Merge 525601d0c7 into 67df140ef4

Upgrade Traefik (v3.1.2-1 -> v3.1.3-0)
Enable backfilling for mautrix-gmessages, mautrix-signal and mautrix-slack
2024-09-20 04:42:36 +02:00 · 2024-09-17 14:19:56 +03:00 · 2024-09-17 10:42:27 +03:00 · 2024-09-17 09:39:35 +03:00 · 2024-09-17 09:39:35 +03:00 · 2024-09-17 09:39:35 +03:00
21 changed files with 1363 additions and 922 deletions
--- a/docs/configuring-playbook-bridge-mautrix-gmessages.md
+++ b/docs/configuring-playbook-bridge-mautrix-gmessages.md
@ -14,14 +14,12 @@ matrix_mautrix_gmessages_enabled: true
 If you'd like to use [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do), you have 2 ways of going about it.
-### Method 1: automatically, by enabling Appservice Double Puppet or Shared Secret Auth
+### Method 1: automatically, by enabling Appservice Double Puppet
-The bridge will automatically perform Double Puppeting if you enable the [Appservice Double Puppet](configuring-playbook-appservice-double-puppet.md) service or the [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) service for this playbook.
+The bridge will automatically perform Double Puppeting if you enable the [Appservice Double Puppet](configuring-playbook-appservice-double-puppet.md) service for this playbook.
 Enabling [Appservice Double Puppet](configuring-playbook-appservice-double-puppet.md) is the recommended way of setting up Double Puppeting, as it's easier to accomplish, works for all your users automatically, and has less of a chance of breaking in the future.
 Enabling double puppeting by enabling the [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) service works at the time of writing, but is deprecated and will stop working in the future.
 ### Method 2: manually, by asking each user to provide a working access token
 **Note**: This method for enabling Double Puppeting can be configured only after you've already set up bridging (see [Usage](#usage)).
--- a/docs/configuring-playbook-bridge-mautrix-meta-instagram.md
+++ b/docs/configuring-playbook-bridge-mautrix-meta-instagram.md
@ -66,14 +66,12 @@ You may wish to look at `roles/custom/matrix-bridge-mautrix-meta-instagram/templ
 If you'd like to use [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do), you have 2 ways of going about it.
-### Method 1: automatically, by enabling Appservice Double Puppet or Shared Secret Auth
+### Method 1: automatically, by enabling Appservice Double Puppet
-The bridge will automatically perform Double Puppeting if you enable the [Appservice Double Puppet](configuring-playbook-appservice-double-puppet.md) service or the [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) service for this playbook.
+The bridge will automatically perform Double Puppeting if you enable the [Appservice Double Puppet](configuring-playbook-appservice-double-puppet.md) service for this playbook.
 Enabling [Appservice Double Puppet](configuring-playbook-appservice-double-puppet.md) is the recommended way of setting up Double Puppeting, as it's easier to accomplish, works for all your users automatically, and has less of a chance of breaking in the future.
 Enabling double puppeting by enabling the [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) service works at the time of writing, but is deprecated and will stop working in the future.
 ### Method 2: manually, by asking each user to provide a working access token
 **Note**: This method for enabling Double Puppeting can be configured only after you've already set up bridging (see [Usage](#usage)).
--- a/docs/configuring-playbook-bridge-mautrix-meta-messenger.md
+++ b/docs/configuring-playbook-bridge-mautrix-meta-messenger.md
@ -77,14 +77,12 @@ You may wish to look at `roles/custom/matrix-bridge-mautrix-meta-messenger/templ
 If you'd like to use [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do), you have 2 ways of going about it.
-### Method 1: automatically, by enabling Appservice Double Puppet or Shared Secret Auth
+### Method 1: automatically, by enabling Appservice Double Puppet
-The bridge will automatically perform Double Puppeting if you enable the [Appservice Double Puppet](configuring-playbook-appservice-double-puppet.md) service or the [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) service for this playbook.
+The bridge will automatically perform Double Puppeting if you enable the [Appservice Double Puppet](configuring-playbook-appservice-double-puppet.md) service for this playbook.
 Enabling [Appservice Double Puppet](configuring-playbook-appservice-double-puppet.md) is the recommended way of setting up Double Puppeting, as it's easier to accomplish, works for all your users automatically, and has less of a chance of breaking in the future.
 Enabling double puppeting by enabling the [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) service works at the time of writing, but is deprecated and will stop working in the future.
 ### Method 2: manually, by asking each user to provide a working access token
 **Note**: This method for enabling Double Puppeting can be configured only after you've already set up bridging (see [Usage](#usage)).
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@ -1497,17 +1497,13 @@ matrix_mautrix_meta_messenger_homeserver_address: "{{ matrix_addons_homeserver_c
 matrix_mautrix_meta_messenger_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.meta.fb.hs', rounds=655555) | to_uuid }}"
-matrix_mautrix_meta_messenger_bridge_login_shared_secret_map_auto: |-
+matrix_mautrix_meta_messenger_double_puppet_secrets_auto: |-
  {{
-    ({
+    {
      matrix_mautrix_meta_messenger_homeserver_domain: ("as_token:" + matrix_appservice_double_puppet_registration_as_token)
-    })
+    }
    if matrix_appservice_double_puppet_enabled
-    else (
+    else {}
      {matrix_mautrix_meta_messenger_homeserver_domain: matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret}
      if matrix_synapse_ext_password_provider_shared_secret_auth_enabled
      else {}
    )
  }}
 matrix_mautrix_meta_messenger_metrics_enabled: "{{ prometheus_enabled or matrix_metrics_exposure_enabled }}"
@ -1575,17 +1571,13 @@ matrix_mautrix_meta_instagram_homeserver_address: "{{ matrix_addons_homeserver_c
 matrix_mautrix_meta_instagram_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.meta.ig.hs', rounds=655555) | to_uuid }}"
-matrix_mautrix_meta_instagram_bridge_login_shared_secret_map_auto: |-
+matrix_mautrix_meta_instagram_double_puppet_secrets_auto: |-
  {{
-    ({
+    {
      matrix_mautrix_meta_instagram_homeserver_domain: ("as_token:" + matrix_appservice_double_puppet_registration_as_token)
-    })
+    }
    if matrix_appservice_double_puppet_enabled
-    else (
+    else {}
      {matrix_mautrix_meta_instagram_homeserver_domain: matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret}
      if matrix_synapse_ext_password_provider_shared_secret_auth_enabled
      else {}
    )
  }}
 matrix_mautrix_meta_instagram_metrics_enabled: "{{ prometheus_enabled or matrix_metrics_exposure_enabled }}"
@ -1806,15 +1798,13 @@ matrix_mautrix_gmessages_appservice_token: "{{ '%s' | format(matrix_homeserver_g
 matrix_mautrix_gmessages_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
 matrix_mautrix_gmessages_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'gmessa.hs.token', rounds=655555) | to_uuid }}"
-matrix_mautrix_gmessages_login_shared_secret: |-
+matrix_mautrix_gmessages_double_puppet_secrets_auto: |-
  {{
-    ("as_token:" + matrix_appservice_double_puppet_registration_as_token)
+    {
      matrix_mautrix_gmessages_homeserver_domain: ("as_token:" + matrix_appservice_double_puppet_registration_as_token)
    }
    if matrix_appservice_double_puppet_enabled
-    else (
+    else {}
      matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled
      if matrix_synapse_ext_password_provider_shared_secret_auth_enabled
      else ""
    )
  }}
 matrix_mautrix_gmessages_metrics_enabled: "{{ prometheus_enabled or matrix_metrics_exposure_enabled }}"
