Announce appservice-double-puppet

Shared Secret Auth double puppeting still works for this bridge, but
is deprecated and will go away in the future.

CHANGELOG.md

@@ -1,3 +1,26 @@
+# 2024-08-17
+
+## New appservice-double-puppet service for better double-puppeting
+
+Mautrix bridges are undergoing large changes as announced in the [August 2024 releases & progress](https://mau.fi/blog/2024-08-mautrix-release/) blog post.
+
+The playbook has already upgraded to the rewritten mautrix-slack ([v0.1.0](https://github.com/mautrix/slack/releases/tag/v0.1.0)) and mautrix-signal ([v0.7.0](https://github.com/mautrix/signal/releases/tag/v0.7.0)) bridges.
+
+The newly rewritten bridges do not support double-puppeting via [Shared Secret Auth](./docs/configuring-playbook-shared-secret-auth.md) anymore, which has prompted us to switch to the new & better [appservice method](https://docs.mau.fi/bridges/general/double-puppeting.html#appservice-method-new) for double-puppeting. The playbook automates this double-puppeting setup for you if you enable the new [Appservice Double Puppet](./docs/configuring-playbook-appservice-double-puppet.md) service.
+
+All non-deprecated mautrix bridges in the playbook have been reworked to support double-puppeting via an Appservice. Most bridges still support double-puppeting via [Shared Secret Auth](./docs/configuring-playbook-shared-secret-auth.md), so the playbook supports it too. If only Shared Secret Auth is enabled, double-puppeting will be configured using that method (for the bridges that support it). That said, **Shared Secret Auth double-puppeting is being phased out and we recommend replacing it with the new Appservice method**.
+
+We recommend **enabling double-puppeting via the new Appservice method** by adding the following configuration to your `vars.yml` file:
+
+```yml
+matrix_appservice_double_puppet_enabled: true
+```
+
+You can still **keep** [Shared Secret Auth](./docs/configuring-playbook-shared-secret-auth.md) enabled. Non-mautrix bridges and other services (e.g. [matrix-corporal](./docs/configuring-playbook-matrix-corporal.md)) may still require it.
+
+When both double-puppeting methods are enabled, the playbook will automatically choose the new and better Appservice method for bridges that support it.
+
+
 # 2024-08-15
 
 ## matrix-media-repo now configured for Authenticated Media

docs/configuring-playbook-appservice-double-puppet.md

@@ -0,0 +1,15 @@
+# Setting up Appservice Double Puppet (optional)
+
+Appservice Double Puppet is a homeserver appservice through which bridges (and potentially other services) can impersonate any user on the homeserver.
+
+This is useful for performing [double-puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) via the [appservice method](https://docs.mau.fi/bridges/general/double-puppeting.html#appservice-method-new). The Appservice Double Puppet service is an implementation of this approach.
+
+Previously, bridges supported performing [double-puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) with the help of the [Shared Secret Auth password provider module](./configuring-playbook-shared-secret-auth.md), but this old and hacky solution has been superseded by this Appservice Double Puppet method.
+
+To enable the Appservice Double Puppet service, adjust your `vars.yml` configuration like this and [re-run the playbook](./installing.md) (`just install-all`):
+
+```yml
+matrix_appservice_double_puppet_enabled: true
+```
+
+When enabled, double puppeting will automatically be enabled for all bridges that support double puppeting via the appservice method.

docs/configuring-playbook-bridge-beeper-linkedin.md

@@ -30,11 +30,13 @@ matrix_beeper_linkedin_configuration_extension_yaml: |
 You may wish to look at `roles/custom/matrix-bridge-beeper-linkedin/templates/config.yaml.j2` to find other things you would like to configure.
 
 
-## Set up Double Puppeting
+## Set up Double Puppeting by enabling Appservice Double Puppet or Shared Secret Auth
 
-If you'd like to use [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do), you have to enable Shared Secred Auth.
+The bridge will automatically perform Double Puppeting if you enable the [Appservice Double Puppet](configuring-playbook-appservice-double-puppet.md) service or the [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) service for this playbook.
 
-The bridge will automatically perform Double Puppeting if you enable [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) for this playbook.
+Enabling [Appservice Double Puppet](configuring-playbook-appservice-double-puppet.md) is the recommended way of setting up Double Puppeting, as it's easier to accomplish, works for all your users automatically, and has less of a chance of breaking in the future.
+
+Enabling double puppeting by enabling the [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) service works at the time of writing, but is deprecated and will stop working in the future.
 
 
 ## Usage

docs/configuring-playbook-bridge-mautrix-discord.md

@@ -44,11 +44,13 @@ Take a look at:
 
 If you'd like to use [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do), you have 2 ways of going about it.
 
-#### Method 1: automatically, by enabling Shared Secret Auth
+#### Method 1: automatically, by enabling Appservice Double Puppet or Shared Secret Auth
 
-The bridge will automatically perform Double Puppeting if you enable [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) for this playbook.
+The bridge will automatically perform Double Puppeting if you enable the [Appservice Double Puppet](configuring-playbook-appservice-double-puppet.md) service or the [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) service for this playbook.
 
-This is the recommended way of setting up Double Puppeting, as it's easier to accomplish, works for all your users automatically, and has less of a chance of breaking in the future.
+Enabling [Appservice Double Puppet](configuring-playbook-appservice-double-puppet.md) is the recommended way of setting up Double Puppeting, as it's easier to accomplish, works for all your users automatically, and has less of a chance of breaking in the future.
+
+Enabling double puppeting by enabling the [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) service works at the time of writing, but is deprecated and will stop working in the future.
 
 #### Method 2: manually, by asking each user to provide a working access token
 

docs/configuring-playbook-bridge-mautrix-gmessages.md

@@ -14,11 +14,13 @@ matrix_mautrix_gmessages_enabled: true
 
 If you'd like to use [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do), you have 2 ways of going about it.
 
-### Method 1: automatically, by enabling Shared Secret Auth
+### Method 1: automatically, by enabling Appservice Double Puppet or Shared Secret Auth
 
-The bridge will automatically perform Double Puppeting if you enable [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) for this playbook.
+The bridge will automatically perform Double Puppeting if you enable the [Appservice Double Puppet](configuring-playbook-appservice-double-puppet.md) service or the [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) service for this playbook.
 
-This is the recommended way of setting up Double Puppeting, as it's easier to accomplish, works for all your users automatically, and has less of a chance of breaking in the future.
+Enabling [Appservice Double Puppet](configuring-playbook-appservice-double-puppet.md) is the recommended way of setting up Double Puppeting, as it's easier to accomplish, works for all your users automatically, and has less of a chance of breaking in the future.
+
+Enabling double puppeting by enabling the [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) service works at the time of writing, but is deprecated and will stop working in the future.
 
 ### Method 2: manually, by asking each user to provide a working access token
 

docs/configuring-playbook-bridge-mautrix-googlechat.md

@@ -16,11 +16,13 @@ matrix_mautrix_googlechat_enabled: true
 
 If you'd like to use [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do), you have 2 ways of going about it.
 
-### Method 1: automatically, by enabling Shared Secret Auth
+### Method 1: automatically, by enabling Appservice Double Puppet or Shared Secret Auth
 
-The bridge will automatically perform Double Puppeting if you enable [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) for this playbook.
+The bridge will automatically perform Double Puppeting if you enable the [Appservice Double Puppet](configuring-playbook-appservice-double-puppet.md) service or the [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) service for this playbook.
 
-This is the recommended way of setting up Double Puppeting, as it's easier to accomplish, works for all your users automatically, and has less of a chance of breaking in the future.
+Enabling [Appservice Double Puppet](configuring-playbook-appservice-double-puppet.md) is the recommended way of setting up Double Puppeting, as it's easier to accomplish, works for all your users automatically, and has less of a chance of breaking in the future.
+
+Enabling double puppeting by enabling the [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) service works at the time of writing, but is deprecated and will stop working in the future.
 
 
 ### Method 2: manually, by asking each user to provide a working access token

docs/configuring-playbook-bridge-mautrix-meta-instagram.md

@@ -66,11 +66,13 @@ You may wish to look at `roles/custom/matrix-bridge-mautrix-meta-instagram/templ
 
 If you'd like to use [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do), you have 2 ways of going about it.
 
-### Method 1: automatically, by enabling Shared Secret Auth
+### Method 1: automatically, by enabling Appservice Double Puppet or Shared Secret Auth
 
-The bridge will automatically perform Double Puppeting if you enable [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) for this playbook.
+The bridge will automatically perform Double Puppeting if you enable the [Appservice Double Puppet](configuring-playbook-appservice-double-puppet.md) service or the [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) service for this playbook.
 
-This is the recommended way of setting up Double Puppeting, as it's easier to accomplish, works for all your users automatically, and has less of a chance of breaking in the future.
+Enabling [Appservice Double Puppet](configuring-playbook-appservice-double-puppet.md) is the recommended way of setting up Double Puppeting, as it's easier to accomplish, works for all your users automatically, and has less of a chance of breaking in the future.
+
+Enabling double puppeting by enabling the [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) service works at the time of writing, but is deprecated and will stop working in the future.
 
 ### Method 2: manually, by asking each user to provide a working access token
 

docs/configuring-playbook-bridge-mautrix-meta-messenger.md

@@ -77,11 +77,13 @@ You may wish to look at `roles/custom/matrix-bridge-mautrix-meta-messenger/templ
 
 If you'd like to use [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do), you have 2 ways of going about it.
 
-### Method 1: automatically, by enabling Shared Secret Auth
+### Method 1: automatically, by enabling Appservice Double Puppet or Shared Secret Auth
 
-The bridge will automatically perform Double Puppeting if you enable [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) for this playbook.
+The bridge will automatically perform Double Puppeting if you enable the [Appservice Double Puppet](configuring-playbook-appservice-double-puppet.md) service or the [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) service for this playbook.
 
-This is the recommended way of setting up Double Puppeting, as it's easier to accomplish, works for all your users automatically, and has less of a chance of breaking in the future.
+Enabling [Appservice Double Puppet](configuring-playbook-appservice-double-puppet.md) is the recommended way of setting up Double Puppeting, as it's easier to accomplish, works for all your users automatically, and has less of a chance of breaking in the future.
+
+Enabling double puppeting by enabling the [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) service works at the time of writing, but is deprecated and will stop working in the future.
 
 ### Method 2: manually, by asking each user to provide a working access token
 

docs/configuring-playbook-bridge-mautrix-signal.md

@@ -56,9 +56,9 @@ You may wish to look at `roles/custom/matrix-bridge-mautrix-signal/templates/con
 
 If you'd like to use [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do), you have 2 ways of going about it.
 
-### Method 1: automatically, by enabling Shared Secret Auth
+### Method 1: automatically, by enabling Appservice Double Puppet
 
-The bridge will automatically perform Double Puppeting if you enable [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) for this playbook.
+The bridge will automatically perform Double Puppeting if you enable the [Appservice Double Puppet](configuring-playbook-appservice-double-puppet.md) service for this playbook.
 
 This is the recommended way of setting up Double Puppeting, as it's easier to accomplish, works for all your users automatically, and has less of a chance of breaking in the future.
 

docs/configuring-playbook-bridge-mautrix-slack.md

@@ -47,9 +47,9 @@ Take a look at:
 
 If you'd like to use [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do), you have 2 ways of going about it.
 
-#### Method 1: automatically, by enabling Shared Secret Auth
+#### Method 1: automatically, by enabling Appservice Double Puppet
 
-The bridge will automatically perform Double Puppeting if you enable [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) for this playbook.
+The bridge will automatically perform Double Puppeting if you enable the [Appservice Double Puppet](configuring-playbook-appservice-double-puppet.md) service for this playbook.
 
 This is the recommended way of setting up Double Puppeting, as it's easier to accomplish, works for all your users automatically, and has less of a chance of breaking in the future.
 

docs/configuring-playbook-bridge-mautrix-telegram.md

@@ -16,11 +16,13 @@ matrix_mautrix_telegram_api_hash: YOUR_TELEGRAM_API_HASH
 
 If you'd like to use [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do), you have 2 ways of going about it.
 
-### Method 1: automatically, by enabling Shared Secret Auth
+### Method 1: automatically, by enabling Appservice Double Puppet or Shared Secret Auth
 
-The bridge will automatically perform Double Puppeting if you enable [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) for this playbook.
+The bridge will automatically perform Double Puppeting if you enable the [Appservice Double Puppet](configuring-playbook-appservice-double-puppet.md) service or the [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) service for this playbook.
 
-This is the recommended way of setting up Double Puppeting, as it's easier to accomplish, works for all your users automatically, and has less of a chance of breaking in the future.
+Enabling [Appservice Double Puppet](configuring-playbook-appservice-double-puppet.md) is the recommended way of setting up Double Puppeting, as it's easier to accomplish, works for all your users automatically, and has less of a chance of breaking in the future.
+
+Enabling double puppeting by enabling the [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) service works at the time of writing, but is deprecated and will stop working in the future.
 
 ### Method 2: manually, by asking each user to provide a working access token
 

docs/configuring-playbook-bridge-mautrix-twitter.md

@@ -15,11 +15,13 @@ matrix_mautrix_twitter_enabled: true
 
 If you'd like to use [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do), you have 2 ways of going about it.
 
-### Method 1: automatically, by enabling Shared Secret Auth
+### Method 1: automatically, by enabling Appservice Double Puppet or Shared Secret Auth
 
-The bridge will automatically perform Double Puppeting if you enable [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) for this playbook.
+The bridge will automatically perform Double Puppeting if you enable the [Appservice Double Puppet](configuring-playbook-appservice-double-puppet.md) service or the [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) service for this playbook.
 
-This is the recommended way of setting up Double Puppeting, as it's easier to accomplish, works for all your users automatically, and has less of a chance of breaking in the future.
+Enabling [Appservice Double Puppet](configuring-playbook-appservice-double-puppet.md) is the recommended way of setting up Double Puppeting, as it's easier to accomplish, works for all your users automatically, and has less of a chance of breaking in the future.
+
+Enabling double puppeting by enabling the [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) service works at the time of writing, but is deprecated and will stop working in the future.
 
