 matrix_dimension_container_extra_arguments: []

-matrix_dimension_integrations_ui_url: "https://{{ matrix_server_fqn_dimension }}/riot"
+matrix_dimension_integrations_ui_url: "https://{{ matrix_server_fqn_dimension }}/element"
 matrix_dimension_integrations_rest_url: "https://{{ matrix_server_fqn_dimension }}/api/v1/scalar"
 matrix_dimension_integrations_widgets_urls: ["https://{{ matrix_server_fqn_dimension }}/widgets"]
 matrix_dimension_integrations_jitsi_widget_url: "https://{{ matrix_server_fqn_dimension }}/widgets/jitsi"
--- a/roles/matrix-postgres/defaults/main.yml
+++ b/roles/matrix-postgres/defaults/main.yml
@ -12,7 +12,8 @@ matrix_postgres_docker_image_v9: "postgres:9.6.19-alpine"
 matrix_postgres_docker_image_v10: "postgres:10.14-alpine"
 matrix_postgres_docker_image_v11: "postgres:11.9-alpine"
 matrix_postgres_docker_image_v12: "postgres:12.4-alpine"
-matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v12 }}"
+matrix_postgres_docker_image_v13: "postgres:13.0-alpine"
+matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v13 }}"

 # This variable is assigned at runtime. Overriding its value has no effect.
 matrix_postgres_docker_image_to_use: '{{ matrix_postgres_docker_image_latest }}'
--- a/roles/matrix-postgres/tasks/import_sqlite_db.yml
+++ b/roles/matrix-postgres/tasks/import_sqlite_db.yml
@ -81,6 +81,6 @@
    --entrypoint=python
    -v {{ matrix_synapse_config_dir_path }}:/data
    -v {{ matrix_synapse_config_dir_path }}:/matrix-media-store-parent/media-store
-    -v {{ server_path_homeserver_db }}:/{{ server_path_homeserver_db|basename }}:ro
+    -v {{ server_path_homeserver_db }}:/{{ server_path_homeserver_db|basename }}
    {{ matrix_synapse_docker_image }}
    /usr/local/bin/synapse_port_db --sqlite-database /{{ server_path_homeserver_db|basename }} --postgres-config /data/homeserver.yaml
--- a/roles/matrix-postgres/tasks/util/detect_existing_postgres_version.yml
+++ b/roles/matrix-postgres/tasks/util/detect_existing_postgres_version.yml
@ -49,3 +49,8 @@
  set_fact:
    matrix_postgres_detected_version_corresponding_docker_image: "{{ matrix_postgres_docker_image_v11 }}"
  when: "matrix_postgres_detected_version == '11' or matrix_postgres_detected_version.startswith('11.')"
+
+- name: Determine corresponding Docker image to detected version (use 12.x, if detected)
+  set_fact:
+    matrix_postgres_detected_version_corresponding_docker_image: "{{ matrix_postgres_docker_image_v12 }}"
+  when: "matrix_postgres_detected_version == '12' or matrix_postgres_detected_version.startswith('12.')"
--- a/roles/matrix-synapse-admin/defaults/main.yml
+++ b/roles/matrix-synapse-admin/defaults/main.yml
@ -7,7 +7,7 @@ matrix_synapse_admin_container_self_build: false
 matrix_synapse_admin_docker_repo: "https://github.com/Awesome-Technologies/synapse-admin.git"
 matrix_synapse_admin_docker_src_files_path: "{{ matrix_base_data_path }}/synapse-admin/docker-src"

-matrix_synapse_admin_docker_image: "awesometechnologies/synapse-admin:0.4.1"
+matrix_synapse_admin_docker_image: "awesometechnologies/synapse-admin:0.5.0"
 matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}"

 # A list of extra arguments to pass to the container
--- a/roles/matrix-synapse/defaults/main.yml
+++ b/roles/matrix-synapse/defaults/main.yml
@ -5,7 +5,7 @@ matrix_synapse_enabled: true

 matrix_synapse_container_image_self_build: false

-matrix_synapse_docker_image: "matrixdotorg/synapse:v1.19.1"
+matrix_synapse_docker_image: "matrixdotorg/synapse:v1.20.1"
 matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"

 matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse"
--- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
+++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
@ -399,11 +399,10 @@ retention:
  #  min_lifetime: 1d
  #  max_lifetime: 1y

-  # Retention policy limits. If set, a user won't be able to send a
-  # 'm.room.retention' event which features a 'min_lifetime' or a 'max_lifetime'
-  # that's not within this range. This is especially useful in closed federations,
-  # in which server admins can make sure every federating server applies the same
-  # rules.
+  # Retention policy limits. If set, and the state of a room contains a
+  # 'm.room.retention' event in its state which contains a 'min_lifetime' or a
+  # 'max_lifetime' that's out of these bounds, Synapse will cap the room's policy
+  # to these limits when running purge jobs.
  #
  #allowed_lifetime_min: 1d
  #allowed_lifetime_max: 1y
@ -423,18 +422,19 @@ retention:
  # 'longest_max_lifetime' of '3d' will handle every room with a retention policy
  # which 'max_lifetime' is lower than or equal to three days.
  #
-  # The rationale for this per-job configuration is that some rooms might have a
-  # retention policy with a low 'max_lifetime', where history needs to be purged
-  # of outdated messages on a more frequent basis than for the rest of the rooms
-  # (e.g. every 12h), but not want that purge to be performed by a job that's
-  # iterating over every room it knows, which could be heavy on the server.
+  # If any purge job is configured, it is strongly recommended to have at least
+  # a single job with neither 'shortest_max_lifetime' nor 'longest_max_lifetime'
+  # set, or one job without 'shortest_max_lifetime' and one job without
+  # 'longest_max_lifetime' set. Otherwise some rooms might be ignored, even if
+  # 'allowed_lifetime_min' and 'allowed_lifetime_max' are set, because capping a
+  # room's policy to these values is done after the policies are retrieved from
+  # Synapse's database (which is done using the range specified in a purge job's
+  # configuration).
  #
  #purge_jobs:
-  #  - shortest_max_lifetime: 1d
-  #    longest_max_lifetime: 3d
+  #  - longest_max_lifetime: 3d
  #    interval: 12h
  #  - shortest_max_lifetime: 3d
-  #    longest_max_lifetime: 1y
  #    interval: 1d

 # Inhibits the /requestToken endpoints from returning an error that might leak
@ -1957,9 +1957,7 @@ email:
  # Directory in which Synapse will try to find the template files below.
  # If not set, default templates from within the Synapse package will be used.
  #
-  # DO NOT UNCOMMENT THIS SETTING unless you want to customise the templates.
-  # If you *do* uncomment it, you will need to make sure that all the templates
-  # below are in the directory.
+  # Do not uncomment this setting unless you want to customise the templates.
  #
  # Synapse will look for the following templates in this directory:
  #