--- a/requirements.yml
+++ b/requirements.yml
@ -70,7 +70,7 @@
  version: v1.0.0-0
  name: timesync
 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git
-  version: v3.1.2-1
+  version: v3.1.3-0
  name: traefik
 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git
  version: v2.8.3-4
--- a/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml
+++ b/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml
@ -12,7 +12,7 @@ matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appser
 # matrix_appservice_irc_version used to contain the full Docker image tag (e.g. `release-X.X.X`).
 # It's a bare version number now. We try to somewhat retain compatibility below.
 # renovate: datasource=docker depName=docker.io/matrixdotorg/matrix-appservice-irc
-matrix_appservice_irc_version: 1.0.1
+matrix_appservice_irc_version: 3.0.1
 matrix_appservice_irc_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/matrix-appservice-irc:{{ matrix_appservice_irc_docker_image_tag }}"
 matrix_appservice_irc_docker_image_tag: "{{ 'latest' if matrix_appservice_irc_version == 'latest' else ('release-' + matrix_appservice_irc_version) }}"
 matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}"
@ -66,20 +66,25 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #     # It is also used in the Third Party Lookup API as the instance `desc`
 #     # property, where each server is an instance.
 #     name: "ExampleNet"
-
+#     # Additional addresses to connect to, used for load balancing between IRCDs.
 #     additionalAddresses: [ "irc2.example.com" ]
 #     # Typically additionalAddresses would be in addition to the address key given above,
 #     # but some configurations wish to exclusively use additional addresses while reserving
 #     # the top key for identification purposes. Set this to true to exclusively use the
 #     # additionalAddresses array when connecting to servers.
 #     onlyAdditionalAddresses: false
 #     #
 #     # [DEPRECATED] Use `name`, above, instead.
 #     # A human-readable description string
 #     # description: "Example.com IRC network"
-
+#
 #     # An ID for uniquely identifying this server amongst other servers being bridged.
 #     # networkId: "example"
-
+#
-#     # URL to an icon used as the network icon whenever this network appear in
+#     # MXC URL to an icon used as the network icon whenever this network appear in
-#     # a network list. (Like in the riot room directory, for instance.)
+#     # a network list. (Like in the Element room directory, for instance.)
-#     # icon: https://example.com/images/hash.png
+#     # icon: mxc://matrix.org/LpsSLrbANVrEIEOgEaVteItf
-
+#
 #     # The port to connect to. Optional.
 #     port: 6697
 #     # Whether to use SSL or not. Default: false.
@ -92,19 +97,25 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #     # Whether to allow expired certs when connecting to the IRC server.
 #     # Usually this should be off. Default: false.
 #     allowExpiredCerts: false
-#     # A specific CA to trust instead of the default CAs. Optional.
+#     # Set additional TLS options for the connections to the IRC server.
-#     #ca: |
+#     #tlsOptions:
-#     #  -----BEGIN CERTIFICATE-----
+#       # A specific CA to trust instead of the default CAs. Optional.
-#     #  ...
+#       #ca: |
-#     #  -----END CERTIFICATE-----
+#       #  -----BEGIN CERTIFICATE-----
-
+#       #  ...
 #       #  -----END CERTIFICATE-----
 #       # Server name for the SNI (Server Name Indication) TLS extension. If the address you
 #       # are using does not report the correct certificate name, you can override it here.
 #       # servername: real.server.name
 #       # ...or any options in https://nodejs.org/api/tls.html#tls_tls_connect_options_callback
 #
 #     #
 #     # The connection password to send for all clients as a PASS (or SASL, if enabled above) command. Optional.
 #     # password: 'pa$$w0rd'
 #     #
 #     # Whether or not to send connection/error notices to real Matrix users. Default: true.
 #     sendConnectionMessages: true
-
+#
 #     quitDebounce:
 #       # Whether parts due to net-splits are debounced for delayMs, to allow
 #       # time for the netsplit to resolve itself. A netsplit is detected as being
@ -124,13 +135,13 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #       delayMinMs: 3600000 # 1h
 #       # Default: 7200000, = 2h
 #       delayMaxMs: 7200000 # 2h
-
+#
 #     # A map for conversion of IRC user modes to Matrix power levels. This enables bridging
 #     # of IRC ops to Matrix power levels only, it does not enable the reverse. If a user has
 #     # been given multiple modes, the one that maps to the highest power level will be used.
 #     modePowerMap:
 #       o: 50
-
+#       v: 1
 #     botConfig:
 #       # Enable the presence of the bot in IRC channels. The bot serves as the entity
 #       # which maps from IRC -> Matrix. You can disable the bot entirely which
@ -153,6 +164,8 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #       enabled: true
 #       # The nickname to give the AS bot.
 #       nick: "MatrixBot"
 #       # The username to give to the AS bot. Defaults to "matrixbot"
 #       username: "matrixbot"
 #       # The password to give to NickServ or IRC Server for this nick. Optional.
 #       # password: "helloworld"
 #       #
@ -161,7 +174,7 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #       # real matrix users in them, even if there is a mapping for the channel.
 #       # Default: true
 #       joinChannelsIfNoUsers: true
-
+#
 #     # Configuration for PMs / private 1:1 communications between users.
 #     privateMessages:
 #       # Enable the ability for PMs to be sent to/from IRC/Matrix.
@ -170,12 +183,12 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #       # Prevent Matrix users from sending PMs to the following IRC nicks.
 #       # Optional. Default: [].
 #       # exclude: ["Alice", "Bob"] # NOT YET IMPLEMENTED
-
+#
 #       # Should created Matrix PM rooms be federated? If false, only users on the
 #       # HS attached to this AS will be able to interact with this room.
 #       # Optional. Default: true.
 #       federate: true
-
+#
 #     # Configuration for mappings not explicitly listed in the 'mappings'
 #     # section.
 #     dynamicChannels:
@ -189,27 +202,34 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #       # Should the AS publish the new Matrix room to the public room list so