 ### Method 2: manually, by asking each user to provide a working access token
 

docs/configuring-playbook-bridge-mautrix-whatsapp.md

@@ -8,7 +8,7 @@ Use the following playbook configuration:
 
 ```yaml
 matrix_mautrix_whatsapp_enabled: true
-``` 
+```
 Whatsapp multidevice beta is required, now it is enough if Whatsapp is connected to the Internet every 2 weeks.
 
 The relay bot functionality is off by default. If you would like to enable the relay bot, add the following to your `vars.yml` file:
@@ -28,11 +28,13 @@ Use `!wa unset-relay` to deactivate.
 
 If you'd like to use [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do), you have 2 ways of going about it.
 
-### Method 1: automatically, by enabling Shared Secret Auth
+### Method 1: automatically, by enabling Appservice Double Puppet or Shared Secret Auth
 
-The bridge will automatically perform Double Puppeting if you enable [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) for this playbook.
+The bridge will automatically perform Double Puppeting if you enable the [Appservice Double Puppet](configuring-playbook-appservice-double-puppet.md) service or the [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) service for this playbook.
 
-This is the recommended way of setting up Double Puppeting, as it's easier to accomplish, works for all your users automatically, and has less of a chance of breaking in the future.
+Enabling [Appservice Double Puppet](configuring-playbook-appservice-double-puppet.md) is the recommended way of setting up Double Puppeting, as it's easier to accomplish, works for all your users automatically, and has less of a chance of breaking in the future.
+
+Enabling double puppeting by enabling the [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) service works at the time of writing, but is deprecated and will stop working in the future.
 
 ### Method 2: manually, by asking each user to provide a working access token
 

docs/configuring-playbook-mautrix-bridges.md

@@ -96,19 +96,14 @@ You may wish to look at `roles/custom/matrix-bridge-mautrix-SERVICENAME/template
 
 ## Set up Double Puppeting
 
-To set up  [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html)
-
-please do so automatically, by enabling Shared Secret Auth
+To set up [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) enable the [Appservice Double Puppet](configuring-playbook-appservice-double-puppet.md) service for this playbook.
 
 The bridge will automatically perform Double Puppeting if you enable [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) for this playbook by adding
 
 ```yaml
-matrix_synapse_ext_password_provider_shared_secret_auth_enabled: true
-matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: YOUR_SHARED_SECRET_GOES_HERE
+matrix_appservice_double_puppet_enabled: true
 ```
 
-You should generate a strong shared secret with a command like this: pwgen -s 64 1
-
 This is the recommended way of setting up Double Puppeting, as it's easier to accomplish, works for all your users automatically, and has less of a chance of breaking in the future.
 
 ## Controlling the logging level
@@ -117,7 +112,7 @@ This is the recommended way of setting up Double Puppeting, as it's easier to ac
 matrix_mautrix_SERVICENAME_logging_level: WARN
 ```
 
-to `vars.yml` to control the logging level, where you may replace WARN with one of the following to control the verbosity of the logs generated:     TRACE, DEBUG, INFO, WARN, ERROR, or FATAL.
+to `vars.yml` to control the logging level, where you may replace WARN with one of the following to control the verbosity of the logs generated: TRACE, DEBUG, INFO, WARN, ERROR, or FATAL.
 
 If you have issues with a service, and are requesting support, the higher levels of logging will generally be more helpful.
 

docs/configuring-playbook.md

@@ -89,6 +89,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins
 
 ### Authentication and user-related
 
+- [Setting up Appservice Double Puppet](configuring-playbook-appservice-double-puppet.md) (optional)
+
 - [Setting up an ma1sd Identity Server](configuring-playbook-ma1sd.md) (optional)
 
 - [Setting up Synapse Admin](configuring-playbook-synapse-admin.md) (optional)

group_vars/matrix_servers

@@ -84,6 +84,8 @@ matrix_homeserver_container_extra_arguments_auto: |
     +
     (['--mount type=bind,src=' + matrix_appservice_draupnir_for_all_config_path + '/draupnir-for-all-registration.yaml,dst=/matrix-appservice-draupnir-for-all-registration.yaml,ro'] if matrix_appservice_draupnir_for_all_enabled else [])
     +
+    (['--mount type=bind,src=' + matrix_appservice_double_puppet_config_path + '/registration.yaml,dst=/matrix-appservice-double-puppet-registration.yaml,ro'] if matrix_appservice_double_puppet_enabled else [])
+    +
     (['--mount type=bind,src=' + matrix_appservice_irc_config_path + '/registration.yaml,dst=/matrix-appservice-irc-registration.yaml,ro'] if matrix_appservice_irc_enabled else [])
     +
     (['--mount type=bind,src=' + matrix_appservice_kakaotalk_config_path + '/registration.yaml,dst=/matrix-appservice-kakaotalk-registration.yaml,ro'] if matrix_appservice_kakaotalk_enabled else [])
@@ -155,6 +157,8 @@ matrix_homeserver_app_service_config_files_auto: |
     +
     (['/matrix-appservice-draupnir-for-all-registration.yaml'] if matrix_appservice_draupnir_for_all_enabled else [])
     +
+    (['/matrix-appservice-double-puppet-registration.yaml'] if matrix_appservice_double_puppet_enabled else [])
+    +
     (['/matrix-appservice-irc-registration.yaml'] if matrix_appservice_irc_enabled else [])
     +
     (['/matrix-appservice-kakaotalk-registration.yaml'] if matrix_appservice_kakaotalk_enabled else [])
@@ -898,7 +902,16 @@ matrix_beeper_linkedin_appservice_token: "{{ '%s' | format(matrix_homeserver_gen
 matrix_beeper_linkedin_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
 matrix_beeper_linkedin_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'linked.hs.token', rounds=655555) | to_uuid }}"
 
-matrix_beeper_linkedin_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
+matrix_beeper_linkedin_login_shared_secret: |-
+  {{
+    ("as_token:" + matrix_appservice_double_puppet_registration_as_token)
+    if matrix_appservice_double_puppet_enabled
+    else (
+      matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled
+      if matrix_synapse_ext_password_provider_shared_secret_auth_enabled
+      else ""
+    )
+  }}
 
 matrix_beeper_linkedin_bridge_presence: "{{ matrix_synapse_presence_enabled if matrix_synapse_enabled else true }}"
 
@@ -995,7 +1008,18 @@ matrix_mautrix_discord_homeserver_address: "{{ matrix_addons_homeserver_client_a
 matrix_mautrix_discord_homeserver_public_address: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}://{{ matrix_server_fqn_matrix }}"
 matrix_mautrix_discord_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'maudisc.hs.tok', rounds=655555) | to_uuid }}"
 
-matrix_mautrix_discord_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
+matrix_mautrix_discord_bridge_login_shared_secret_map_auto: |-
+  {{
+    ({
+      matrix_mautrix_discord_homeserver_domain: ("as_token:" + matrix_appservice_double_puppet_registration_as_token)
+    })
+    if matrix_appservice_double_puppet_enabled
+    else (
+      {matrix_mautrix_discord_homeserver_domain: matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret}
+      if matrix_synapse_ext_password_provider_shared_secret_auth_enabled
+      else {}
+    )
+  }}
 
 # Postgres is the default, except if not using internal Postgres server
 matrix_mautrix_discord_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}"
@@ -1043,13 +1067,23 @@ matrix_mautrix_slack_appservice_token: "{{ '%s' | format(matrix_homeserver_gener
 matrix_mautrix_slack_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
 matrix_mautrix_slack_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mauslack.hs.tok', rounds=655555) | to_uuid }}"
 
-matrix_mautrix_slack_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
+matrix_mautrix_slack_double_puppet_secrets_auto: |-
+  {{
+    {
+      matrix_mautrix_slack_homeserver_domain: ("as_token:" + matrix_appservice_double_puppet_registration_as_token)
+    }
+    if matrix_appservice_double_puppet_enabled
+    else {}
+  }}
 
 # Postgres is the default, except if not using internal Postgres server
 matrix_mautrix_slack_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}"
 matrix_mautrix_slack_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}"
 matrix_mautrix_slack_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mauslack.db', rounds=655555) | to_uuid }}"
 
+matrix_mautrix_slack_provisioning_shared_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.slack.prov', rounds=655555) | to_uuid }}"
+matrix_mautrix_slack_public_media_signing_key: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.slack.pmed', rounds=655555) | to_uuid }}"
+
 ######################################################################
 #
 # /matrix-bridge-mautrix-slack
@@ -1179,7 +1213,16 @@ matrix_mautrix_googlechat_appservice_token: "{{ '%s' | format(matrix_homeserver_
 matrix_mautrix_googlechat_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
 matrix_mautrix_googlechat_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'gc.hs.token', rounds=655555) | to_uuid }}"
 
-matrix_mautrix_googlechat_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
+matrix_mautrix_googlechat_login_shared_secret: |-
+  {{
+    ("as_token:" + matrix_appservice_double_puppet_registration_as_token)
+    if matrix_appservice_double_puppet_enabled
+    else (
+      matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled
+      if matrix_synapse_ext_password_provider_shared_secret_auth_enabled
+      else ""
+    )
+  }}
 
 matrix_mautrix_googlechat_metrics_enabled: "{{ prometheus_enabled or matrix_metrics_exposure_enabled }}"
 
@@ -1378,7 +1421,14 @@ matrix_mautrix_signal_homeserver_token: "{{ '%s' | format(matrix_homeserver_gene
 
 matrix_mautrix_signal_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'si.as.token', rounds=655555) | to_uuid }}"
 
-matrix_mautrix_signal_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
+matrix_mautrix_signal_double_puppet_secrets_auto: |-
+  {{
+    {
+      matrix_mautrix_signal_homeserver_domain: ("as_token:" + matrix_appservice_double_puppet_registration_as_token)
+    }
+    if matrix_appservice_double_puppet_enabled
+    else {}
+  }}
 
 matrix_mautrix_signal_metrics_enabled: "{{ prometheus_enabled or matrix_metrics_exposure_enabled }}"
 
@@ -1390,6 +1440,9 @@ matrix_mautrix_signal_database_engine: "{{ 'postgres' if devture_postgres_enable
 matrix_mautrix_signal_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}"
 matrix_mautrix_signal_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.signal.db', rounds=655555) | to_uuid }}"
 
+matrix_mautrix_signal_provisioning_shared_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.signal.prov', rounds=655555) | to_uuid }}"
+matrix_mautrix_signal_public_media_signing_key: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.signal.pmed', rounds=655555) | to_uuid }}"
+
 ######################################################################
 #
 # /matrix-bridge-mautrix-signal
@@ -1442,7 +1495,18 @@ matrix_mautrix_meta_messenger_homeserver_address: "{{ matrix_addons_homeserver_c
 
 matrix_mautrix_meta_messenger_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.meta.fb.hs', rounds=655555) | to_uuid }}"
 
-matrix_mautrix_meta_messenger_bridge_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
+matrix_mautrix_meta_messenger_bridge_login_shared_secret_map_auto: |-
+  {{
+    ({
+      matrix_mautrix_meta_messenger_homeserver_domain: ("as_token:" + matrix_appservice_double_puppet_registration_as_token)
+    })
+    if matrix_appservice_double_puppet_enabled
+    else (
+      {matrix_mautrix_meta_messenger_homeserver_domain: matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret}
+      if matrix_synapse_ext_password_provider_shared_secret_auth_enabled
+      else {}
+    )
+  }}
 
 matrix_mautrix_meta_messenger_metrics_enabled: "{{ prometheus_enabled or matrix_metrics_exposure_enabled }}"
 
@@ -1509,7 +1573,18 @@ matrix_mautrix_meta_instagram_homeserver_address: "{{ matrix_addons_homeserver_c
 
 matrix_mautrix_meta_instagram_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.meta.ig.hs', rounds=655555) | to_uuid }}"
 
-matrix_mautrix_meta_instagram_bridge_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
+matrix_mautrix_meta_instagram_bridge_login_shared_secret_map_auto: |-
+  {{
+    ({
+      matrix_mautrix_meta_instagram_homeserver_domain: ("as_token:" + matrix_appservice_double_puppet_registration_as_token)
+    })
+    if matrix_appservice_double_puppet_enabled
+    else (
+      {matrix_mautrix_meta_instagram_homeserver_domain: matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret}
+      if matrix_synapse_ext_password_provider_shared_secret_auth_enabled
+      else {}
+    )
+  }}
 
 matrix_mautrix_meta_instagram_metrics_enabled: "{{ prometheus_enabled or matrix_metrics_exposure_enabled }}"
 
@@ -1583,7 +1658,18 @@ matrix_mautrix_telegram_homeserver_domain: "{{ matrix_domain }}"
 matrix_mautrix_telegram_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
 matrix_mautrix_telegram_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'telegr.hs.token', rounds=655555) | to_uuid }}"
 
-matrix_mautrix_telegram_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
+matrix_mautrix_telegram_bridge_login_shared_secret_map_auto: |-
+  {{
+    ({
+      matrix_mautrix_telegram_homeserver_domain: ("as_token:" + matrix_appservice_double_puppet_registration_as_token)
+    })
+    if matrix_appservice_double_puppet_enabled
+    else (
+      {matrix_mautrix_telegram_homeserver_domain: matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret}
+      if matrix_synapse_ext_password_provider_shared_secret_auth_enabled
+      else {}
+    )
+  }}
 
 matrix_mautrix_telegram_metrics_enabled: "{{ prometheus_enabled or matrix_metrics_exposure_enabled }}"
 
@@ -1646,7 +1732,18 @@ matrix_mautrix_twitter_appservice_token: "{{ '%s' | format(matrix_homeserver_gen
 matrix_mautrix_twitter_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
 matrix_mautrix_twitter_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'twt.hs.token', rounds=655555) | to_uuid }}"
 
-matrix_mautrix_twitter_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
+matrix_mautrix_twitter_bridge_login_shared_secret_map_auto: |-
+  {{
+    ({
+      matrix_mautrix_twitter_homeserver_domain: ("as_token:" + matrix_appservice_double_puppet_registration_as_token)
+    })
+    if matrix_appservice_double_puppet_enabled
+    else (
+      {matrix_mautrix_twitter_homeserver_domain: matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret}
+      if matrix_synapse_ext_password_provider_shared_secret_auth_enabled
+      else {}
+    )
+  }}
 
 matrix_mautrix_twitter_metrics_enabled: "{{ prometheus_enabled or matrix_metrics_exposure_enabled }}"
 
@@ -1707,7 +1804,16 @@ matrix_mautrix_gmessages_appservice_token: "{{ '%s' | format(matrix_homeserver_g
 matrix_mautrix_gmessages_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
 matrix_mautrix_gmessages_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'gmessa.hs.token', rounds=655555) | to_uuid }}"
 
-matrix_mautrix_gmessages_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
+matrix_mautrix_gmessages_login_shared_secret: |-
+  {{
+    ("as_token:" + matrix_appservice_double_puppet_registration_as_token)
+    if matrix_appservice_double_puppet_enabled
+    else (
+      matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled
+      if matrix_synapse_ext_password_provider_shared_secret_auth_enabled
+      else ""
+    )
+  }}
 
 matrix_mautrix_gmessages_metrics_enabled: "{{ prometheus_enabled or matrix_metrics_exposure_enabled }}"
 
@@ -1871,7 +1977,18 @@ matrix_mautrix_whatsapp_appservice_token: "{{ '%s' | format(matrix_homeserver_ge
 matrix_mautrix_whatsapp_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
 matrix_mautrix_whatsapp_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'whats.hs.token', rounds=655555) | to_uuid }}"
 
-matrix_mautrix_whatsapp_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
+matrix_mautrix_whatsapp_bridge_login_shared_secret_map_auto: |-
+  {{
+    ({
+      matrix_mautrix_whatsapp_homeserver_domain: ("as_token:" + matrix_appservice_double_puppet_registration_as_token)
+    })
+    if matrix_appservice_double_puppet_enabled
+    else (
+      {matrix_mautrix_whatsapp_homeserver_domain: matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret}
+      if matrix_synapse_ext_password_provider_shared_secret_auth_enabled
+      else {}
+    )
+  }}
 
 matrix_mautrix_whatsapp_metrics_enabled: "{{ prometheus_enabled or matrix_metrics_exposure_enabled }}"
 