 #       # anyone can see it? Default: true.
 #       published: true
 #       # Publish the rooms to the homeserver directory, as oppose to the appservice
 #       # room directory. Only used if `published` is on.
 #       # Default: false
 #       useHomeserverDirectory: true
 #       # What should the join_rule be for the new Matrix room? If 'public',
 #       # anyone can join the room. If 'invite', only users with an invite can
 #       # join the room. Note that if an IRC channel has +k or +i set on it,
 #       # join_rules will be set to 'invite' until these modes are removed.
 #       # Default: "public".
 #       joinRule: public
 #       # This will set the m.room.related_groups state event in newly created rooms
 #       # with the given groupId. This means flares will show up on IRC users in those rooms.
 #       # This should be set to the same thing as namespaces.users.group_id in irc_registration.
 #       # This does not alter existing rooms.
 #       # Leaving this option empty will not set the event.
 #       groupId: +myircnetwork:localhost
 #       # Should created Matrix rooms be federated? If false, only users on the
 #       # HS attached to this AS will be able to interact with this room.
 #       # Default: true.
 #       federate: true
 #       # Force this room version when creating IRC channels. Beware if the homeserver doesn't
 #       # support the room version then the request will fail. By default, no version is requested.
 #       # roomVersion: "1"
 #       # The room alias template to apply when creating new aliases. This only
 #       # applies if createAlias is 'true'. The following variables are exposed:
 #       # $SERVER => The IRC server address (e.g. "irc.example.com")
 #       # $CHANNEL => The IRC channel (e.g. "#python")
 #       # This MUST have $CHANNEL somewhere in it.
 #       #
 #       # In certain circumstances you might want to bridge your whole IRC network as a
 #       # homeserver (e.g. #matrix:libera.chat). For these use cases, you can set the
 #       # template to just be $CHANNEL. Doing so will preclude you from supporting
 #       # other prefix characters though.
 #       #
 #       # Default: '#irc_$SERVER_$CHANNEL'
 #       aliasTemplate: "#irc_$CHANNEL"
 #       # A list of user IDs which the AS bot will send invites to in response
@ -221,7 +241,11 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #       # Prevent the given list of channels from being mapped under any
 #       # circumstances.
 #       # exclude: ["#foo", "#bar"]
-
+#
 #     # excludedUsers:
 #     #   - regex: "@.*:evilcorp.com"
 #     #     kickReason: "We don't like Evilcorp"
 #
 #     # Configuration for controlling how Matrix and IRC membership lists are
 #     # synced.
 #     membershipLists:
@ -230,12 +254,12 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #       # synced. This must be enabled for anything else in this section to take
 #       # effect. Default: false.
 #       enabled: false
-
+#
 #       # Syncing membership lists at startup can result in hundreds of members to
 #       # process all at once. This timer drip feeds membership entries at the
 #       # specified rate. Default: 10000. (10s)
 #       floodDelayMs: 10000
-
+#
 #       global:
 #         ircToMatrix:
 #           # Get a snapshot of all real IRC users on a channel (via NAMES) and
@ -244,7 +268,14 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #           # Make virtual matrix clients join and leave rooms as their real IRC
 #           # counterparts join/part channels. Default: false.
 #           incremental: false
-
+#           # Should the bridge check if all Matrix users are connected to IRC and
 #           # joined to the channel before relaying messages into the room.
 #           #
 #           # This is considered a safety net to avoid any leakages by the bridge to
 #           # unconnected users, but given it ignores all IRC messages while users
 #           # are still connecting it may be overkill.
 #           requireMatrixJoined: false
 #
 #         matrixToIrc:
 #           # Get a snapshot of all real Matrix users in the room and join all of
 #           # them to the mapped IRC channel on startup. Default: false.
@ -253,21 +284,32 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #           # counterparts join/leave rooms. Make sure your 'maxClients' value is
 #           # high enough! Default: false.
 #           incremental: false
-
+#
 #       # Apply specific rules to Matrix rooms. Only matrix-to-IRC takes effect.
 #       rooms:
 #         - room: "!fuasirouddJoxtwfge:localhost"
 #           matrixToIrc:
 #             initial: false
 #             incremental: false
-
+#
 #       # Apply specific rules to IRC channels. Only IRC-to-matrix takes effect.
 #       channels:
 #         - channel: "#foo"
 #           ircToMatrix:
 #             initial: false
 #             incremental: false
-
+#             requireMatrixJoined: false
 #
 #       # Should the bridge ignore users which are not considered active on the bridge
 #       # during startup
 #       ignoreIdleUsersOnStartup:
 #         enabled: true
 #         # How many hours can a user be considered idle for before they are considered
 #         # ignoreable
 #         idleForHours: 720
 #         # A regex which will exclude matching MXIDs from this check.
 #         exclude: "foobar"
 #
 #     mappings:
 #       # 1:many mappings from IRC channels to room IDs on this IRC server.
 #       # The matrix room must already exist. Your matrix client should expose
@ -277,27 +319,27 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #         # Channel key/password to use. Optional. If provided, matrix users do
 #         # not need to know the channel key in order to join the channel.
 #         # key: "secret"
-
+#
 #     # Configuration for virtual matrix users. The following variables are
 #     # exposed:
 #     # $NICK => The IRC nick
 #     # $SERVER => The IRC server address (e.g. "irc.example.com")
 #     matrixClients:
 #       # The user ID template to use when creating virtual matrix users. This
-#       # MUST have $NICK somewhere in it.
+#       # MUST start with an @ and have $NICK somewhere in it.
 #       # Optional. Default: "@$SERVER_$NICK".
 #       # Example: "@irc.example.com_Alice:example.com"
 #       userTemplate: "@irc_$NICK"
 #       # The display name to use for created matrix clients. This should have
 #       # $NICK somewhere in it if it is specified. Can also use $SERVER to
 #       # insert the IRC domain.
-#       # Optional. Default: "$NICK (IRC)". Example: "Alice (IRC)"
+#       # Optional. Default: "$NICK". Example: "Alice"
-#       displayName: "$NICK (IRC)"
+#       displayName: "$NICK"
 #       # Number of tries a client can attempt to join a room before the request
 #       # is discarded. You can also use -1 to never retry or 0 to never give up.
 #       # Optional. Default: -1
 #       joinAttempts: -1
-
+#
 #     # Configuration for virtual IRC users. The following variables are exposed:
 #     # $LOCALPART => The user ID localpart ("alice" in @alice:localhost)
 #     # $USERID => The user ID
@ -326,9 +368,20 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #         # connected user. If not specified, all users will connect from the same
 #         # (default) address. This may require additional OS-specific work to allow
 #         # for the node process to bind to multiple different source addresses
-#         # e.g IP_FREEBIND on Linux, which requires an LD_PRELOAD with the library
+#         # Linux kernels 4.3+ support sysctl net.ipv6.ip_nonlocal_bind=1
 #         # Older kernels will need IP_FREEBIND, which requires an LD_PRELOAD with the library
 #         # https://github.com/matrix-org/freebindfree as Node does not expose setsockopt.
 #         # prefix: "2001:0db8:85a3::"  # modify appropriately
 #
 #         # Optional. Define blocks of IPv6 addresses for different homeservers
 #         # which can be used to restrict users of those homeservers to a given
 #         # IP. These blocks should be considered immutable once set, as changing
 #         # the startFrom value will NOT adjust existing IP addresses.
 #         # Changing the startFrom value to a lower value may conflict with existing clients.
 #         # Multiple homeservers may NOT share blocks.
 #         blocks:
 #           - homeserver: another-server.org
 #             startFrom: '10:0000'
 #       #
 #       # The maximum amount of time in seconds that the client can exist
 #       # without sending another message before being disconnected. Use 0 to
@ -365,6 +418,25 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #       # through the bridge e.g. caller ID as there is no way to /ACCEPT.