@@ -2885,6 +3002,24 @@ matrix_appservice_draupnir_for_all_database_password: "{{ '%s' | format(matrix_h
 ######################################################################
 
 
+######################################################################
+#
+# matrix-appservice-double-puppet
+#
+######################################################################
+
+matrix_appservice_double_puppet_enabled: false
+
+matrix_appservice_double_puppet_registration_as_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.doub.pup', rounds=655555) | to_uuid }}"
+matrix_appservice_double_puppet_registration_hs_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'hs.doub.pup', rounds=655555) | to_uuid }}"
+
+######################################################################
+#
+# /matrix-appservice-double-puppet
+#
+######################################################################
+
+
 ######################################################################
 #
 # matrix-pantalaimon

roles/custom/matrix-appservice-double-puppet/defaults/main.yml

@@ -0,0 +1,38 @@
+matrix_appservice_double_puppet_enabled: true
+
+matrix_appservice_double_puppet_base_path: "{{ matrix_base_data_path }}/appservice-double-puppet"
+matrix_appservice_double_puppet_config_path: "{{ matrix_appservice_double_puppet_base_path }}/config"
+
+matrix_appservice_double_puppet_registration_id: double-puppet
+matrix_appservice_double_puppet_registration_url: ~
+matrix_appservice_double_puppet_registration_as_token: ''
+matrix_appservice_double_puppet_registration_hs_token: ''
+matrix_appservice_double_puppet_registration_sender_localpart: appservice-double-puppet
+
+matrix_appservice_double_puppet_registration_namespace_user_regex: "{{ '@.*:' + (matrix_domain | regex_escape) }}"
+
+# Default matrix-appservice-double-puppet registration configuration template which covers the generic use case.
+# You can customize it by controlling the various variables inside it.
+#
+# For a more advanced customization, you can extend the default (see `matrix_appservice_double_puppet_registration_configuration_extension_yaml`)
+# or completely replace this variable with your own template.
+matrix_appservice_double_puppet_registration_configuration_yaml: "{{ lookup('template', 'templates/registration.yaml.j2') }}"
+
+matrix_appservice_double_puppet_registration_configuration_extension_yaml: |
+  # Your custom YAML configuration for matrix-appservice-double-puppet goes here.
+  # This configuration extends the default starting configuration (`matrix_appservice_double_puppet_registration_configuration_yaml`).
+  #
+  # You can override individual variables from the default configuration, or introduce new ones.
+  #
+  # If you need something more special, you can take full control by
+  # completely redefining `matrix_appservice_double_puppet_registration_configuration_yaml`.
+  #
+  # Example configuration extension follows:
+  #
+  # rate_limited: true
+
+matrix_appservice_double_puppet_registration_configuration_extension: "{{ matrix_appservice_double_puppet_registration_configuration_extension_yaml | from_yaml if matrix_appservice_double_puppet_registration_configuration_extension_yaml | from_yaml is mapping else {} }}"
+
+# Holds the final matrix-appservice-double-puppet configuration (a combination of the default and its extension).
+# You most likely don't need to touch this variable. Instead, see `matrix_appservice_double_puppet_registration_configuration_yaml`.
+matrix_appservice_double_puppet_registration_configuration: "{{ matrix_appservice_double_puppet_registration_configuration_yaml | from_yaml | combine(matrix_appservice_double_puppet_registration_configuration_extension, recursive=True) }}"

roles/custom/matrix-appservice-double-puppet/tasks/install.yml

@@ -0,0 +1,23 @@
+---
+
+- name: Ensure matrix-appservice-double-puppet paths exist
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - path: "{{ matrix_appservice_double_puppet_base_path }}"
+      when: true
+    - path: "{{ matrix_appservice_double_puppet_config_path }}"
+      when: true
+  when: item.when | bool
+
+- name: Ensure matrix-appservice-double-puppet registration configuration installed
+  ansible.builtin.copy:
+    content: "{{ matrix_appservice_double_puppet_registration_configuration | to_nice_yaml(indent=2, width=999999) }}"
+    dest: "{{ matrix_appservice_double_puppet_config_path }}/registration.yaml"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"

roles/custom/matrix-appservice-double-puppet/tasks/main.yml

@@ -0,0 +1,20 @@
+---
+
+- tags:
+    - setup-all
+    - setup-appservice-double-puppet
+    - install-all
+    - install-appservice-double-puppet
+  block:
+    - when: matrix_appservice_double_puppet_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
+
+    - when: matrix_appservice_double_puppet_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml"
+
+- tags:
+    - setup-all
+    - setup-appservice-double-puppet
+  block:
+    - when: not matrix_appservice_double_puppet_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml"

roles/custom/matrix-appservice-double-puppet/tasks/uninstall.yml

@@ -0,0 +1,6 @@
+---
+
+- name: Ensure matrix-appservice-double-puppet paths don't exist
+  ansible.builtin.file:
+    path: "{{ matrix_appservice_double_puppet_base_path }}"
+    state: absent

roles/custom/matrix-appservice-double-puppet/tasks/validate_config.yml

@@ -0,0 +1,10 @@
+---
+- name: Fail if required matrix-appservice-double-puppet settings not defined
+  ansible.builtin.fail:
+    msg: >
+      You need to define a required configuration setting (`{{ item.name }}`).
+  when: "item.when | bool and vars[item.name] == ''"
+  with_items:
+    - {'name': 'matrix_appservice_double_puppet_registration_as_token', when: true}
+    - {'name': 'matrix_appservice_double_puppet_registration_as_token', when: true}
+    - {'name': 'matrix_appservice_double_puppet_registration_sender_localpart', when: true}

roles/custom/matrix-appservice-double-puppet/templates/registration.yaml.j2

@@ -0,0 +1,21 @@
+# The ID doesn't really matter, put whatever you want.
+id: {{ matrix_appservice_double_puppet_registration_id | to_json }}
+# The URL is intentionally left empty (null), as the homeserver shouldn't
+# push events anywhere for this extra appservice. If you use a
+# non-spec-compliant server, you may need to put some fake URL here.
+url: {{ matrix_appservice_double_puppet_registration_url | to_json }}
+# Generate random strings for these three fields. Only the as_token really
+# matters, hs_token is never used because there's no url, and the default
+# user (sender_localpart) is never used either.
+as_token: {{ matrix_appservice_double_puppet_registration_as_token | to_json }}
+hs_token: {{ matrix_appservice_double_puppet_registration_hs_token | to_json }}
+sender_localpart: {{ matrix_appservice_double_puppet_registration_sender_localpart | to_json}}
+# Bridges don't like ratelimiting. This should only apply when using the
+# as_token, normal user tokens will still be ratelimited.
+rate_limited: false
+namespaces:
+  users:
+  # Replace your\.domain with your server name (escape dots for regex)
+  - regex: {{ matrix_appservice_double_puppet_registration_namespace_user_regex | to_json }}
+    # This must be false so the appservice doesn't take over all users completely.
+    exclusive: false

roles/custom/matrix-bridge-beeper-linkedin/defaults/main.yml

@@ -88,7 +88,7 @@ matrix_beeper_linkedin_appservice_database_uri: "{{
 }}"
 
 
-# Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth).
+# Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth) or Appservice Double Puppet.
 matrix_beeper_linkedin_login_shared_secret: ''
 
 # Specifies the default log level for all bridge loggers.

roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml

@@ -100,10 +100,9 @@ matrix_mautrix_discord_appservice_database_uri: "{{
 	}[matrix_mautrix_discord_database_engine]
 }}"
 
-# Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth).
-matrix_mautrix_discord_login_shared_secret: ''
-matrix_mautrix_discord_bridge_login_shared_secret_map:
-  "{{ {matrix_mautrix_discord_homeserver_domain: matrix_mautrix_discord_login_shared_secret} if matrix_mautrix_discord_login_shared_secret else {} }}"
+matrix_mautrix_discord_bridge_login_shared_secret_map: "{{ matrix_mautrix_discord_bridge_login_shared_secret_map_auto | combine(matrix_mautrix_discord_bridge_login_shared_secret_map_custom) }}"
+matrix_mautrix_discord_bridge_login_shared_secret_map_auto: {}
+matrix_mautrix_discord_bridge_login_shared_secret_map_custom: {}
 
 # Servers to always allow double puppeting from
 matrix_mautrix_discord_bridge_double_puppet_server_map:

roles/custom/matrix-bridge-mautrix-discord/tasks/validate_config.yml

@@ -12,3 +12,12 @@
     - {'name': 'matrix_mautrix_discord_homeserver_public_address', when: true}
     - {'name': 'matrix_mautrix_discord_container_network', when: true}
     - {'name': 'matrix_mautrix_discord_database_hostname', when: "{{ matrix_mautrix_discord_database_engine == 'postgres' }}"}
+
+- name: (Deprecation) Catch and report renamed settings
+  ansible.builtin.fail:
+    msg: >-
+      Your configuration contains a variable, which now has a different name.
+      Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
+  when: "item.old in vars"
+  with_items:
+    - {'old': 'matrix_mautrix_discord_login_shared_secret', 'new': '<removed>'}

roles/custom/matrix-bridge-mautrix-gmessages/defaults/main.yml

@@ -132,7 +132,7 @@ matrix_mautrix_gmessages_appservice_database_uri: "{{
 	}[matrix_mautrix_gmessages_database_engine]
 }}"
 
-# Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth).
+# Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth) or Appservice Double Puppet.
 matrix_mautrix_gmessages_login_shared_secret: ''
 matrix_mautrix_gmessages_bridge_login_shared_secret_map:
   "{{ {matrix_mautrix_gmessages_homeserver_domain: matrix_mautrix_gmessages_login_shared_secret} if matrix_mautrix_gmessages_login_shared_secret else {} }}"

roles/custom/matrix-bridge-mautrix-googlechat/defaults/main.yml

@@ -141,7 +141,7 @@ matrix_mautrix_googlechat_appservice_database: "{{
 }}"
 
 
-# Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth).
+# Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth) or Appservice Double Puppet.
 matrix_mautrix_googlechat_login_shared_secret: ''
 
 matrix_mautrix_googlechat_appservice_bot_username: googlechatbot

roles/custom/matrix-bridge-mautrix-meta-instagram/defaults/main.yml

@@ -214,10 +214,9 @@ matrix_mautrix_meta_instagram_bridge_encryption_allow_key_sharing: "{{ matrix_ma
 matrix_mautrix_meta_instagram_bridge_encryption_appservice: false
 matrix_mautrix_meta_instagram_bridge_encryption_require: false
 
-# Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth).
-matrix_mautrix_meta_instagram_bridge_login_shared_secret: ''
-
-matrix_mautrix_meta_instagram_bridge_login_shared_secret_map: "{{ {matrix_mautrix_meta_instagram_homeserver_domain: matrix_mautrix_meta_instagram_bridge_login_shared_secret} if matrix_mautrix_meta_instagram_bridge_login_shared_secret else {} }}"
+matrix_mautrix_meta_instagram_bridge_login_shared_secret_map: "{{ matrix_mautrix_meta_instagram_bridge_login_shared_secret_map_auto | combine(matrix_mautrix_meta_instagram_bridge_login_shared_secret_map_custom) }}"
+matrix_mautrix_meta_instagram_bridge_login_shared_secret_map_auto: {}
+matrix_mautrix_meta_instagram_bridge_login_shared_secret_map_custom: {}
 
 matrix_mautrix_meta_instagram_bridge_permissions: "{{ matrix_mautrix_meta_instagram_bridge_permissions_default | combine(matrix_mautrix_meta_instagram_bridge_permissions_custom) }}"
 

roles/custom/matrix-bridge-mautrix-meta-instagram/tasks/validate_config.yml

@@ -14,3 +14,12 @@
     - {'name': 'matrix_mautrix_meta_instagram_homeserver_address', when: true}
     - {'name': 'matrix_mautrix_meta_instagram_database_hostname', when: "{{ matrix_mautrix_meta_instagram_database_engine == 'postgres' }}"}
     - {'name': 'matrix_mautrix_meta_instagram_database_password', when: "{{ matrix_mautrix_meta_instagram_database_engine == 'postgres' }}"}
+
+- name: (Deprecation) Catch and report renamed settings
+  ansible.builtin.fail:
+    msg: >-
+      Your configuration contains a variable, which now has a different name.
+      Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
+  when: "item.old in vars"
+  with_items:
+    - {'old': 'matrix_mautrix_meta_instagram_bridge_login_shared_secret', 'new': '<removed>'}

roles/custom/matrix-bridge-mautrix-meta-messenger/defaults/main.yml

@@ -214,10 +214,9 @@ matrix_mautrix_meta_messenger_bridge_encryption_allow_key_sharing: "{{ matrix_ma
 matrix_mautrix_meta_messenger_bridge_encryption_appservice: false
 matrix_mautrix_meta_messenger_bridge_encryption_require: false
 
-# Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth).
-matrix_mautrix_meta_messenger_bridge_login_shared_secret: ''
-
-matrix_mautrix_meta_messenger_bridge_login_shared_secret_map: "{{ {matrix_mautrix_meta_messenger_homeserver_domain: matrix_mautrix_meta_messenger_bridge_login_shared_secret} if matrix_mautrix_meta_messenger_bridge_login_shared_secret else {} }}"
+matrix_mautrix_meta_messenger_bridge_login_shared_secret_map: "{{ matrix_mautrix_meta_messenger_bridge_login_shared_secret_map_auto | combine(matrix_mautrix_meta_messenger_bridge_login_shared_secret_map_custom) }}"
+matrix_mautrix_meta_messenger_bridge_login_shared_secret_map_auto: {}
+matrix_mautrix_meta_messenger_bridge_login_shared_secret_map_custom: {}
 
 matrix_mautrix_meta_messenger_bridge_permissions: "{{ matrix_mautrix_meta_messenger_bridge_permissions_default | combine(matrix_mautrix_meta_messenger_bridge_permissions_custom) }}"
 

roles/custom/matrix-bridge-mautrix-meta-messenger/tasks/validate_config.yml

@@ -14,3 +14,12 @@
     - {'name': 'matrix_mautrix_meta_messenger_homeserver_address', when: true}
     - {'name': 'matrix_mautrix_meta_messenger_database_hostname', when: "{{ matrix_mautrix_meta_messenger_database_engine == 'postgres' }}"}
     - {'name': 'matrix_mautrix_meta_messenger_database_password', when: "{{ matrix_mautrix_meta_messenger_database_engine == 'postgres' }}"}
+
+- name: (Deprecation) Catch and report renamed settings
+  ansible.builtin.fail:
+    msg: >-
+      Your configuration contains a variable, which now has a different name.
+      Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
+  when: "item.old in vars"
+  with_items:
+    - {'old': 'matrix_mautrix_meta_messenger_bridge_login_shared_secret', 'new': '<removed>'}

roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml

@@ -9,7 +9,7 @@ matrix_mautrix_signal_container_image_self_build_repo: "https://mau.dev/mautrix/
 matrix_mautrix_signal_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_signal_version == 'latest' else matrix_mautrix_signal_version }}"
 
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/signal
-matrix_mautrix_signal_version: v0.6.3
+matrix_mautrix_signal_version: v0.7.0
 
 # See: https://mau.dev/mautrix/signal/container_registry
 matrix_mautrix_signal_docker_image: "{{ matrix_mautrix_signal_docker_image_name_prefix }}mautrix/signal:{{ matrix_mautrix_signal_docker_image_tag }}"
@@ -145,14 +145,9 @@ matrix_mautrix_signal_appservice_database_uri: "{{
 	}[matrix_mautrix_signal_database_engine]
 }}"
 
-# Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth).
-matrix_mautrix_signal_login_shared_secret: ''
-matrix_mautrix_signal_bridge_login_shared_secret_map:
-  "{{ {matrix_mautrix_signal_homeserver_domain: matrix_mautrix_signal_login_shared_secret} if matrix_mautrix_signal_login_shared_secret else {} }}"
-
-# Servers to always allow double puppeting from
-matrix_mautrix_signal_bridge_double_puppet_server_map:
-  "{{ matrix_mautrix_signal_homeserver_domain :  matrix_mautrix_signal_homeserver_address }}"
+matrix_mautrix_signal_double_puppet_secrets: "{{ matrix_mautrix_signal_double_puppet_secrets_auto | combine(matrix_mautrix_signal_double_puppet_secrets_custom) }}"
+matrix_mautrix_signal_double_puppet_secrets_auto: {}
+matrix_mautrix_signal_double_puppet_secrets_custom: {}
 
 # Default mautrix-signal configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
@@ -201,8 +196,7 @@ matrix_mautrix_signal_bridge_encryption_key_sharing_allow: "{{ matrix_mautrix_si
 
 matrix_mautrix_signal_bridge_personal_filtering_spaces: true
 
-# On conduit versions before 0.5.0 this option prevented users from joining spaces created by the bridge.
-# Setting this to false fixed the issue.
-matrix_mautrix_signal_bridge_restricted_rooms: true
+matrix_mautrix_signal_network_note_to_self_avatar: "mxc://maunium.net/REBIVrqjZwmaWpssCZpBlmlL"
 
-matrix_mautrix_signal_bridge_note_to_self_avatar: "mxc://maunium.net/REBIVrqjZwmaWpssCZpBlmlL"
+matrix_mautrix_signal_provisioning_shared_secret: ''
+matrix_mautrix_signal_public_media_signing_key: ''

roles/custom/matrix-bridge-mautrix-signal/tasks/validate_config.yml

@@ -22,3 +22,8 @@
   when: "item.old in vars"
   with_items:
     - {'old': 'matrix_mautrix_signal_log_level', 'new': 'matrix_mautrix_signal_logging_level'}
+    - {'old': 'matrix_mautrix_signal_bridge_restricted_rooms', 'new': '<removed>'}
+    - {'old': 'matrix_mautrix_signal_bridge_note_to_self_avatar', 'new': 'matrix_mautrix_signal_network_note_to_self_avatar'}
+    - {'old': 'matrix_mautrix_signal_login_shared_secret', 'new': '<removed>'}
+    - {'old': 'matrix_mautrix_signal_bridge_login_shared_secret_map', 'new': '<superseded by matrix_mautrix_signal_double_puppet_secrets>'}
+    - {'old': 'matrix_mautrix_signal_bridge_double_puppet_server_map', 'new': '<removed>'}

roles/custom/matrix-bridge-mautrix-signal/templates/config.yaml.j2

@@ -1,19 +1,162 @@
 #jinja2: lstrip_blocks: "True"
-# Homeserver details
+# Network-specific config options
+network:
+    # Displayname template for Signal users.
+    # {% raw %}
+    # {{.ProfileName}} - The Signal profile name set by the user.
+    # {{.ContactName}} - The name for the user from your phone's contact list. This is not safe on multi-user instances.
+    # {{.PhoneNumber}} - The phone number of the user.
+    # {{.UUID}} - The UUID of the Signal user.
+    # {{.AboutEmoji}} - The emoji set by the user in their profile.
+    # {% endraw %}
+    displayname_template: "{% raw %}{{or .ProfileName .PhoneNumber 'Unknown user'}} (Signal){% endraw %}"
+    # Should avatars from the user's contact list be used? This is not safe on multi-user instances.
+    use_contact_avatars: false
+    # Should the bridge request the user's contact list from the phone on startup?
+    sync_contacts_on_startup: true
+    # Should the bridge sync ghost user info even if profile fetching fails? This is not safe on multi-user instances.
+    use_outdated_profiles: false
+    # Should the Signal user's phone number be included in the room topic in private chat portal rooms?
+    number_in_topic: true
+    # Default device name that shows up in the Signal app.
+    device_name: mautrix-signal
+    # Avatar image for the Note to Self room.
+    note_to_self_avatar: {{ matrix_mautrix_signal_network_note_to_self_avatar | to_json }}
+    # Format for generating URLs from location messages for sending to Signal.
+    # Google Maps: 'https://www.google.com/maps/place/%[1]s,%[2]s'
+    # OpenStreetMap: 'https://www.openstreetmap.org/?mlat=%[1]s&mlon=%[2]s'
+    location_format: 'https://www.google.com/maps/place/%[1]s,%[2]s'
+
+# Config options that affect the central bridge module.
+bridge:
+    # The prefix for commands. Only required in non-management rooms.
+    command_prefix: {{ matrix_mautrix_signal_command_prefix | to_json }}
+    # Should the bridge create a space for each login containing the rooms that account is in?
+    personal_filtering_spaces: {{ matrix_mautrix_signal_bridge_personal_filtering_spaces | to_json }}
+    # Whether the bridge should set names and avatars explicitly for DM portals.
+    # This is only necessary when using clients that don't support MSC4171.
+    private_chat_portal_meta: true
+    # Should leaving Matrix rooms be bridged as leaving groups on the remote network?
+    bridge_matrix_leave: false
+    # Should room tags only be synced when creating the portal? Tags mean things like favorite/pin and archive/low priority.
+    # Tags currently can't be synced back to the remote network, so a continuous sync means tagging from Matrix will be undone.
+    tag_only_on_create: true
+    # Should room mute status only be synced when creating the portal?
+    # Like tags, mutes can't currently be synced back to the remote network.
+    mute_only_on_create: true
+    # What should be done to portal rooms when a user logs out or is logged out?
+    # Permitted values:
+    #   nothing - Do nothing, let the user stay in the portals
+    #   kick - Remove the user from the portal rooms, but don't delete them
+    #   unbridge - Remove all ghosts in the room and disassociate it from the remote chat
+    #   delete - Remove all ghosts and users from the room (i.e. delete it)
+    cleanup_on_logout:
+        # Should cleanup on logout be enabled at all?
+        enabled: false
+        # Settings for manual logouts (explicitly initiated by the Matrix user)
+        manual:
+            # Action for private portals which will never be shared with other Matrix users.
+            private: nothing
+            # Action for portals with a relay user configured.
+            relayed: nothing
+            # Action for portals which may be shared, but don't currently have any other Matrix users.
+            shared_no_users: nothing
+            # Action for portals which have other logged-in Matrix users.
+            shared_has_users: nothing
+        # Settings for credentials being invalidated (initiated by the remote network, possibly through user action).
+        # Keys have the same meanings as in the manual section.
+        bad_credentials:
+            private: nothing
+            relayed: nothing
+            shared_no_users: nothing
+            shared_has_users: nothing
+
+    # Settings for relay mode
+    relay:
+        # Whether relay mode should be allowed. If allowed, the set-relay command can be used to turn any
+        # authenticated user into a relaybot for that chat.
+        enabled: {{ matrix_mautrix_signal_bridge_relay_enabled | to_json }}
+        # Should only admins be allowed to set themselves as relay users?
+        # If true, non-admins can only set users listed in default_relays as relays in a room.
+        admin_only: {{ matrix_mautrix_signal_bridge_relay_admin_only | to_json }}
+        # List of user login IDs which anyone can set as a relay, as long as the relay user is in the room.
+        default_relays: []
+        # The formats to use when sending messages via the relaybot.
+        # Available variables:
+        #   .Sender.UserID - The Matrix user ID of the sender.
+        #   .Sender.Displayname - The display name of the sender (if set).
+        #   .Sender.RequiresDisambiguation - Whether the sender's name may be confused with the name of another user in the room.
+        #   .Sender.DisambiguatedName - The disambiguated name of the sender. This will be the displayname if set,
+        #                               plus the user ID in parentheses if the displayname is not unique.
+        #                               If the displayname is not set, this is just the user ID.
+        #   .Message - The `formatted_body` field of the message.
+        #   .Caption - The `formatted_body` field of the message, if it's a caption. Otherwise an empty string.
+        #   .FileName - The name of the file being sent.
+        message_formats:
+            m.text: "{% raw %}<b>{{ .Sender.DisambiguatedName }}</b>: {{ .Message }}{% endraw %}"
+            m.notice: "{% raw %}<b>{{ .Sender.DisambiguatedName }}</b>: {{ .Message }}{% endraw %}"
+            m.emote: "{% raw %}* <b>{{ .Sender.DisambiguatedName }}</b> {{ .Message }}{% endraw %}"
+            m.file: "{% raw %}<b>{{ .Sender.DisambiguatedName }}</b> sent a file{{ if .Caption }}: {{ .Caption }}{{ end }}{% endraw %}"
+            m.image: "{% raw %}<b>{{ .Sender.DisambiguatedName }}</b> sent an image{{ if .Caption }}: {{ .Caption }}{{ end }}{% endraw %}"
+            m.audio: "{% raw %}<b>{{ .Sender.DisambiguatedName }}</b> sent an audio file{{ if .Caption }}: {{ .Caption }}{{ end }}{% endraw %}"
+            m.video: "{% raw %}<b>{{ .Sender.DisambiguatedName }}</b> sent a video{{ if .Caption }}: {{ .Caption }}{{ end }}{% endraw %}"
+            m.location: "{% raw %}<b>{{ .Sender.DisambiguatedName }}</b> sent a location{{ if .Caption }}: {{ .Caption }}{{ end }}{% endraw %}"
+        # For networks that support per-message displaynames (i.e. Slack and Discord), the template for those names.
+        # This has all the Sender variables available under message_formats (but without the .Sender prefix).
+        # Note that you need to manually remove the displayname from message_formats above.
+        displayname_format: "{% raw %}{{ .DisambiguatedName }}{% endraw %}"
+
+    # Permissions for using the bridge.
+    # Permitted values:
+    #    relay - Talk through the relaybot (if enabled), no access otherwise
+    # commands - Access to use commands in the bridge, but not login.
+    #     user - Access to use the bridge with puppeting.
+    #    admin - Full access, user level with some additional administration tools.
+    # Permitted keys:
+    #        * - All Matrix users
+    #   domain - All users on that homeserver
+    #     mxid - Specific user
+    permissions: {{ matrix_mautrix_signal_bridge_permissions | to_json }}
+
+# Config for the bridge's database.
+database:
+    # The database type. "sqlite3-fk-wal" and "postgres" are supported.
+    type: {{ matrix_mautrix_signal_appservice_database_type | to_json }}
+    # The database URI.
+    #   SQLite: A raw file path is supported, but `file:<path>?_txlock=immediate` is recommended.
+    #           https://github.com/mattn/go-sqlite3#connection-string
+    #   Postgres: Connection string. For example, postgres://user:password@host/database?sslmode=disable
+    #             To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql
+    uri: {{ matrix_mautrix_signal_appservice_database_uri | to_json }}
+    # Maximum number of connections.
+    max_open_conns: 20
+    max_idle_conns: 2
+    # Maximum connection idle time and lifetime before they're closed. Disabled if null.
+    # Parsed with https://pkg.go.dev/time#ParseDuration
+    max_conn_idle_time: null
+    max_conn_lifetime: null
+
+# Homeserver details.
 homeserver:
     # The address that this appservice can use to connect to the homeserver.
-    address: {{ matrix_mautrix_signal_homeserver_address }}
-    # The domain of the homeserver (for MXIDs, etc).
-    domain: {{ matrix_mautrix_signal_homeserver_domain }}
+    # Local addresses without HTTPS are generally recommended when the bridge is running on the same machine,
+    # but https also works if they run on different machines.
+    address: {{ matrix_mautrix_signal_homeserver_address | to_json }}
+    # The domain of the homeserver (also known as server_name, used for MXIDs, etc).
+    domain: {{ matrix_mautrix_signal_homeserver_domain | to_json }}
 
     # What software is the homeserver running?
     # Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here.
     software: standard
     # The URL to push real-time bridge status to.
-    # If set, the bridge will make POST requests to this URL whenever a user's discord connection state changes.
+    # If set, the bridge will make POST requests to this URL whenever a user's remote network connection state changes.
     # The bridge will use the appservice as_token to authorize requests.
     status_endpoint: null
     # Endpoint for reporting per-message status.
+    # If set, the bridge will make POST requests to this URL when processing a message from Matrix.
+    # It will make one request when receiving the message (step BRIDGE), one after decrypting if applicable
+    # (step DECRYPTED) and one after sending to the remote network (step REMOTE). Errors will also be reported.
+    # The bridge will use the appservice as_token to authorize requests.
     message_send_checkpoint_endpoint: null
     # Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246?
     async_media: false
@@ -26,33 +169,20 @@ homeserver:
     ping_interval_seconds: 0
 
 # Application service host/registration related details.
-# Changing these values requires regeneration of the registration.
+# Changing these values requires regeneration of the registration (except when noted otherwise)
 appservice:
     # The address that the homeserver can use to connect to this appservice.
     address: {{ matrix_mautrix_signal_appservice_address | to_json }}
 
+    # A public address that external services can use to reach this appservice.
+    # This value doesn't affect the registration file.
+    public_address: ""
+
     # The hostname and port where this appservice should listen.
+    # For Docker, you generally have to change the hostname to 0.0.0.0.
     hostname: 0.0.0.0
     port: 8080
 
-    # Database config.
-    database:
-        # The database type. "sqlite3-fk-wal" and "postgres" are supported.
-        type: {{ matrix_mautrix_signal_appservice_database_type|to_json }}
-        # The database URI.
-        #   SQLite: A raw file path is supported, but `file:<path>?_txlock=immediate` is recommended.
-        #           https://github.com/mattn/go-sqlite3#connection-string
-        #   Postgres: Connection string. For example, postgres://user:password@host/database?sslmode=disable
-        #             To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql
-        uri: {{ matrix_mautrix_signal_appservice_database_uri|to_json }}
-        # Maximum number of connections. Mostly relevant for Postgres.
-        max_open_conns: 20
-        max_idle_conns: 2
-        # Maximum connection idle time and lifetime before they're closed. Disabled if null.
-        # Parsed with https://pkg.go.dev/time#ParseDuration
-        max_conn_idle_time: null
-        max_conn_lifetime: null
-
     # The unique ID of this appservice.
     id: signal
     # Appservice bot details.
@@ -64,242 +194,211 @@ appservice:
         displayname: signal bridge bot
         avatar: mxc://maunium.net/wPJgTQbZOtpBFmDNkiNEMDUp
 