 #       # Default: "" (no user modes)
 #       # userModes: "R"
 #       # The format of the realname defined for users, either mxid or reverse-mxid
 #       realnameFormat: "mxid"
 #       # The minimum time to wait between connection attempts if we were disconnected
 #       # due to throttling.
 #       # pingTimeoutMs: 600000
 #       # The rate at which to send pings to the IRCd if the client is being quiet for a while.
 #       # Whilst the IRCd *should* be sending pings to us to keep the connection alive, it appears
 #       # that sometimes they don't get around to it and end up ping timing us out.
 #       # pingRateMs: 60000
 #       # Choose which conditions the IRC bridge should kick Matrix users for. Decisions to this from
 #       # defaults should be taken with care as it may dishonestly repesent Matrix users on the IRC
 #       # network, and cause your bridge to be banned.
 #       kickOn:
 #         # Kick a Matrix user from a bridged room if they fail to join the IRC channel.
 #         channelJoinFailure: true
 #         # Kick a Matrix user from ALL rooms if they are unable to get connected to IRC.
 #         ircConnectionFailure: true
 #         # Kick a Matrix user from ALL rooms if they choose to QUIT the IRC network.
 #         userQuit: true
 # Controls whether the matrix-appservice-discord container exposes its HTTP port (tcp/9999 in the container).
 #
--- a/roles/custom/matrix-bridge-appservice-irc/templates/config.yaml.j2
+++ b/roles/custom/matrix-bridge-appservice-irc/templates/config.yaml.j2
@ -1,14 +1,13 @@
 #jinja2: lstrip_blocks: True
 #
 # Based on https://github.com/matrix-org/matrix-appservice-irc/blob/8daebec7779a2480180cbc4c293838de649aab36/config.sample.yaml
 #
 # Configuration specific to AS registration. Unless other marked, all fields
 # are *REQUIRED*.
 # Unless otherwise specified, these keys CANNOT be hot-reloaded.
 homeserver:
-  # The URL to the home server for client-server API calls, also used to form the
+  # The URL to the home server for client-server API calls
-  # media URLs as displayed in bridged IRC channels:
+  url: "{{ matrix_appservice_irc_homeserver_url }}"
  url: {{ matrix_appservice_irc_homeserver_url }}
  #
  # The URL of the homeserver hosting media files. This is only used to transform
  # mxc URIs to http URIs when bridging m.room.[file|image] events. Optional. By
  # default, this is the homeserver URL, specified above.
  #
  media_url: {{ matrix_appservice_irc_homeserver_media_url }}
  # Drop Matrix messages which are older than this number of seconds, according to
  # the event's origin_server_ts.
@ -20,41 +19,40 @@ homeserver:
  # clock times and hence produce different origin_server_ts values, which may be old
  # enough to cause *all* events from the homeserver to be dropped.
  # Default: 0 (don't ever drop)
  # This key CAN be hot-reloaded.
  # dropMatrixMessagesAfterSecs: 300 # 5 minutes
  # The 'domain' part for user IDs on this home server. Usually (but not always)
  # is the "domain name" part of the HS URL.
-  domain: {{ matrix_appservice_irc_homeserver_domain }}
+  domain: "{{ matrix_appservice_irc_homeserver_domain }}"
  # Should presence be enabled for matrix clients on this bridge. If disabled on the
  # homeserver then it should also be disabled here to avoid excess traffic.
  # Default: true
  enablePresence: {{ matrix_appservice_irc_homeserver_enablePresence|to_json }}
  # Which port should the appservice bind to. Can be overriden by the one provided in the
  # command line! Optional.
  # bindPort: 8090
  # Use this option to force the appservice to listen on another hostname for transactions.
  # This is NOT your synapse hostname. E.g. use 127.0.0.1 to only listen locally. Optional.
  # bindHostname: 0.0.0.0
 # Configuration specific to the IRC service
 ircService:
-  # WARNING: The bridge needs to send plaintext passwords to the IRC server, it cannot
+  # All server keys can be hot-reloaded, however existing IRC connections
-  # send a password hash. As a result, passwords (NOT hashes) are stored encrypted in
+  # will not have changes applied to them.
  # the database.
  #
  # To generate a .pem file:
  # $ openssl genpkey -out passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048
  #
  # The path to the RSA PEM-formatted private key to use when encrypting IRC passwords
  # for storage in the database. Passwords are stored by using the admin room command
  # `!storepass server.name passw0rd. When a connection is made to IRC on behalf of
  # the Matrix user, this password will be sent as the server password (PASS command).
  passwordEncryptionKeyPath: "/data/passkey.pem" # does not typically need modification
  # Config for Matrix -> IRC bridging
  matrixHandler:
    # Cache this many matrix events in memory to be used for m.relates_to messages (usually replies).
    eventCacheSize: 4096
  servers: {{ matrix_appservice_irc_ircService_servers|to_json }}
  # present relevant UI to the user. MSC2346
  bridgeInfoState:
    enabled: false
    initial: false
  # Configuration for an ident server. If you are running a public bridge it is
  # advised you setup an ident server so IRC mods can ban specific matrix users
  # rather than the application service itself.
  # This key CANNOT be hot-reloaded
  ident:
    # True to listen for Ident requests and respond with the
    # matrix user's user_id (converted to ASCII, respecting RFC 1413).
@ -71,49 +69,62 @@ ircService:
    # Default: 0.0.0.0
    address: "::"
  # Encoding fallback - which text encoding to try if text is not UTF-8. Default: not set.
  # List of supported encodings: https://www.npmjs.com/package/iconv#supported-encodings
  # encodingFallback: "ISO-8859-15"
  # Configuration for logging. Optional. Default: console debug level logging
  # only.
  logging:
    # Level to log on console/logfile. One of error|warn|info|debug
    level: "debug"
    # The file location to log to. This is relative to the project directory.
-    #logfile: "debug.log"
+    logfile: "debug.log"
    # The file location to log errors to. This is relative to the project
    # directory.
-    #errfile: "errors.log"
+    errfile: "errors.log"
    # Whether to log to the console or not.
    toConsole: true
    # The max number of files to keep. Files will be overwritten eventually due
    # to rotations.
    maxFiles: 5
  # Optional. Enable Prometheus metrics. If this is enabled, you MUST install `prom-client`:
  #   $ npm install prom-client@6.3.0
  # Metrics will then be available via GET /metrics on the bridge listening port (-p).
  # This key CANNOT be hot-reloaded
  metrics:
    # Whether to actually enable the metric endpoint. Default: false
    enabled: true
    # Which port to listen on (omit to listen on the bindPort)
    #port: 7001
    # Which hostname to listen on (omit to listen on 127.0.0.1), requires port to be set
    host: 127.0.0.1
    # When determining activeness of remote and matrix users, cut off at this number of hours.
    userActivityThresholdHours: 72 # 3 days
    # When collecting remote user active times, which "buckets" should be used. Defaults are given below.
    # The bucket name is formed of a duration and a period. (h=hours,d=days,w=weeks).
    remoteUserAgeBuckets:
      - "1h"
      - "1d"
      - "1w"
  # Configuration for the provisioning API.
-  #
+  # This key CANNOT be hot-reloaded
  # GET /_matrix/provision/link
  # GET /_matrix/provision/unlink
  # GET /_matrix/provision/listlinks
  #
  provisioning:
    # True to enable the provisioning HTTP endpoint. Default: false.
    enabled: false
-    # The number of seconds to wait before giving up on getting a response from
+    # Whether to enable hosting the setup widget page. Default: false.
-    # an IRC channel operator. If the channel operator does not respond within the
+    widget: false
-    # allotted time period, the provisioning request will fail.
+
-    # Default: 300 seconds (5 mins)
+  # Config for the media proxy, required to serve publically accessible URLs to authenticated Matrix media
-    requestTimeoutSeconds: 300
+  mediaProxy:
    # To generate a .jwk file:
    # $ node src/generate-signing-key.js > signingkey.jwk
    signingKeyPath: "signingkey.jwk"
    # How long should the generated URLs be valid for
    ttlSeconds: 3600
    # The port for the media proxy to listen on
    bindPort: 11111
    # The publically accessible URL to the media proxy
    publicUrl: "https://irc.bridge/media"
 # Options here are generally only applicable to large-scale bridges and may have
 # consequences greater than other options in this configuration file.
@ -122,13 +133,18 @@ advanced:
  # however for large bridges it is important to rate limit the bridge to avoid
  # accidentally overloading the homeserver. Defaults to 1000, which should be
  # enough for the vast majority of use cases.
  # This key CAN be hot-reloaded
  maxHttpSockets: 1000
  # Max size of an appservice transaction payload, in bytes. Defaults to 10Mb
  # This key CANNOT be hot-reloaded.
  maxTxnSize: 10000000
 # Use an external database to store bridge state.
 # This key CANNOT be hot-reloaded.
 database:
  # database engine (must be 'postgres' or 'nedb'). Default: nedb
  engine: {{ matrix_appservice_irc_database_engine|to_json }}
  # Either a PostgreSQL connection string, or a path to the NeDB storage directory.
  # For postgres, it must start with postgres://
  # For NeDB, it must start with nedb://. The path is relative to the project directory.
-  connectionString: {{ matrix_appservice_irc_database_connectionString|to_json }}
+  connectionString: {{ matrix_appservice_irc_database_connectionString
--- a/roles/custom/matrix-bridge-mautrix-gmessages/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-gmessages/defaults/main.yml
@ -9,7 +9,7 @@ matrix_mautrix_gmessages_container_image_self_build_repo: "https://github.com/ma
 matrix_mautrix_gmessages_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_gmessages_version == 'latest' else matrix_mautrix_gmessages_version }}"
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/gmessages
-matrix_mautrix_gmessages_version: v0.4.3
+matrix_mautrix_gmessages_version: v0.5.0
 # See: https://mau.dev/mautrix/gmessages/container_registry
 matrix_mautrix_gmessages_docker_image: "{{ matrix_mautrix_gmessages_docker_image_name_prefix }}mautrix/gmessages:{{ matrix_mautrix_gmessages_version }}"
@ -25,6 +25,12 @@ matrix_mautrix_gmessages_homeserver_address: ""
 matrix_mautrix_gmessages_homeserver_domain: "{{ matrix_domain }}"
 matrix_mautrix_gmessages_appservice_address: "http://matrix-mautrix-gmessages:8080"
 matrix_mautrix_gmessages_backfill_enabled: true
 matrix_mautrix_gmessages_backfill_max_initial_messages: 50
 matrix_mautrix_gmessages_backfill_max_catchup_messages: 500
 matrix_mautrix_gmessages_backfill_unread_hours_threshold: 720
 matrix_mautrix_gmessages_backfill_threads_max_initial_messages: 50
 matrix_mautrix_gmessages_command_prefix: "!gm"
 matrix_mautrix_gmessages_container_network: ""
@ -132,18 +138,23 @@ matrix_mautrix_gmessages_appservice_database_uri: "{{
 	}[matrix_mautrix_gmessages_database_engine]
 }}"
-# Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth) or Appservice Double Puppet.
+matrix_mautrix_gmessages_double_puppet_secrets: "{{ matrix_mautrix_gmessages_double_puppet_secrets_auto | combine(matrix_mautrix_gmessages_double_puppet_secrets_custom) }}"
-matrix_mautrix_gmessages_login_shared_secret: ''
+matrix_mautrix_gmessages_double_puppet_secrets_auto: {}
-matrix_mautrix_gmessages_bridge_login_shared_secret_map:
+matrix_mautrix_gmessages_double_puppet_secrets_custom: {}
  "{{ {matrix_mautrix_gmessages_homeserver_domain: matrix_mautrix_gmessages_login_shared_secret} if matrix_mautrix_gmessages_login_shared_secret else {} }}"
 # Enable End-to-bridge encryption
 matrix_mautrix_gmessages_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}"
 matrix_mautrix_gmessages_bridge_encryption_default: "{{ matrix_bridges_encryption_default }}"
 matrix_mautrix_gmessages_bridge_encryption_require: false
 matrix_mautrix_gmessages_bridge_encryption_appservice: false
 matrix_mautrix_gmessages_bridge_encryption_key_sharing_allow: "{{ matrix_mautrix_gmessages_bridge_encryption_allow }}"
 matrix_mautrix_gmessages_network_displayname_template: "{% raw %}{{or .FullName .PhoneNumber}}{% endraw %}"
 matrix_mautrix_gmessages_appservice_username_template: "{% raw %}gmessages_{{.}}{% endraw %}"
 matrix_mautrix_gmessages_public_media_signing_key: ''
 matrix_mautrix_gmessages_bridge_personal_filtering_spaces: true
 matrix_mautrix_gmessages_bridge_mute_bridging: true
 matrix_mautrix_gmessages_bridge_permissions: |
  {{
--- a/roles/custom/matrix-bridge-mautrix-gmessages/tasks/validate_config.yml
+++ b/roles/custom/matrix-bridge-mautrix-gmessages/tasks/validate_config.yml
@ -22,3 +22,6 @@
  when: "item.old in vars"
  with_items:
    - {'old': 'matrix_mautrix_gmessages_log_level', 'new': 'matrix_mautrix_gmessages_logging_level'}
    - {'old': 'matrix_mautrix_gmessages_bridge_mute_bridging', 'new': '<removed>'}
    - {'old': 'matrix_mautrix_gmessages_login_shared_secret', 'new': '<removed>'}
    - {'old': 'matrix_mautrix_gmessages_bridge_login_shared_secret_map', 'new': 'matrix_mautrix_gmessages_double_puppet_secrets_custom'}
--- a/roles/custom/matrix-bridge-mautrix-gmessages/templates/config.yaml.j2
+++ b/roles/custom/matrix-bridge-mautrix-gmessages/templates/config.yaml.j2
@ -1,20 +1,172 @@
 #jinja2: lstrip_blocks: "True"
 # Network-specific config options
 network:
    # Displayname template for SMS users.
    # {% raw %}{{.FullName}}{% endraw %} - Full name provided by the phone
    # {% raw %}{{.FirstName}}{% endraw %} - First name provided by the phone
    # {% raw %}{{.PhoneNumber}}{% endraw %} - Formatted phone number provided by the phone
    displayname_template: {{ matrix_mautrix_gmessages_network_displayname_template | to_json }}
    # Settings for how the bridge appears to the phone.
    device_meta:
        # OS name to tell the phone. This is the name that shows up in the paired devices list.
        os: mautrix-gmessages
        # Browser type to tell the phone. This decides which icon is shown.
        # Valid types: OTHER, CHROME, FIREFOX, SAFARI, OPERA, IE, EDGE
        browser: OTHER
        # Device type to tell the phone. This also affects the icon, as well as how many sessions are allowed simultaneously.
        # One web, two tablets and one PWA should be able to connect at the same time.
        # Valid types: WEB, TABLET, PWA
        type: TABLET
    # Should the bridge aggressively set itself as the active device if the user opens Google Messages in a browser?
    # If this is disabled, the user must manually use the `set-active` command to reactivate the bridge.
    aggressive_reconnect: false
    # Number of chats to sync when connecting to Google Messages.
    initial_chat_sync_count: 25
 # Config options that affect the central bridge module.
 bridge:
    # The prefix for commands. Only required in non-management rooms.
    command_prefix: '!gm'
    # Should the bridge create a space for each login containing the rooms that account is in?
    personal_filtering_spaces: {{ matrix_mautrix_gmessages_bridge_personal_filtering_spaces | to_json }}
    # Whether the bridge should set names and avatars explicitly for DM portals.
    # This is only necessary when using clients that don't support MSC4171.
    private_chat_portal_meta: false
    # Should events be handled asynchronously within portal rooms?
    # If true, events may end up being out of order, but slow events won't block other ones.
    async_events: false
    # Should every user have their own portals rather than sharing them?
    # By default, users who are in the same group on the remote network will be
    # in the same Matrix room bridged to that group. If this is set to true,
    # every user will get their own Matrix room instead.
    split_portals: false
    # Should the bridge resend `m.bridge` events to all portals on startup?
    resend_bridge_info: false
    # Should leaving Matrix rooms be bridged as leaving groups on the remote network?
    bridge_matrix_leave: false
    # Should room tags only be synced when creating the portal? Tags mean things like favorite/pin and archive/low priority.
    # Tags currently can't be synced back to the remote network, so a continuous sync means tagging from Matrix will be undone.