-    # Whether or not to receive ephemeral events via appservice transactions.
-    # Requires MSC2409 support (i.e. Synapse 1.22+).
+    # Whether to receive ephemeral events via appservice transactions.
     ephemeral_events: true
-
     # Should incoming events be handled asynchronously?
     # This may be necessary for large public instances with lots of messages going through.
     # However, messages will not be guaranteed to be bridged in the same order they were sent in.
+    # This value doesn't affect the registration file.
     async_transactions: false
 
     # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
     as_token: {{ matrix_mautrix_signal_appservice_token | to_json }}
     hs_token: {{ matrix_mautrix_signal_homeserver_token | to_json }}
 
-# Prometheus config.
-metrics:
-    # Enable prometheus metrics?
-    enabled: {{ matrix_mautrix_signal_metrics_enabled | to_json }}
-    # IP and port where the metrics listener should be. The path is always /metrics
-    listen: 0.0.0.0:8000
-
-signal:
-    # Default device name that shows up in the Signal app.
-    device_name: mautrix-signal
-
-# Bridge config
-bridge:
-    # Localpart template of MXIDs for Signal users.
+    # Localpart template of MXIDs for remote users.
     # {{ '{{.}}' }} is replaced with the internal ID of the Signal user.
-    username_template: "{{ 'signal_{{.}}' }}"
-    # Displayname template for Signal users. This is also used as the room name in DMs if private_chat_portal_meta is enabled.
-    # {% raw %}
-    # {{.ProfileName}} - The Signal profile name set by the user.
-    # {{.ContactName}} - The name for the user from your phone's contact list. This is not safe on multi-user instances.
-    # {{.PhoneNumber}} - The phone number of the user.
-    # {{.UUID}} - The UUID of the Signal user.
-    # {{.AboutEmoji}} - The emoji set by the user in their profile.
-    # {% endraw %}
-    displayname_template: "{{ '{{or .ProfileName .PhoneNumber "Unknown user"}} (Signal)' }}"
-    # Whether to explicitly set the avatar and room name for private chat portal rooms.
-    # If set to `default`, this will be enabled in encrypted rooms and disabled in unencrypted rooms.
-    # If set to `always`, all DM rooms will have explicit names and avatars set.
-    # If set to `never`, DM rooms will never have names and avatars set.
-    private_chat_portal_meta: default
-    # Should avatars from the user's contact list be used? This is not safe on multi-user instances.
-    use_contact_avatars: false
-    # Should the Signal user's phone number be included in the room topic in private chat portal rooms?
-    number_in_topic: true
-    # Avatar image for the Note to Self room.
-    note_to_self_avatar: {{ matrix_mautrix_signal_bridge_note_to_self_avatar | to_json }}
+    username_template: "{% raw %}signal_{{.}}{% endraw %}"
 
-    portal_message_buffer: 128
-
-
-    # Should the bridge create a space for each logged-in user and add bridged rooms to it?
-    # Users who logged in before turning this on should run `!signal sync-space` to create and fill the space for the first time.
-    personal_filtering_spaces: {{ matrix_mautrix_signal_bridge_personal_filtering_spaces | to_json }}
-    # Should the bridge send a read receipt from the bridge bot when a message has been sent to Signal?
-    delivery_receipts: false
-    # Should Matrix m.notice-type messages be bridged?
-    bridge_notices: true
+# Config options that affect the Matrix connector of the bridge.
+matrix:
     # Whether the bridge should send the message status as a custom com.beeper.message_send_status event.
     message_status_events: false
+    # Whether the bridge should send a read receipt after successfully bridging a message.
+    delivery_receipts: false
     # Whether the bridge should send error notices via m.notice events when a message fails to bridge.
     message_error_notices: true
-    # Should the bridge update the m.direct account data event when double puppeting is enabled.
-    # Note that updating the m.direct event is not atomic (except with mautrix-asmux)
-    # and is therefore prone to race conditions.
+    # Whether the bridge should update the m.direct account data event when double puppeting is enabled.
     sync_direct_chat_list: false
-    # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run.
-    # This field will automatically be changed back to false after it, except if the config file is not writable.
-    resend_bridge_info: false
-    # Send captions in the same message as images. This will send data compatible with both MSC2530.
-    # This is currently not supported in most clients.
-    caption_in_message: false
-    # Whether or not created rooms should have federation enabled.
-    # If false, created portal rooms will never be federated.
-    federate_rooms: {{ matrix_mautrix_signal_federate_rooms|to_json }}
-    # Servers to always allow double puppeting from
-    double_puppet_server_map:
-        "{{ matrix_mautrix_signal_homeserver_domain }}": {{ matrix_mautrix_signal_homeserver_address }}
-    # Allow using double puppeting from any server with a valid client .well-known file.
-    double_puppet_allow_discovery: false
-    # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth
+    # Whether created rooms should have federation enabled. If false, created portal rooms
+    # will never be federated. Changing this option requires recreating rooms.
+    federate_rooms: {{ matrix_mautrix_signal_federate_rooms | to_json }}
+
+# Settings for provisioning API
+provisioning:
+    # Prefix for the provisioning API paths.
+    prefix: /_matrix/provision
+    # Shared secret for authentication. If set to "generate" or null, a random secret will be generated,
+    # or if set to "disable", the provisioning API will be disabled.
+    shared_secret: {{ matrix_mautrix_signal_provisioning_shared_secret | to_json }}
+    # Whether to allow provisioning API requests to be authed using Matrix access tokens.
+    # This follows the same rules as double puppeting to determine which server to contact to check the token,
+    # which means that by default, it only works for users on the same server as the bridge.
+    allow_matrix_auth: true
+    # Enable debug API at /debug with provisioning authentication.
+    debug_endpoints: false
+
+# Some networks require publicly accessible media download links (e.g. for user avatars when using Discord webhooks).
+# These settings control whether the bridge will provide such public media access.
+public_media:
+    # Should public media be enabled at all?
+    # The public_address field under the appservice section MUST be set when enabling public media.
+    enabled: false
+    # A key for signing public media URLs.
+    # If set to "generate", a random key will be generated.
+    signing_key: {{ matrix_mautrix_signal_public_media_signing_key | to_json }}
+    # Number of seconds that public media URLs are valid for.
+    # If set to 0, URLs will never expire.
+    expiry: 0
+    # Length of hash to use for public media URLs. Must be between 0 and 32.
+    hash_length: 32
+
+# Settings for converting remote media to custom mxc:// URIs instead of reuploading.
+# More details can be found at https://docs.mau.fi/bridges/go/discord/direct-media.html
+direct_media:
+    # Should custom mxc:// URIs be used instead of reuploading media?
+    enabled: false
+    # The server name to use for the custom mxc:// URIs.
+    # This server name will effectively be a real Matrix server, it just won't implement anything other than media.
+    # You must either set up .well-known delegation from this domain to the bridge, or proxy the domain directly to the bridge.
+    server_name: media.example.com
+    # Optionally a custom .well-known response. This defaults to `server_name:443`
+    well_known_response:
+    # Optionally specify a custom prefix for the media ID part of the MXC URI.
+    media_id_prefix:
+    # If the remote network supports media downloads over HTTP, then the bridge will use MSC3860/MSC3916
+    # media download redirects if the requester supports it. Optionally, you can force redirects
+    # and not allow proxying at all by setting this to false.
+    # This option does nothing if the remote network does not support media downloads over HTTP.
+    allow_proxy: true
+    # Matrix server signing key to make the federation tester pass, same format as synapse's .signing.key file.
+    # This key is also used to sign the mxc:// URIs to ensure only the bridge can generate them.
+    server_key: ""
+
+# Settings for backfilling messages.
+# Note that the exact way settings are applied depends on the network connector.
+# See https://docs.mau.fi/bridges/general/backfill.html for more details.
+backfill:
+    # Whether to do backfilling at all.
+    enabled: false
+    # Maximum number of messages to backfill in empty rooms.
+    max_initial_messages: 50
+    # Maximum number of missed messages to backfill after bridge restarts.
+    max_catchup_messages: 500
+    # If a backfilled chat is older than this number of hours,
+    # mark it as read even if it's unread on the remote network.
+    unread_hours_threshold: 720
+    # Settings for backfilling threads within other backfills.
+    threads:
+        # Maximum number of messages to backfill in a new thread.
+        max_initial_messages: 50
+    # Settings for the backwards backfill queue. This only applies when connecting to
+    # Beeper as standard Matrix servers don't support inserting messages into history.
+    queue:
+        # Should the backfill queue be enabled?
+        enabled: false
+        # Number of messages to backfill in one batch.
+        batch_size: 100
+        # Delay between batches in seconds.
+        batch_delay: 20
+        # Maximum number of batches to backfill per portal.
+        # If set to -1, all available messages will be backfilled.
+        max_batches: -1
+        # Optional network-specific overrides for max batches.
+        # Interpretation of this field depends on the network connector.
+        max_batches_override: {}
+
+# Settings for enabling double puppeting
+double_puppet:
+    # Servers to always allow double puppeting from.
+    # This is only for other servers and should NOT contain the server the bridge is on.
+    servers: {}
+    # Whether to allow client API URL discovery for other servers. When using this option,
+    # users on other servers can use double puppeting even if their server URLs aren't
+    # explicitly added to the servers map above.
+    allow_discovery: false
+    # Shared secrets for automatic double puppeting.
+    # See https://docs.mau.fi/bridges/general/double-puppeting.html for instructions.
+    secrets: {{ matrix_mautrix_signal_double_puppet_secrets | to_json }}
+
+# End-to-bridge encryption support options.
+#
+# See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info.
+encryption:
+    # Whether to enable encryption at all. If false, the bridge will not function in encrypted rooms.
+    allow: {{ matrix_mautrix_signal_bridge_encryption_allow | to_json }}
+    # Whether to force-enable encryption in all bridged rooms.
+    default: {{ matrix_mautrix_signal_bridge_encryption_default | to_json }}
+    # Whether to require all messages to be encrypted and drop any unencrypted messages.
+    require: false
+    # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.
+    # This option is not yet compatible with standard Matrix servers like Synapse and should not be used.
+    appservice: false
+    # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
+    # You must use a client that supports requesting keys from other users to use this feature.
+    allow_key_sharing: {{ matrix_mautrix_signal_bridge_encryption_key_sharing_allow | to_json }}
+    # Pickle key for encrypting encryption keys in the bridge database.
+    # If set to generate, a random key will be generated.
+    pickle_key: mautrix.bridge.e2ee
+    # Options for deleting megolm sessions from the bridge.
+    delete_keys:
+        # Beeper-specific: delete outbound sessions when hungryserv confirms
+        # that the user has uploaded the key to key backup.
+        delete_outbound_on_ack: false
+        # Don't store outbound sessions in the inbound table.
+        dont_store_outbound: false
+        # Ratchet megolm sessions forward after decrypting messages.
+        ratchet_on_decrypt: false
+        # Delete fully used keys (index >= max_messages) after decrypting messages.
+        delete_fully_used_on_decrypt: false
+        # Delete previous megolm sessions from same device when receiving a new one.
+        delete_prev_on_new_session: false
+        # Delete megolm sessions received from a device when the device is deleted.
+        delete_on_device_delete: false
+        # Periodically delete megolm sessions when 2x max_age has passed since receiving the session.
+        periodically_delete_expired: false
+        # Delete inbound megolm sessions that don't have the received_at field used for
+        # automatic ratcheting and expired session deletion. This is meant as a migration
+        # to delete old keys prior to the bridge update.
+        delete_outdated_inbound: false
+    # What level of device verification should be required from users?
     #
-    # If set, double puppeting will be enabled automatically for local users
-    # instead of users having to find an access token and run `login-matrix`
-    # manually.
-    login_shared_secret_map: {{ matrix_mautrix_signal_bridge_login_shared_secret_map|to_json }}
-
-    # Maximum time for handling Matrix events. Duration strings formatted for https://pkg.go.dev/time#ParseDuration
-    # Null means there's no enforced timeout.
-    message_handling_timeout:
-        # Send an error message after this timeout, but keep waiting for the response until the deadline.
-        # This is counted from the origin_server_ts, so the warning time is consistent regardless of the source of delay.
-        # If the message is older than this when it reaches the bridge, the message won't be handled at all.
-        error_after: null
-        # Drop messages after this timeout. They may still go through if the message got sent to the servers.
-        # This is counted from the time the bridge starts handling the message.
-        deadline: 120s
-
-    # The prefix for commands. Only required in non-management rooms.
-    command_prefix: "{{ matrix_mautrix_signal_command_prefix }}"
-    # Messages sent upon joining a management room.
-    # Markdown is supported. The defaults are listed below.
-    management_room_text:
-        # Sent when joining a room.
-        welcome: "Hello, I'm a Signal bridge bot."
-        # Sent when joining a management room and the user is already logged in.
-        welcome_connected: "Use `help` for help."
-        # Sent when joining a management room and the user is not logged in.
-        welcome_unconnected: "Use `help` for help or `login` to log in."
-        # Optional extra text sent when joining a management room.
-        additional_help: ""
-
-    # End-to-bridge encryption support options.
-    #
-    # See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info.
-    encryption:
-        # Allow encryption, work in group chat rooms with e2ee enabled
-        allow: {{ matrix_mautrix_signal_bridge_encryption_allow|to_json }}
-        # Default to encryption, force-enable encryption in all portals the bridge creates
-        # This will cause the bridge bot to be in private chats for the encryption to work properly.
-        default: {{ matrix_mautrix_signal_bridge_encryption_default|to_json }}
-        # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.
-        appservice: false
-        # Require encryption, drop any unencrypted messages.
-        require: false
-        # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
-        # You must use a client that supports requesting keys from other users to use this feature.
-        allow_key_sharing: {{ matrix_mautrix_signal_bridge_encryption_key_sharing_allow|to_json }}
-        # Options for deleting megolm sessions from the bridge.
-        delete_keys:
-            # Beeper-specific: delete outbound sessions when hungryserv confirms
-            # that the user has uploaded the key to key backup.
-            delete_outbound_on_ack: false
-            # Don't store outbound sessions in the inbound table.
-            dont_store_outbound: false
-            # Ratchet megolm sessions forward after decrypting messages.
-            ratchet_on_decrypt: false
-            # Delete fully used keys (index >= max_messages) after decrypting messages.
-            delete_fully_used_on_decrypt: false
-            # Delete previous megolm sessions from same device when receiving a new one.
-            delete_prev_on_new_session: false
-            # Delete megolm sessions received from a device when the device is deleted.
-            delete_on_device_delete: false
-            # Periodically delete megolm sessions when 2x max_age has passed since receiving the session.
-            periodically_delete_expired: false
-            # Delete inbound megolm sessions that don't have the received_at field used for
-            # automatic ratcheting and expired session deletion. This is meant as a migration
-            # to delete old keys prior to the bridge update.
-            delete_outdated_inbound: false
-        # What level of device verification should be required from users?
-        #
-        # Valid levels:
-        #   unverified - Send keys to all device in the room.
-        #   cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys.
-        #   cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes).
-        #   cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot.
-        #                           Note that creating user signatures from the bridge bot is not currently possible.
-        #   verified - Require manual per-device verification
-        #              (currently only possible by modifying the `trust` column in the `crypto_device` database table).
-        verification_levels:
-            # Minimum level for which the bridge should send keys to when bridging messages from Signal to Matrix.
-            receive: unverified
-            # Minimum level that the bridge should accept for incoming Matrix messages.
-            send: unverified
-            # Minimum level that the bridge should require for accepting key requests.
-            share: cross-signed-tofu
-        # Options for Megolm room key rotation. These options allow you to
-        # configure the m.room.encryption event content. See:
-        # https://spec.matrix.org/v1.3/client-server-api/#mroomencryption for
-        # more information about that event.
-        rotation:
-            # Enable custom Megolm room key rotation settings. Note that these
-            # settings will only apply to rooms created after this option is
-            # set.
-            enable_custom: false
-            # The maximum number of milliseconds a session should be used
-            # before changing it. The Matrix spec recommends 604800000 (a week)
-            # as the default.
-            milliseconds: 604800000
-            # The maximum number of messages that should be sent with a given a
-            # session before changing it. The Matrix spec recommends 100 as the
-            # default.
-            messages: 100
-
-            # Disable rotating keys when a user's devices change?
-            # You should not enable this option unless you understand all the implications.
-            disable_device_change_key_rotation: false
-
-    # Settings for provisioning API
-    provisioning:
-        # Prefix for the provisioning API paths.
-        prefix: /_matrix/provision
-        # Shared secret for authentication. If set to "generate", a random secret will be generated,
-        # or if set to "disable", the provisioning API will be disabled.
-        shared_secret: generate
-        # Enable debug API at /debug with provisioning authentication.
-        debug_endpoints: false
-
-    # Permissions for using the bridge.
-    # Permitted values:
-    #    relay - Talk through the relaybot (if enabled), no access otherwise
-    #     user - Access to use the bridge to chat with a Signal account.
-    #    admin - User level and some additional administration tools
-    # Permitted keys:
-    #        * - All Matrix users
-    #   domain - All users on that homeserver
-    #     mxid - Specific user
-    permissions: {{ matrix_mautrix_signal_bridge_permissions|to_json }}
-
-    # Settings for relay mode
-    relay:
-        # Whether relay mode should be allowed. If allowed, `!signal set-relay` can be used to turn any
-        # authenticated user into a relaybot for that chat.
-        enabled: {{ matrix_mautrix_signal_bridge_relay_enabled | to_json }}
-        # Should only admins be allowed to set themselves as relay users?
-        admin_only: {{ matrix_mautrix_signal_bridge_relay_admin_only | to_json }}
-        # The formats to use when sending messages to WhatsApp via the relaybot.
-        message_formats:
-            m.text: "<b>{{ '{{ .Sender.Displayname }}' }}</b>: {{ '{{ .Message }}' }}"
-            m.notice: "<b>{{ '{{ .Sender.Displayname }}' }}</b>:: {{ '{{ .Message }}' }}"
-            m.emote: "* <b>{{ '{{ .Sender.Displayname }}' }}</b>: {{ '{{ .Message }}' }}"
-            m.file: "<b>{{ '{{ .Sender.Displayname }}' }}</b>: sent a file"
-            m.image: "<b>{{ '{{ .Sender.Displayname }}' }}</b>: sent an image"
-            m.audio: "<b>{{ '{{ .Sender.Displayname }}' }}</b>: sent an audio file"
-            m.video: "<b>{{ '{{ .Sender.Displayname }}' }}</b>: sent a video"
-            m.location: "<b>{{ '{{ .Sender.Displayname }}' }}</b>: sent a location"
+    # Valid levels:
+    #   unverified - Send keys to all device in the room.
+    #   cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys.
+    #   cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes).
+    #   cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot.
+    #                           Note that creating user signatures from the bridge bot is not currently possible.
+    #   verified - Require manual per-device verification
+    #              (currently only possible by modifying the `trust` column in the `crypto_device` database table).
+    verification_levels:
+        # Minimum level for which the bridge should send keys to when bridging messages from the remote network to Matrix.
+        receive: unverified
+        # Minimum level that the bridge should accept for incoming Matrix messages.
+        send: unverified
+        # Minimum level that the bridge should require for accepting key requests.
+        share: cross-signed-tofu
+    # Options for Megolm room key rotation. These options allow you to configure the m.room.encryption event content.
+    # See https://spec.matrix.org/v1.10/client-server-api/#mroomencryption for more information about that event.
+    rotation:
+        # Enable custom Megolm room key rotation settings. Note that these
+        # settings will only apply to rooms created after this option is set.
+        enable_custom: false
+        # The maximum number of milliseconds a session should be used
+        # before changing it. The Matrix spec recommends 604800000 (a week)
+        # as the default.
+        milliseconds: 604800000
+        # The maximum number of messages that should be sent with a given a
+        # session before changing it. The Matrix spec recommends 100 as the
+        # default.
+        messages: 100
+        # Disable rotating keys when a user's devices change?
+        # You should not enable this option unless you understand all the implications.
+        disable_device_change_key_rotation: false
 
 # Logging config. See https://github.com/tulir/zeroconfig for details.
 logging:
-    directory: ./logs
-    file_name_format: ''
-    file_date_format: "2006-01-02"
-    file_mode: 384
-    timestamp_format: Jan _2, 2006 15:04:05
-    print_level: {{ matrix_mautrix_signal_logging_level | to_json }}
-    print_json: false
-    file_json: false
+    min_level: {{ matrix_mautrix_signal_logging_level | to_json }}
+    writers:
+        - type: stdout
+          format: pretty-colored

roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml

@@ -9,7 +9,7 @@ matrix_mautrix_slack_container_image_self_build_repo: "https://mau.dev/mautrix/s
 matrix_mautrix_slack_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_slack_version == 'latest' else matrix_mautrix_slack_version }}"
 
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/slack
-matrix_mautrix_slack_version: latest
+matrix_mautrix_slack_version: v0.1.0
 # See: https://mau.dev/mautrix/slack/container_registry
 matrix_mautrix_slack_docker_image: "{{ matrix_mautrix_slack_docker_image_name_prefix }}mautrix/slack:{{ matrix_mautrix_slack_version }}"
 matrix_mautrix_slack_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_slack_container_image_self_build else 'dock.mau.dev/' }}"
@@ -94,14 +94,9 @@ matrix_mautrix_slack_appservice_database_uri: "{{
 	}[matrix_mautrix_slack_database_engine]
 }}"
 
-# Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth).
-matrix_mautrix_slack_login_shared_secret: ''
-matrix_mautrix_slack_bridge_login_shared_secret_map:
-  "{{ {matrix_mautrix_slack_homeserver_domain: matrix_mautrix_slack_login_shared_secret} if matrix_mautrix_slack_login_shared_secret else {} }}"
-
-# Servers to always allow double puppeting from
-matrix_mautrix_slack_bridge_double_puppet_server_map:
-  "{{ matrix_mautrix_slack_homeserver_domain :  matrix_mautrix_slack_homeserver_address }}"
+matrix_mautrix_slack_double_puppet_secrets: "{{ matrix_mautrix_slack_double_puppet_secrets_auto | combine(matrix_mautrix_slack_double_puppet_secrets_custom) }}"
+matrix_mautrix_slack_double_puppet_secrets_auto: {}
+matrix_mautrix_slack_double_puppet_secrets_custom: {}
 
 # Default mautrix-slack configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
@@ -127,9 +122,9 @@ matrix_mautrix_slack_configuration: "{{ matrix_mautrix_slack_configuration_yaml
 
 matrix_mautrix_slack_registration_yaml: |
   id: slack
-  url: {{ matrix_mautrix_slack_appservice_address }}
-  as_token: "{{ matrix_mautrix_slack_appservice_token }}"
-  hs_token: "{{ matrix_mautrix_slack_homeserver_token }}"
+  url: {{ matrix_mautrix_slack_appservice_address | to_json }}
+  as_token: {{ matrix_mautrix_slack_appservice_token | to_json }}
+  hs_token: {{ matrix_mautrix_slack_homeserver_token | to_json }}
   # See https://github.com/mautrix/signal/issues/43
   sender_localpart: _bot_{{ matrix_mautrix_slack_appservice_bot_username }}
   rate_limited: false
@@ -147,3 +142,6 @@ matrix_mautrix_slack_registration: "{{ matrix_mautrix_slack_registration_yaml |
 matrix_mautrix_slack_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}"
 matrix_mautrix_slack_bridge_encryption_default: "{{ matrix_bridges_encryption_default }}"
 matrix_mautrix_slack_bridge_encryption_key_sharing_allow: "{{ matrix_mautrix_slack_bridge_encryption_allow }}"
+
+matrix_mautrix_slack_provisioning_shared_secret: ''
+matrix_mautrix_slack_public_media_signing_key: ''

roles/custom/matrix-bridge-mautrix-slack/tasks/validate_config.yml

@@ -20,3 +20,14 @@
       To resolve the conflict, make one of these components use a different username.
       Consider either changing `matrix_mautrix_slack_appservice_bot_username` (the bot username for the mautrix-slack component) or `matrix_appservice_slack_bot_name` (the bot username for the appservice-slack component).
       We recommend that you change the username for the newly-added (and yet unused) component.
+
+- name: (Deprecation) Catch and report renamed settings
+  ansible.builtin.fail:
+    msg: >-
+      Your configuration contains a variable, which now has a different name.
+      Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
+  when: "item.old in vars"
+  with_items:
+    - {'old': 'matrix_mautrix_slack_login_shared_secret', 'new': '<removed>'}
+    - {'old': 'matrix_mautrix_slack_bridge_login_shared_secret_map', 'new': '<superseded by matrix_mautrix_slack_double_puppet_secrets>'}
+    - {'old': 'matrix_mautrix_slack_bridge_double_puppet_server_map', 'new': '<removed>'}

roles/custom/matrix-bridge-mautrix-slack/templates/config.yaml.j2

@@ -1,240 +1,443 @@
 #jinja2: lstrip_blocks: "True"
+# Network-specific config options
+network:
+    # Displayname template for Slack users. Available variables:
+    #  .Name - The username of the user
+    #  .Team.Name - The name of the team the channel is in
+    #  .Team.Domain - The Slack subdomain of the team the channel is in
+    #  .ID - The internal ID of the user
+    #  .IsBot - Whether the user is a bot
+    #  .Profile.DisplayName - The username or real name of the user (depending on settings)
+    # Variables only available for users (not bots):
+    #  .TeamID - The internal ID of the workspace the user is in
+    #  .TZ - The timezone region of the user (e.g. Europe/London)
+    #  .TZLabel - The label of the timezone of the user (e.g. Greenwich Mean Time)
+    #  .TZOffset - The UTC offset of the timezone of the user (e.g. 0)
+    #  .Profile.RealName - The real name of the user
+    #  .Profile.FirstName - The first name of the user
+    #  .Profile.LastName - The last name of the user
+    #  .Profile.Title - The job title of the user
+    #  .Profile.Pronouns - The pronouns of the user
+    #  .Profile.Email - The email address of the user
+    #  .Profile.Phone - The formatted phone number of the user
+    displayname_template: '{% raw %}{{or .Profile.DisplayName .Profile.RealName .Name}}{{if .IsBot}} (bot){{end}}{% endraw% %}'
+    # Channel name template for Slack channels (all types). Available variables:
+    #  .Name - The name of the channel
+    #  .Team.Name - The name of the team the channel is in
+    #  .Team.Domain - The Slack subdomain of the team the channel is in
+    #  .ID - The internal ID of the channel
+    #  .IsNoteToSelf - Whether the channel is a DM with yourself
+    #  .IsGeneral - Whether the channel is the #general channel
+    #  .IsChannel - Whether the channel is a channel (rather than a DM)
+    #  .IsPrivate - Whether the channel is private
+    #  .IsIM - Whether the channel is a one-to-one DM
+    #  .IsMpIM - Whether the channel is a group DM
+    #  .IsShared - Whether the channel is shared with another workspace.
+    #  .IsExtShared - Whether the channel is shared with an external organization.
+    #  .IsOrgShared - Whether the channel is shared with an organization in the same enterprise grid.
+    channel_name_template: '{% raw %}{{if and .IsChannel (not .IsPrivate)}}#{{end}}{{.Name}}{{if .IsNoteToSelf}} (you){{end}}{% endraw %}'
+    # Displayname template for Slack workspaces. Available variables:
+    #  .Name - The name of the team
+    #  .Domain - The Slack subdomain of the team
+    #  .ID - The internal ID of the team
+    team_name_template: "{% raw %}{{ .Name }}{% endraw %}"
+
+    # Should incoming custom emoji reactions be bridged as mxc:// URIs?
+    # If set to false, custom emoji reactions will be bridged as the shortcode instead, and the image won't be available.
+    custom_emoji_reactions: true
+    # Should channels and group DMs have the workspace icon as the Matrix room avatar?
+    workspace_avatar_in_rooms: false
+    # Number of participants to sync in channels (doesn't affect group DMs)
+    participant_sync_count: 5
+    # Should channel participants only be synced when creating the room?
+    # If you want participants to always be accurately synced, set participant_sync_count to a high value and this to false.
+    participant_sync_only_on_create: true
+    # Should channel portals be muted by default?
+    mute_channels_by_default: false
+
+    # Options for backfilling messages from Slack.
+    backfill:
+        # Number of conversations to fetch from Slack when syncing workspace.
+        # This option applies even if message backfill is disabled below.
+        # If set to -1, all chats in the client.boot response will be bridged, and nothing will be fetched separately.
+        conversation_count: -1
+
+
+# Config options that affect the central bridge module.
+bridge:
+    # The prefix for commands. Only required in non-management rooms.
+    command_prefix: {{ matrix_mautrix_slack_command_prefix | to_json }}
+    # Should the bridge create a space for each login containing the rooms that account is in?
+    personal_filtering_spaces: true
+    # Whether the bridge should set names and avatars explicitly for DM portals.
+    # This is only necessary when using clients that don't support MSC4171.
+    private_chat_portal_meta: false
+
+    # Should leaving Matrix rooms be bridged as leaving groups on the remote network?
+    bridge_matrix_leave: false
+    # Should room tags only be synced when creating the portal? Tags mean things like favorite/pin and archive/low priority.
+    # Tags currently can't be synced back to the remote network, so a continuous sync means tagging from Matrix will be undone.
+    tag_only_on_create: true
+    # Should room mute status only be synced when creating the portal?
+    # Like tags, mutes can't currently be synced back to the remote network.
+    mute_only_on_create: true
+
+    # What should be done to portal rooms when a user logs out or is logged out?
+    # Permitted values:
+    #   nothing - Do nothing, let the user stay in the portals
+    #   kick - Remove the user from the portal rooms, but don't delete them
+    #   unbridge - Remove all ghosts in the room and disassociate it from the remote chat
+    #   delete - Remove all ghosts and users from the room (i.e. delete it)
+    cleanup_on_logout:
+        # Should cleanup on logout be enabled at all?
+        enabled: false
+        # Settings for manual logouts (explicitly initiated by the Matrix user)
+        manual:
+            # Action for private portals which will never be shared with other Matrix users.
+            private: nothing
+            # Action for portals with a relay user configured.
+            relayed: nothing
+            # Action for portals which may be shared, but don't currently have any other Matrix users.
+            shared_no_users: nothing
+            # Action for portals which have other logged-in Matrix users.
+            shared_has_users: nothing
+        # Settings for credentials being invalidated (initiated by the remote network, possibly through user action).
+        # Keys have the same meanings as in the manual section.
+        bad_credentials:
+            private: nothing
+            relayed: nothing
+            shared_no_users: nothing
+            shared_has_users: nothing
+
+    # Settings for relay mode
+    relay:
+        # Whether relay mode should be allowed. If allowed, the set-relay command can be used to turn any
+        # authenticated user into a relaybot for that chat.
+        enabled: false
+        # Should only admins be allowed to set themselves as relay users?
+        # If true, non-admins can only set users listed in default_relays as relays in a room.
+        admin_only: true
+        # List of user login IDs which anyone can set as a relay, as long as the relay user is in the room.
+        default_relays: []
+        # The formats to use when sending messages via the relaybot.
+        # Available variables:
+        #   .Sender.UserID - The Matrix user ID of the sender.
+        #   .Sender.Displayname - The display name of the sender (if set).
+        #   .Sender.RequiresDisambiguation - Whether the sender's name may be confused with the name of another user in the room.
+        #   .Sender.DisambiguatedName - The disambiguated name of the sender. This will be the displayname if set,
+        #                               plus the user ID in parentheses if the displayname is not unique.
+        #                               If the displayname is not set, this is just the user ID.
+        #   .Message - The `formatted_body` field of the message.
+        #   .Caption - The `formatted_body` field of the message, if it's a caption. Otherwise an empty string.
+        #   .FileName - The name of the file being sent.
+        message_formats:
+            m.text: "{% raw %}<b>{{ .Sender.DisambiguatedName }}</b>: {{ .Message }}{% endraw %}"
+            m.notice: "{% raw %}<b>{{ .Sender.DisambiguatedName }}</b>: {{ .Message }}{% endraw %}"
+            m.emote: "{% raw %}* <b>{{ .Sender.DisambiguatedName }}</b> {{ .Message }}{% endraw %}"
+            m.file: "{% raw %}<b>{{ .Sender.DisambiguatedName }}</b> sent a file{{ if .Caption }}: {{ .Caption }}{{ end }}{% endraw %}"
+            m.image: "{% raw %}<b>{{ .Sender.DisambiguatedName }}</b> sent an image{{ if .Caption }}: {{ .Caption }}{{ end }}{% endraw %}"
+            m.audio: "{% raw %}<b>{{ .Sender.DisambiguatedName }}</b> sent an audio file{{ if .Caption }}: {{ .Caption }}{{ end }}{% endraw %}"
+            m.video: "{% raw %}<b>{{ .Sender.DisambiguatedName }}</b> sent a video{{ if .Caption }}: {{ .Caption }}{{ end }}{% endraw %}"
+            m.location: "{% raw %}<b>{{ .Sender.DisambiguatedName }}</b> sent a location{{ if .Caption }}: {{ .Caption }}{{ end }}{% endraw %}"
+        # For networks that support per-message displaynames (i.e. Slack and Discord), the template for those names.
+        # This has all the Sender variables available under message_formats (but without the .Sender prefix).
+        # Note that you need to manually remove the displayname from message_formats above.
+        displayname_format: "{% raw %}{{ .DisambiguatedName }}{% endraw %}"
+
+    # Permissions for using the bridge.
+    # Permitted values:
+    #    relay - Talk through the relaybot (if enabled), no access otherwise
+    # commands - Access to use commands in the bridge, but not login.
+    #     user - Access to use the bridge with puppeting.
+    #    admin - Full access, user level with some additional administration tools.
+    # Permitted keys:
+    #        * - All Matrix users
+    #   domain - All users on that homeserver
+    #     mxid - Specific user
+    permissions: {{ matrix_mautrix_slack_bridge_permissions | to_json }}
+
+# Config for the bridge's database.
+database:
+    # The database type. "sqlite3-fk-wal" and "postgres" are supported.
+    type: {{ matrix_mautrix_slack_appservice_database_type | to_json }}
+    # The database URI.
+    #   SQLite: A raw file path is supported, but `file:<path>?_txlock=immediate` is recommended.
+    #           https://github.com/mattn/go-sqlite3#connection-string
+    #   Postgres: Connection string. For example, postgres://user:password@host/database?sslmode=disable
+    #             To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql
+    uri: {{ matrix_mautrix_slack_appservice_database_uri | to_json }}
+    # Maximum number of connections.
+    max_open_conns: 5
+    max_idle_conns: 1
+    # Maximum connection idle time and lifetime before they're closed. Disabled if null.
+    # Parsed with https://pkg.go.dev/time#ParseDuration
+    max_conn_idle_time: null
+    max_conn_lifetime: null
+
 # Homeserver details.
 homeserver:
     # The address that this appservice can use to connect to the homeserver.
+    # Local addresses without HTTPS are generally recommended when the bridge is running on the same machine,
+    # but https also works if they run on different machines.
     address: {{ matrix_mautrix_slack_homeserver_address | to_json }}
-    # The domain of the homeserver (for MXIDs, etc).
+    # The domain of the homeserver (also known as server_name, used for MXIDs, etc).
     domain: {{ matrix_mautrix_slack_homeserver_domain | to_json }}
 