    tag_only_on_create: true
    # Should room mute status only be synced when creating the portal?
    # Like tags, mutes can't currently be synced back to the remote network.
    mute_only_on_create: true
    # What should be done to portal rooms when a user logs out or is logged out?
    # Permitted values:
    #   nothing - Do nothing, let the user stay in the portals
    #   kick - Remove the user from the portal rooms, but don't delete them
    #   unbridge - Remove all ghosts in the room and disassociate it from the remote chat
    #   delete - Remove all ghosts and users from the room (i.e. delete it)
    cleanup_on_logout:
        # Should cleanup on logout be enabled at all?
        enabled: false
        # Settings for manual logouts (explicitly initiated by the Matrix user)
        manual:
            # Action for private portals which will never be shared with other Matrix users.
            private: nothing
            # Action for portals with a relay user configured.
            relayed: nothing
            # Action for portals which may be shared, but don't currently have any other Matrix users.
            shared_no_users: nothing
            # Action for portals which have other logged-in Matrix users.
            shared_has_users: nothing
        # Settings for credentials being invalidated (initiated by the remote network, possibly through user action).
        # Keys have the same meanings as in the manual section.
        bad_credentials:
            private: nothing
            relayed: nothing
            shared_no_users: nothing
            shared_has_users: nothing
    # Settings for relay mode
    relay:
        # Whether relay mode should be allowed. If allowed, the set-relay command can be used to turn any
        # authenticated user into a relaybot for that chat.
        enabled: false
        # Should only admins be allowed to set themselves as relay users?
        # If true, non-admins can only set users listed in default_relays as relays in a room.
        admin_only: true
        # List of user login IDs which anyone can set as a relay, as long as the relay user is in the room.
        default_relays: []
        # The formats to use when sending messages via the relaybot.
        # Available variables:
        #   .Sender.UserID - The Matrix user ID of the sender.
        #   .Sender.Displayname - The display name of the sender (if set).
        #   .Sender.RequiresDisambiguation - Whether the sender's name may be confused with the name of another user in the room.
        #   .Sender.DisambiguatedName - The disambiguated name of the sender. This will be the displayname if set,
        #                               plus the user ID in parentheses if the displayname is not unique.
        #                               If the displayname is not set, this is just the user ID.
        #   .Message - The `formatted_body` field of the message.
        #   .Caption - The `formatted_body` field of the message, if it's a caption. Otherwise an empty string.
        #   .FileName - The name of the file being sent.
        message_formats:
            m.text: "{% raw %}<b>{{ .Sender.DisambiguatedName }}</b>: {{ .Message }}{% endraw %}"
            m.notice: "{% raw %}<b>{{ .Sender.DisambiguatedName }}</b>: {{ .Message }}{% endraw %}"
            m.emote: "{% raw %}* <b>{{ .Sender.DisambiguatedName }}</b> {{ .Message }}{% endraw %}"
            m.file: "{% raw %}<b>{{ .Sender.DisambiguatedName }}</b> sent a file{{ if .Caption }}: {{ .Caption }}{{ end }}{% endraw %}"
            m.image: "{% raw %}<b>{{ .Sender.DisambiguatedName }}</b> sent an image{{ if .Caption }}: {{ .Caption }}{{ end }}{% endraw %}"
            m.audio: "{% raw %}<b>{{ .Sender.DisambiguatedName }}</b> sent an audio file{{ if .Caption }}: {{ .Caption }}{{ end }}{% endraw %}"
            m.video: "{% raw %}<b>{{ .Sender.DisambiguatedName }}</b> sent a video{{ if .Caption }}: {{ .Caption }}{{ end }}{% endraw %}"
            m.location: "{% raw %}<b>{{ .Sender.DisambiguatedName }}</b> sent a location{{ if .Caption }}: {{ .Caption }}{{ end }}{% endraw %}"
        # For networks that support per-message displaynames (i.e. Slack and Discord), the template for those names.
        # This has all the Sender variables available under message_formats (but without the .Sender prefix).
        # Note that you need to manually remove the displayname from message_formats above.
        displayname_format: "{% raw %}{{ .DisambiguatedName }}{% endraw %}"
    # Permissions for using the bridge.
    # Permitted values:
    #    relay - Talk through the relaybot (if enabled), no access otherwise
    # commands - Access to use commands in the bridge, but not login.
    #     user - Access to use the bridge with puppeting.
    #    admin - Full access, user level with some additional administration tools.
    # Permitted keys:
    #        * - All Matrix users
    #   domain - All users on that homeserver
    #     mxid - Specific user
    permissions: {{ matrix_mautrix_gmessages_bridge_permissions|to_json }}
 # Config for the bridge's database.
 database:
    # The database type. "sqlite3-fk-wal" and "postgres" are supported.
    type: postgres
    # The database URI.
    #   SQLite: A raw file path is supported, but `file:<path>?_txlock=immediate` is recommended.
    #           https://github.com/mattn/go-sqlite3#connection-string
    #   Postgres: Connection string. For example, postgres://user:password@host/database?sslmode=disable
    #             To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql
    uri: {{ matrix_mautrix_gmessages_appservice_database_uri|to_json }}
    # Maximum number of connections.
    max_open_conns: 5
    max_idle_conns: 1
    # Maximum connection idle time and lifetime before they're closed. Disabled if null.
    # Parsed with https://pkg.go.dev/time#ParseDuration
    max_conn_idle_time: null
    max_conn_lifetime: null
 # Homeserver details.
 homeserver:
    # The address that this appservice can use to connect to the homeserver.
-    address: {{ matrix_mautrix_gmessages_homeserver_address }}
+    # Local addresses without HTTPS are generally recommended when the bridge is running on the same machine,
    # but https also works if they run on different machines.
    address: http://example.localhost:8008
    # The domain of the homeserver (also known as server_name, used for MXIDs, etc).
-    domain: {{ matrix_mautrix_gmessages_homeserver_domain }}
+    domain: example.com
    # What software is the homeserver running?
    # Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here.
    software: standard
    # The URL to push real-time bridge status to.
-    # If set, the bridge will make POST requests to this URL whenever a user's google messages connection state changes.
+    # If set, the bridge will make POST requests to this URL whenever a user's remote network connection state changes.
    # The bridge will use the appservice as_token to authorize requests.
-    status_endpoint: null
+    status_endpoint:
    # Endpoint for reporting per-message status.
-    message_send_checkpoint_endpoint: null
+    # If set, the bridge will make POST requests to this URL when processing a message from Matrix.
    # It will make one request when receiving the message (step BRIDGE), one after decrypting if applicable
    # (step DECRYPTED) and one after sending to the remote network (step REMOTE). Errors will also be reported.
    # The bridge will use the appservice as_token to authorize requests.
    message_send_checkpoint_endpoint:
    # Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246?
    async_media: false
@ -26,33 +178,19 @@ homeserver:
    ping_interval_seconds: 0
 # Application service host/registration related details.
-# Changing these values requires regeneration of the registration.
+# Changing these values requires regeneration of the registration (except when noted otherwise)
 appservice:
    # The address that the homeserver can use to connect to this appservice.
    address: {{ matrix_mautrix_gmessages_appservice_address }}
    # A public address that external services can use to reach this appservice.
    # This value doesn't affect the registration file.
    public_address: https://bridge.example.com
    # The hostname and port where this appservice should listen.
    # For Docker, you generally have to change the hostname to 0.0.0.0.
    hostname: 0.0.0.0
    port: 8080
    # Database config.
    database:
        # The database type. "sqlite3-fk-wal" and "postgres" are supported.
        type: postgres
        # The database URI.
        #   SQLite: A raw file path is supported, but `file:<path>?_txlock=immediate` is recommended.
        #           https://github.com/mattn/go-sqlite3#connection-string
        #   Postgres: Connection string. For example, postgres://user:password@host/database?sslmode=disable
        #             To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql
        uri: {{ matrix_mautrix_gmessages_appservice_database_uri|to_json }}
        # Maximum number of connections. Mostly relevant for Postgres.
        max_open_conns: 20
        max_idle_conns: 2
        # Maximum connection idle time and lifetime before they're closed. Disabled if null.
        # Parsed with https://pkg.go.dev/time#ParseDuration
        max_conn_idle_time: null
        max_conn_lifetime: null
    # The unique ID of this appservice.
    id: gmessages
    # Appservice bot details.
@ -64,229 +202,223 @@ appservice:
        displayname: Google Messages bridge bot
        avatar: mxc://maunium.net/yGOdcrJcwqARZqdzbfuxfhzb
-    # Whether or not to receive ephemeral events via appservice transactions.
+    # Whether to receive ephemeral events via appservice transactions.
    # Requires MSC2409 support (i.e. Synapse 1.22+).
    ephemeral_events: true
    # Should incoming events be handled asynchronously?
    # This may be necessary for large public instances with lots of messages going through.
    # However, messages will not be guaranteed to be bridged in the same order they were sent in.
    # This value doesn't affect the registration file.
    async_transactions: false
    # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
-    as_token: "{{ matrix_mautrix_gmessages_appservice_token }}"
+    as_token: {{ matrix_mautrix_gmessages_appservice_token | to_json }}
-    hs_token: "{{ matrix_mautrix_gmessages_homeserver_token }}"
+    hs_token: {{ matrix_mautrix_gmessages_homeserver_token | to_json }}
-# Segment API key to track some events, like provisioning API login and encryption errors.
+    # Localpart template of MXIDs for remote users.
-segment_key: null
+    # {% raw %}{{.}}{% endraw %} is replaced with the internal ID of the user.
-# Optional user_id to use when sending Segment events. If null, defaults to using mxID.
+    username_template: {{ matrix_mautrix_gmessages_appservice_username_template | to_json }}
 segment_user_id: null
-# Prometheus config.
+# Config options that affect the Matrix connector of the bridge.
-metrics:
+matrix:
    # Enable prometheus metrics?
    enabled: {{ matrix_mautrix_gmessages_metrics_enabled | to_json }}
    # IP and port where the metrics listener should be. The path is always /metrics
    listen: 0.0.0.0:8001
 google_messages:
    # OS name to tell the phone. This is the name that shows up in the paired devices list.
    os: mautrix-gmessages
    # Browser type to tell the phone. This decides which icon is shown.
    # Valid types: OTHER, CHROME, FIREFOX, SAFARI, OPERA, IE, EDGE
    browser: OTHER
    # Should the bridge aggressively set itself as the active device if the user opens Google Messages in a browser?
    # If this is disabled, the user must manually use the `reconnect` command to reactivate the bridge.
    aggressive_reconnect: false
 # Bridge config
 bridge:
    # Localpart template of MXIDs for SMS users.
    # {{ '{{.}}' }} is replaced with an identifier of the recipient.
    username_template: "{{ 'gmessages_{{.}}' }}"
    # Displayname template for SMS users.
    # {{ '{{.FullName}}' }} - Full name provided by the phone
    # {{ '{{.FirstName}}' }} - First name provided by the phone
    # {{ '{{.PhoneNumber}}' }} - Formatted phone number provided by the phone
    displayname_template: "{{ '{{or .FullName .PhoneNumber}}' }}"
    # Should the bridge create a space for each logged-in user and add bridged rooms to it?
    personal_filtering_spaces: {{ matrix_mautrix_gmessages_bridge_personal_filtering_spaces | to_json }}
    # Should the bridge send a read receipt from the bridge bot when a message has been sent to the phone?
    delivery_receipts: false
    # Whether the bridge should send the message status as a custom com.beeper.message_send_status event.
    message_status_events: false
    # Whether the bridge should send a read receipt after successfully bridging a message.
    delivery_receipts: false
    # Whether the bridge should send error notices via m.notice events when a message fails to bridge.
    message_error_notices: true
-
+    # Whether the bridge should update the m.direct account data event when double puppeting is enabled.
    portal_message_buffer: 128
    # Should the bridge update the m.direct account data event when double puppeting is enabled.
    # Note that updating the m.direct event is not atomic (except with mautrix-asmux)
    # and is therefore prone to race conditions.
    sync_direct_chat_list: false
-    # Number of chats to sync when connecting to Google Messages.
+    # Whether created rooms should have federation enabled. If false, created portal rooms
-    initial_chat_sync_count: 25
+    # will never be federated. Changing this option requires recreating rooms.
-    # Backfill settings
+    federate_rooms: {{ matrix_mautrix_gmessages_federate_rooms | to_json }}
-    backfill:
+    # The threshold as bytes after which the bridge should roundtrip uploads via the disk
-        # Number of messages to backfill in new chats.
+    # rather than keeping the whole file in memory.
-        initial_limit: 50
+    upload_file_threshold: 5242880
        # Number of messages to backfill on startup if the last message ID in the chat sync doesn't match the last bridged message.
        missed_limit: 100
-    # Servers to always allow double puppeting from
+# Segment-compatible analytics endpoint for tracking some events, like provisioning API login and encryption errors.
-    double_puppet_server_map:
+analytics:
-        "{{ matrix_mautrix_gmessages_homeserver_domain }}": {{ matrix_mautrix_gmessages_homeserver_address }}
+    # API key to send with tracking requests. Tracking is disabled if this is null.
-    # Allow using double puppeting from any server with a valid client .well-known file.
+    token: null
-    double_puppet_allow_discovery: false
+    # Address to send tracking requests to.
-    # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth
+    url: https://api.segment.io/v1/track
    # Optional user ID for tracking events. If null, defaults to using Matrix user ID.
    user_id: null
 # Settings for provisioning API
 provisioning:
    # Prefix for the provisioning API paths.
    prefix: /_matrix/provision
    # Shared secret for authentication. If set to "generate" or null, a random secret will be generated,
    # or if set to "disable", the provisioning API will be disabled.
    shared_secret: disable
    # Whether to allow provisioning API requests to be authed using Matrix access tokens.
    # This follows the same rules as double puppeting to determine which server to contact to check the token,
    # which means that by default, it only works for users on the same server as the bridge.
    allow_matrix_auth: true
    # Enable debug API at /debug with provisioning authentication.
    debug_endpoints: false
 # Some networks require publicly accessible media download links (e.g. for user avatars when using Discord webhooks).
 # These settings control whether the bridge will provide such public media access.
 public_media:
    # Should public media be enabled at all?
    # The public_address field under the appservice section MUST be set when enabling public media.
    enabled: false
    # A key for signing public media URLs.
    # If set to "generate", a random key will be generated.
    signing_key: {{ matrix_mautrix_gmessages_public_media_signing_key | to_json }}
    # Number of seconds that public media URLs are valid for.
    # If set to 0, URLs will never expire.
    expiry: 0
    # Length of hash to use for public media URLs. Must be between 0 and 32.
    hash_length: 32
 # Settings for converting remote media to custom mxc:// URIs instead of reuploading.
 # More details can be found at https://docs.mau.fi/bridges/go/discord/direct-media.html
 direct_media:
    # Should custom mxc:// URIs be used instead of reuploading media?
    enabled: false
    # The server name to use for the custom mxc:// URIs.
    # This server name will effectively be a real Matrix server, it just won't implement anything other than media.
    # You must either set up .well-known delegation from this domain to the bridge, or proxy the domain directly to the bridge.