     # What software is the homeserver running?
     # Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here.
     software: standard
     # The URL to push real-time bridge status to.
-    # If set, the bridge will make POST requests to this URL whenever a user's slack connection state changes.
+    # If set, the bridge will make POST requests to this URL whenever a user's remote network connection state changes.
     # The bridge will use the appservice as_token to authorize requests.
-    status_endpoint: null
+    status_endpoint:
     # Endpoint for reporting per-message status.
-    message_send_checkpoint_endpoint: null
+    # If set, the bridge will make POST requests to this URL when processing a message from Matrix.
+    # It will make one request when receiving the message (step BRIDGE), one after decrypting if applicable
+    # (step DECRYPTED) and one after sending to the remote network (step REMOTE). Errors will also be reported.
+    # The bridge will use the appservice as_token to authorize requests.
+    message_send_checkpoint_endpoint:
     # Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246?
     async_media: false
 
+    # Should the bridge use a websocket for connecting to the homeserver?
+    # The server side is currently not documented anywhere and is only implemented by mautrix-wsproxy,
+    # mautrix-asmux (deprecated), and hungryserv (proprietary).
+    websocket: false
+    # How often should the websocket be pinged? Pinging will be disabled if this is zero.
+    ping_interval_seconds: 0
+
 # Application service host/registration related details.
-# Changing these values requires regeneration of the registration.
+# Changing these values requires regeneration of the registration (except when noted otherwise)
 appservice:
     # The address that the homeserver can use to connect to this appservice.
     address: {{ matrix_mautrix_slack_appservice_address | to_json }}
+    # A public address that external services can use to reach this appservice.
+    # This value doesn't affect the registration file.
+    public_address: https://bridge.example.com
 
     # The hostname and port where this appservice should listen.
+    # For Docker, you generally have to change the hostname to 0.0.0.0.
     hostname: 0.0.0.0
     port: 8080
 
-    # Database config.
-    database:
-        # The database type. "sqlite3-fk-wal" and "postgres" are supported.
-        type: {{ matrix_mautrix_slack_appservice_database_type|to_json }}
-        # The database URI.
-        #   SQLite: A raw file path is supported, but `file:<path>?_txlock=immediate` is recommended.
-        #           https://github.com/mattn/go-sqlite3#connection-string
-        #   Postgres: Connection string. For example, postgres://user:password@host/database?sslmode=disable
-        #             To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql
-        uri: {{ matrix_mautrix_slack_appservice_database_uri|to_json }}
-        # Maximum number of connections. Mostly relevant for Postgres.
-        max_open_conns: 20
-        max_idle_conns: 2
-        # Maximum connection idle time and lifetime before they're closed. Disabled if null.
-        # Parsed with https://pkg.go.dev/time#ParseDuration
-        max_conn_idle_time: null
-        max_conn_lifetime: null
-
     # The unique ID of this appservice.
     id: slack
     # Appservice bot details.
     bot:
         # Username of the appservice bot.
-        username: {{ matrix_mautrix_slack_appservice_bot_username|to_json }}
+        username: {{ matrix_mautrix_slack_appservice_bot_username | to_json }}
         # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
         # to leave display name/avatar as-is.
         displayname: Slack bridge bot
         avatar: mxc://maunium.net/pVtzLmChZejGxLqmXtQjFxem
-    # Whether or not to receive ephemeral events via appservice transactions.
-    # Requires MSC2409 support (i.e. Synapse 1.22+).
-    # You should disable bridge -> sync_with_custom_puppets when this is enabled.
-    ephemeral_events: true
 
+    # Whether to receive ephemeral events via appservice transactions.
+    ephemeral_events: true
     # Should incoming events be handled asynchronously?
     # This may be necessary for large public instances with lots of messages going through.
     # However, messages will not be guaranteed to be bridged in the same order they were sent in.
+    # This value doesn't affect the registration file.
     async_transactions: false
 
     # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
     as_token: {{ matrix_mautrix_slack_appservice_token | to_json }}
     hs_token: {{ matrix_mautrix_slack_homeserver_token | to_json }}
 
-# Bridge config
-bridge:
-    # Localpart template of MXIDs for Slack users.
-    # {{ '{{.}}' }} is replaced with the internal ID of the Slack user.
-    username_template: "{{ 'slack_{{.}}' }}"
-    # Displayname template for Slack users.
-    # TODO: document variables
-    displayname_template: "{{ '{{.RealName}} (S)' }}"
-    bot_displayname_template: "{{ '{{.Name}} (bot)' }}"
-    channel_name_template: "{{ '#{{.Name}} ({{.TeamName}})' }}"
+    # Localpart template of MXIDs for remote users.
+    # {% raw %}
+    # {{.}} is replaced with the internal ID of the user.
+    # {% endraw %}
+    username_template: "{% raw %}slack_{{.}}{% endraw %}"
 
-    portal_message_buffer: 128
-
-    # Should the bridge send a read receipt from the bridge bot when a message has been sent to Slack?
-    delivery_receipts: true
+# Config options that affect the Matrix connector of the bridge.
+matrix:
     # Whether the bridge should send the message status as a custom com.beeper.message_send_status event.
     message_status_events: false
+    # Whether the bridge should send a read receipt after successfully bridging a message.
+    delivery_receipts: false
     # Whether the bridge should send error notices via m.notice events when a message fails to bridge.
     message_error_notices: true
-
-    # Should the bridge sync with double puppeting to receive EDUs that aren't normally sent to appservices.
-    sync_with_custom_puppets: false
-    # Should the bridge update the m.direct account data event when double puppeting is enabled.
-    # Note that updating the m.direct event is not atomic (except with mautrix-asmux)
-    # and is therefore prone to race conditions.
+    # Whether the bridge should update the m.direct account data event when double puppeting is enabled.
     sync_direct_chat_list: false
+    # Whether created rooms should have federation enabled. If false, created portal rooms
+    # will never be federated. Changing this option requires recreating rooms.
+    federate_rooms: true
 
-    # Servers to always allow double puppeting from
-    double_puppet_server_map:
-        "{{ matrix_mautrix_slack_homeserver_domain }}": {{ matrix_mautrix_slack_homeserver_address }}
-    # Allow using double puppeting from any server with a valid client .well-known file.
-    double_puppet_allow_discovery: false
-    # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth
+# Settings for provisioning API
+provisioning:
+    # Prefix for the provisioning API paths.
+    prefix: /_matrix/provision
+    # Shared secret for authentication. If set to "generate" or null, a random secret will be generated,
+    # or if set to "disable", the provisioning API will be disabled.
+    shared_secret: {{ matrix_mautrix_slack_provisioning_shared_secret | to_json }}
+    # Whether to allow provisioning API requests to be authed using Matrix access tokens.
+    # This follows the same rules as double puppeting to determine which server to contact to check the token,
+    # which means that by default, it only works for users on the same server as the bridge.
+    allow_matrix_auth: true
+    # Enable debug API at /debug with provisioning authentication.
+    debug_endpoints: false
+
+# Some networks require publicly accessible media download links (e.g. for user avatars when using Discord webhooks).
+# These settings control whether the bridge will provide such public media access.
+public_media:
+    # Should public media be enabled at all?
+    # The public_address field under the appservice section MUST be set when enabling public media.
+    enabled: false
+    # A key for signing public media URLs.
+    # If set to "generate", a random key will be generated.
+    signing_key: {{ matrix_mautrix_slack_public_media_signing_key | to_json }}
+    # Number of seconds that public media URLs are valid for.
+    # If set to 0, URLs will never expire.
+    expiry: 0
+    # Length of hash to use for public media URLs. Must be between 0 and 32.
+    hash_length: 32
+
+# Settings for converting remote media to custom mxc:// URIs instead of reuploading.
+# More details can be found at https://docs.mau.fi/bridges/go/discord/direct-media.html
+direct_media:
+    # Should custom mxc:// URIs be used instead of reuploading media?
+    enabled: false
+    # The server name to use for the custom mxc:// URIs.
+    # This server name will effectively be a real Matrix server, it just won't implement anything other than media.
+    # You must either set up .well-known delegation from this domain to the bridge, or proxy the domain directly to the bridge.
+    server_name: media.example.com
+    # Optionally a custom .well-known response. This defaults to `server_name:443`
+    well_known_response:
+    # Optionally specify a custom prefix for the media ID part of the MXC URI.
+    media_id_prefix:
+    # If the remote network supports media downloads over HTTP, then the bridge will use MSC3860/MSC3916
+    # media download redirects if the requester supports it. Optionally, you can force redirects
+    # and not allow proxying at all by setting this to false.
+    # This option does nothing if the remote network does not support media downloads over HTTP.
+    allow_proxy: true
+    # Matrix server signing key to make the federation tester pass, same format as synapse's .signing.key file.
+    # This key is also used to sign the mxc:// URIs to ensure only the bridge can generate them.
+    server_key: ""
+
+# Settings for backfilling messages.
+# Note that the exact way settings are applied depends on the network connector.
+# See https://docs.mau.fi/bridges/general/backfill.html for more details.
+backfill:
+    # Whether to do backfilling at all.
+    enabled: false
+    # Maximum number of messages to backfill in empty rooms.
+    max_initial_messages: 50
+    # Maximum number of missed messages to backfill after bridge restarts.
+    max_catchup_messages: 500
+    # If a backfilled chat is older than this number of hours,
+    # mark it as read even if it's unread on the remote network.
+    unread_hours_threshold: 720
+    # Settings for backfilling threads within other backfills.
+    threads:
+        # Maximum number of messages to backfill in a new thread.
+        max_initial_messages: 50
+    # Settings for the backwards backfill queue. This only applies when connecting to
+    # Beeper as standard Matrix servers don't support inserting messages into history.
+    queue:
+        # Should the backfill queue be enabled?
+        enabled: false
+        # Number of messages to backfill in one batch.
+        batch_size: 100
+        # Delay between batches in seconds.
+        batch_delay: 20
+        # Maximum number of batches to backfill per portal.
+        # If set to -1, all available messages will be backfilled.
+        max_batches: -1
+        # Optional network-specific overrides for max batches.
+        # Interpretation of this field depends on the network connector.
+        max_batches_override: {}
+
+# Settings for enabling double puppeting
+double_puppet:
+    # Servers to always allow double puppeting from.
+    # This is only for other servers and should NOT contain the server the bridge is on.
+    servers: {}
+    # Whether to allow client API URL discovery for other servers. When using this option,
+    # users on other servers can use double puppeting even if their server URLs aren't
+    # explicitly added to the servers map above.
+    allow_discovery: false
+    # Shared secrets for automatic double puppeting.
+    # See https://docs.mau.fi/bridges/general/double-puppeting.html for instructions.
+    secrets: {{ matrix_mautrix_slack_double_puppet_secrets | to_json }}
+
+# End-to-bridge encryption support options.
+#
+# See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info.
+encryption:
+    # Whether to enable encryption at all. If false, the bridge will not function in encrypted rooms.
+    allow: {{ matrix_mautrix_slack_bridge_encryption_allow | to_json }}
+    # Whether to force-enable encryption in all bridged rooms.
+    default: {{ matrix_mautrix_slack_bridge_encryption_default | to_json }}
+    # Whether to require all messages to be encrypted and drop any unencrypted messages.
+    require: false
+    # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.
+    # This option is not yet compatible with standard Matrix servers like Synapse and should not be used.
+    appservice: false
+    # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
+    # You must use a client that supports requesting keys from other users to use this feature.
+    allow_key_sharing: {{ matrix_mautrix_slack_bridge_encryption_key_sharing_allow | to_json }}
+    # Pickle key for encrypting encryption keys in the bridge database.
+    # If set to generate, a random key will be generated.
+    pickle_key: generate
+    # Options for deleting megolm sessions from the bridge.
+    delete_keys:
+        # Beeper-specific: delete outbound sessions when hungryserv confirms
+        # that the user has uploaded the key to key backup.
+        delete_outbound_on_ack: false
+        # Don't store outbound sessions in the inbound table.
+        dont_store_outbound: false
+        # Ratchet megolm sessions forward after decrypting messages.
+        ratchet_on_decrypt: false
+        # Delete fully used keys (index >= max_messages) after decrypting messages.
+        delete_fully_used_on_decrypt: false
+        # Delete previous megolm sessions from same device when receiving a new one.
+        delete_prev_on_new_session: false
+        # Delete megolm sessions received from a device when the device is deleted.
+        delete_on_device_delete: false
+        # Periodically delete megolm sessions when 2x max_age has passed since receiving the session.
+        periodically_delete_expired: false
+        # Delete inbound megolm sessions that don't have the received_at field used for
+        # automatic ratcheting and expired session deletion. This is meant as a migration
+        # to delete old keys prior to the bridge update.
+        delete_outdated_inbound: false
+    # What level of device verification should be required from users?
     #
-    # If set, double puppeting will be enabled automatically for local users
-    # instead of users having to find an access token and run `login-matrix`
-    # manually.
-    login_shared_secret_map: {{ matrix_mautrix_slack_bridge_login_shared_secret_map|to_json }}
-
-    message_handling_timeout:
-        # Send an error message after this timeout, but keep waiting for the response until the deadline.
-        # This is counted from the origin_server_ts, so the warning time is consistent regardless of the source of delay.
-        # If the message is older than this when it reaches the bridge, the message won't be handled at all.
-        error_after: 10s
-        # Drop messages after this timeout. They may still go through if the message got sent to the servers.
-        # This is counted from the time the bridge starts handling the message.
-        deadline: 60s
-
-    # The prefix for commands. Only required in non-management rooms.
-    command_prefix: "{{ matrix_mautrix_slack_command_prefix }}"
-    # Messages sent upon joining a management room.
-    # Markdown is supported. The defaults are listed below.
-    management_room_text:
-        # Sent when joining a room.
-        welcome: "Hello, I'm a Slack bridge bot."
-        # Sent when joining a management room and the user is already logged in.
-        welcome_connected: "Use `help` for help."
-        # Sent when joining a management room and the user is not logged in.
-        welcome_unconnected: "Use `help` for help, or `login-token` or `login-password` to log in."
-        # Optional extra text sent when joining a management room.
-        additional_help: ""
-
-    backfill:
-        # Allow backfilling at all? Requires MSC2716 support on homeserver.
-        enable: false
-
-        # If a backfilled chat is older than this number of hours, mark it as read even if it's unread on Slack.
-        # Set to -1 to let any chat be unread.
-        unread_hours_threshold: 720
-
-        # Number of messages to immediately backfill when creating a portal.
-        immediate_messages: 10
-
-        # Settings for incremental backfill of history.
-        incremental:
-            # Maximum number of messages to backfill per batch.
-            messages_per_batch: 100
-            # The number of seconds to wait after backfilling the batch of messages.
-            post_batch_delay: 20
-            # The maximum number of messages to backfill per portal, split by the chat type.
-            # If set to -1, all messages in the chat will eventually be backfilled.
-            max_messages:
-                # Channels
-                channel: -1
-                # Group direct messages
-                group_dm: -1
-                # 1:1 direct messages
-                dm: -1
-
-    # End-to-bridge encryption support options.
-    #
-    # See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info.
-    encryption:
-        # Allow encryption, work in group chat rooms with e2ee enabled
-        allow: {{ matrix_mautrix_slack_bridge_encryption_allow|to_json }}
-        # Default to encryption, force-enable encryption in all portals the bridge creates
-        # This will cause the bridge bot to be in private chats for the encryption to work properly.
-        default: {{ matrix_mautrix_slack_bridge_encryption_default|to_json }}
-        # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.
-        appservice: false
-        # Require encryption, drop any unencrypted messages.
-        require: false
-        # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
-        # You must use a client that supports requesting keys from other users to use this feature.
-        allow_key_sharing: {{ matrix_mautrix_slack_bridge_encryption_key_sharing_allow|to_json }}
-        # What level of device verification should be required from users?
-        #
-        # Valid levels:
-        #   unverified - Send keys to all device in the room.
-        #   cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys.
-        #   cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes).
-        #   cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot.
-        #                           Note that creating user signatures from the bridge bot is not currently possible.
-        #   verified - Require manual per-device verification
-        #              (currently only possible by modifying the `trust` column in the `crypto_device` database table).
-        verification_levels:
-            # Minimum level for which the bridge should send keys to when bridging messages from WhatsApp to Matrix.
-            receive: unverified
-            # Minimum level that the bridge should accept for incoming Matrix messages.
-            send: unverified
-            # Minimum level that the bridge should require for accepting key requests.
-            share: cross-signed-tofu
-        # Options for Megolm room key rotation. These options allow you to
-        # configure the m.room.encryption event content. See:
-        # https://spec.matrix.org/v1.3/client-server-api/#mroomencryption for
-        # more information about that event.
-        rotation:
-            # Enable custom Megolm room key rotation settings. Note that these
-            # settings will only apply to rooms created after this option is
-            # set.
-            enable_custom: false
-            # The maximum number of milliseconds a session should be used
-            # before changing it. The Matrix spec recommends 604800000 (a week)
-            # as the default.
-            milliseconds: 604800000
-            # The maximum number of messages that should be sent with a given a
-            # session before changing it. The Matrix spec recommends 100 as the
-            # default.
-            messages: 100
-
-    # Settings for provisioning API
-    provisioning:
-        # Prefix for the provisioning API paths.
-        prefix: /_matrix/provision
-        # Shared secret for authentication. If set to "generate", a random secret will be generated,
-        # or if set to "disable", the provisioning API will be disabled.
-        shared_secret: generate
-
-    # Permissions for using the bridge.
-    # Permitted values:
-    #    relay - Talk through the relaybot (if enabled), no access otherwise
-    #     user - Access to use the bridge to chat with a Slack account.
-    #    admin - User level and some additional administration tools
-    # Permitted keys:
-    #        * - All Matrix users
-    #   domain - All users on that homeserver
-    #     mxid - Specific user
-    permissions: {{ matrix_mautrix_slack_bridge_permissions|to_json }}
+    # Valid levels:
+    #   unverified - Send keys to all device in the room.
+    #   cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys.
+    #   cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes).
+    #   cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot.
+    #                           Note that creating user signatures from the bridge bot is not currently possible.
+    #   verified - Require manual per-device verification
+    #              (currently only possible by modifying the `trust` column in the `crypto_device` database table).
+    verification_levels:
+        # Minimum level for which the bridge should send keys to when bridging messages from the remote network to Matrix.
+        receive: unverified
+        # Minimum level that the bridge should accept for incoming Matrix messages.
+        send: unverified
+        # Minimum level that the bridge should require for accepting key requests.
+        share: cross-signed-tofu
+    # Options for Megolm room key rotation. These options allow you to configure the m.room.encryption event content.
+    # See https://spec.matrix.org/v1.10/client-server-api/#mroomencryption for more information about that event.
+    rotation:
+        # Enable custom Megolm room key rotation settings. Note that these
+        # settings will only apply to rooms created after this option is set.
+        enable_custom: false
+        # The maximum number of milliseconds a session should be used
+        # before changing it. The Matrix spec recommends 604800000 (a week)
+        # as the default.
+        milliseconds: 604800000
+        # The maximum number of messages that should be sent with a given a
+        # session before changing it. The Matrix spec recommends 100 as the
+        # default.
+        messages: 100
+        # Disable rotating keys when a user's devices change?
+        # You should not enable this option unless you understand all the implications.
+        disable_device_change_key_rotation: false
 
+# Logging config. See https://github.com/tulir/zeroconfig for details.
 logging:
-    directory: ./logs
-    file_name_format: ''
-    file_date_format: "2006-01-02"
-    file_mode: 384
-    timestamp_format: Jan _2, 2006 15:04:05
-    print_level: {{ matrix_mautrix_slack_logging_level | to_json }}
-    print_json: false
-    file_json: false
+    min_level: {{ matrix_mautrix_slack_logging_level | to_json }}
+    writers:
+        - type: stdout
+          format: pretty-colored

roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml

@@ -178,11 +178,9 @@ matrix_mautrix_telegram_appservice_database: "{{
 	}[matrix_mautrix_telegram_database_engine]
 }}"
 
-
-# Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth).
-matrix_mautrix_telegram_login_shared_secret: ''
-matrix_mautrix_telegram_bridge_login_shared_secret_map:
-   "{{ {matrix_mautrix_telegram_homeserver_domain: matrix_mautrix_telegram_login_shared_secret} if matrix_mautrix_telegram_login_shared_secret else {}  }}"
+matrix_mautrix_telegram_bridge_login_shared_secret_map: "{{ matrix_mautrix_telegram_bridge_login_shared_secret_map_auto | combine(matrix_mautrix_telegram_bridge_login_shared_secret_map_custom) }}"
+matrix_mautrix_telegram_bridge_login_shared_secret_map_auto: {}
+matrix_mautrix_telegram_bridge_login_shared_secret_map_custom: {}
 
 # Default configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.

roles/custom/matrix-bridge-mautrix-telegram/tasks/validate_config.yml

@@ -30,3 +30,4 @@
     - {'old': 'matrix_mautrix_telegram_container_self_build', 'new': 'matrix_mautrix_telegram_container_image_self_build'}
     - {'old': 'matrix_telegram_lottieconverter_container_self_build', 'new': 'matrix_mautrix_telegram_container_image_self_build'}
     - {'old': 'matrix_telegram_lottieconverter_container_self_build_mask_arch', 'new': 'matrix_telegram_lottieconverter_container_image_self_build_mask_arch'}
+    - {'old': 'matrix_mautrix_telegram_login_shared_secret', 'new': '<removed>'}

roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml

@@ -106,11 +106,9 @@ matrix_mautrix_twitter_appservice_database: "{{
 	}[matrix_mautrix_twitter_database_engine]
 }}"
 
-
-# Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth).
-matrix_mautrix_twitter_login_shared_secret: ''
-
-matrix_mautrix_twitter_bridge_login_shared_secret_map: "{{ {matrix_mautrix_twitter_homeserver_domain: matrix_mautrix_twitter_login_shared_secret} if matrix_mautrix_twitter_login_shared_secret else {} }}"
+matrix_mautrix_twitter_bridge_login_shared_secret_map: "{{ matrix_mautrix_twitter_bridge_login_shared_secret_map_auto | combine(matrix_mautrix_twitter_bridge_login_shared_secret_map_custom) }}"
+matrix_mautrix_twitter_bridge_login_shared_secret_map_auto: {}
+matrix_mautrix_twitter_bridge_login_shared_secret_map_custom: {}
 
 matrix_mautrix_twitter_appservice_bot_username: twitterbot
 

roles/custom/matrix-bridge-mautrix-twitter/tasks/validate_config.yml

@@ -13,3 +13,12 @@
     - {'name': 'matrix_mautrix_twitter_container_network', when: true}
     - {'name': 'matrix_mautrix_twitter_metrics_proxying_hostname', when: "{{ matrix_mautrix_twitter_metrics_proxying_enabled }}"}
     - {'name': 'matrix_mautrix_twitter_metrics_proxying_path_prefix', when: "{{ matrix_mautrix_twitter_metrics_proxying_enabled }}"}
+
+- name: (Deprecation) Catch and report renamed mautrix-twitter variables
+  ansible.builtin.fail:
+    msg: >-
+      Your configuration contains a variable, which now has a different name.
+      Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
+  when: "item.old in vars"
+  with_items:
+    - {'old': 'matrix_mautrix_twitter_login_shared_secret', 'new': '<removed>'}

roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml

@@ -134,10 +134,9 @@ matrix_mautrix_whatsapp_appservice_database_uri: "{{
 	}[matrix_mautrix_whatsapp_database_engine]
 }}"
 
-# Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth).
-matrix_mautrix_whatsapp_login_shared_secret: ''
-matrix_mautrix_whatsapp_bridge_login_shared_secret_map:
-  "{{ {matrix_mautrix_whatsapp_homeserver_domain: matrix_mautrix_whatsapp_login_shared_secret} if matrix_mautrix_whatsapp_login_shared_secret else {} }}"
+matrix_mautrix_whatsapp_bridge_login_shared_secret_map: "{{ matrix_mautrix_whatsapp_bridge_login_shared_secret_map_auto | combine(matrix_mautrix_whatsapp_bridge_login_shared_secret_map_custom) }}"
+matrix_mautrix_whatsapp_bridge_login_shared_secret_map_auto: {}
+matrix_mautrix_whatsapp_bridge_login_shared_secret_map_custom: {}
 
 # Enable End-to-bridge encryption
 matrix_mautrix_whatsapp_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}"

roles/custom/matrix-bridge-mautrix-whatsapp/tasks/validate_config.yml

@@ -19,3 +19,4 @@
   when: "item.old in vars"
   with_items:
     - {'old': 'matrix_mautrix_whatsapp_log_level', 'new': 'matrix_mautrix_whatsapp_logging_level'}
+    - {'old': 'matrix_mautrix_whatsapp_login_shared_secret', 'new': '<removed>'}

setup.yml

@@ -51,6 +51,7 @@
     - galaxy/keydb
     - custom/matrix-corporal
     - custom/matrix-appservice-draupnir-for-all
+    - custom/matrix-appservice-double-puppet
     - custom/matrix-alertmanager-receiver
     - custom/matrix-bridge-appservice-discord
     - custom/matrix-bridge-appservice-slack