    server_name: media.example.com
    # Optionally a custom .well-known response. This defaults to `server_name:443`
    well_known_response:
    # Optionally specify a custom prefix for the media ID part of the MXC URI.
    media_id_prefix:
    # If the remote network supports media downloads over HTTP, then the bridge will use MSC3860/MSC3916
    # media download redirects if the requester supports it. Optionally, you can force redirects
    # and not allow proxying at all by setting this to false.
    # This option does nothing if the remote network does not support media downloads over HTTP.
    allow_proxy: true
    # Matrix server signing key to make the federation tester pass, same format as synapse's .signing.key file.
    # This key is also used to sign the mxc:// URIs to ensure only the bridge can generate them.
    server_key: ""
 # Settings for backfilling messages.
 # Note that the exact way settings are applied depends on the network connector.
 # See https://docs.mau.fi/bridges/general/backfill.html for more details.
 backfill:
    # Whether to do backfilling at all.
    enabled: {{ matrix_mautrix_gmessages_backfill_enabled | to_json }}
    # Maximum number of messages to backfill in empty rooms.
    max_initial_messages: {{ matrix_mautrix_gmessages_backfill_max_initial_messages | to_json }}
    # Maximum number of missed messages to backfill after bridge restarts.
    max_catchup_messages: {{ matrix_mautrix_gmessages_backfill_max_catchup_messages | to_json }}
    # If a backfilled chat is older than this number of hours,
    # mark it as read even if it's unread on the remote network.
    unread_hours_threshold: {{ matrix_mautrix_gmessages_backfill_unread_hours_threshold | to_json }}
    # Settings for backfilling threads within other backfills.
    threads:
        # Maximum number of messages to backfill in a new thread.
        max_initial_messages: {{ matrix_mautrix_gmessages_backfill_threads_max_initial_messages | to_json }}
    # Settings for the backwards backfill queue. This only applies when connecting to
    # Beeper as standard Matrix servers don't support inserting messages into history.
    queue:
        # Should the backfill queue be enabled?
        enabled: false
        # Number of messages to backfill in one batch.
        batch_size: 100
        # Delay between batches in seconds.
        batch_delay: 20
        # Maximum number of batches to backfill per portal.
        # If set to -1, all available messages will be backfilled.
        max_batches: -1
        # Optional network-specific overrides for max batches.
        # Interpretation of this field depends on the network connector.
        max_batches_override: {}
 # Settings for enabling double puppeting
 double_puppet:
    # Servers to always allow double puppeting from.
    # This is only for other servers and should NOT contain the server the bridge is on.
    servers: {}
    # Whether to allow client API URL discovery for other servers. When using this option,
    # users on other servers can use double puppeting even if their server URLs aren't
    # explicitly added to the servers map above.
    allow_discovery: false
    # Shared secrets for automatic double puppeting.
    # See https://docs.mau.fi/bridges/general/double-puppeting.html for instructions.
    secrets: {{ matrix_mautrix_gmessages_double_puppet_secrets | to_json }}
 # End-to-bridge encryption support options.
 #
 # See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info.
 encryption:
    # Whether to enable encryption at all. If false, the bridge will not function in encrypted rooms.
    allow: {{ matrix_mautrix_gmessages_bridge_encryption_allow | to_json }}
    # Whether to force-enable encryption in all bridged rooms.
    default: {{ matrix_mautrix_gmessages_bridge_encryption_default | to_json }}
    # Whether to require all messages to be encrypted and drop any unencrypted messages.
    require: {{ matrix_mautrix_gmessages_bridge_encryption_require | to_json }}
    # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.
    # This option is not yet compatible with standard Matrix servers like Synapse and should not be used.
    appservice: {{ matrix_mautrix_gmessages_bridge_encryption_appservice | to_json }}
    # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
    # You must use a client that supports requesting keys from other users to use this feature.
    allow_key_sharing: {{ matrix_mautrix_gmessages_bridge_encryption_key_sharing_allow | to_json }}
    # Pickle key for encrypting encryption keys in the bridge database.
    # If set to generate, a random key will be generated.
    pickle_key: mautrix.bridge.e2ee
    # Options for deleting megolm sessions from the bridge.
    delete_keys:
        # Beeper-specific: delete outbound sessions when hungryserv confirms
        # that the user has uploaded the key to key backup.
        delete_outbound_on_ack: false
        # Don't store outbound sessions in the inbound table.
        dont_store_outbound: false
        # Ratchet megolm sessions forward after decrypting messages.
        ratchet_on_decrypt: false
        # Delete fully used keys (index >= max_messages) after decrypting messages.
        delete_fully_used_on_decrypt: false
        # Delete previous megolm sessions from same device when receiving a new one.
        delete_prev_on_new_session: false
        # Delete megolm sessions received from a device when the device is deleted.
        delete_on_device_delete: false
        # Periodically delete megolm sessions when 2x max_age has passed since receiving the session.
        periodically_delete_expired: false
        # Delete inbound megolm sessions that don't have the received_at field used for
        # automatic ratcheting and expired session deletion. This is meant as a migration
        # to delete old keys prior to the bridge update.
        delete_outdated_inbound: false
    # What level of device verification should be required from users?
    #
-    # If set, double puppeting will be enabled automatically for local users
+    # Valid levels:
-    # instead of users having to find an access token and run `login-matrix`
+    #   unverified - Send keys to all device in the room.
-    # manually.
+    #   cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys.
-    login_shared_secret_map: {{ matrix_mautrix_gmessages_bridge_login_shared_secret_map|to_json }}
+    #   cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes).
-
+    #   cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot.
-    # Whether to explicitly set the avatar and room name for private chat portal rooms.
+    #                           Note that creating user signatures from the bridge bot is not currently possible.
-    # If set to `default`, this will be enabled in encrypted rooms and disabled in unencrypted rooms.
+    #   verified - Require manual per-device verification
-    # If set to `always`, all DM rooms will have explicit names and avatars set.
+    #              (currently only possible by modifying the `trust` column in the `crypto_device` database table).
-    # If set to `never`, DM rooms will never have names and avatars set.
+    verification_levels:
-    private_chat_portal_meta: default
+        # Minimum level for which the bridge should send keys to when bridging messages from the remote network to Matrix.
-    # Should Matrix m.notice-type messages be bridged?
+        receive: unverified
-    bridge_notices: true
+        # Minimum level that the bridge should accept for incoming Matrix messages.
-    # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run.
+        send: unverified
-    # This field will automatically be changed back to false after it, except if the config file is not writable.
+        # Minimum level that the bridge should require for accepting key requests.
-    resend_bridge_info: false
+        share: cross-signed-tofu
-    # When using double puppeting, should muted chats be muted in Matrix?
+    # Options for Megolm room key rotation. These options allow you to configure the m.room.encryption event content.
-    mute_bridging: {{ matrix_mautrix_gmessages_bridge_mute_bridging | to_json }}
+    # See https://spec.matrix.org/v1.10/client-server-api/#mroomencryption for more information about that event.
-    # When using double puppeting, should archived chats be moved to a specific tag in Matrix?
+    rotation:
-    # This can be set to a tag (e.g. m.lowpriority), or null to disable.
+        # Enable custom Megolm room key rotation settings. Note that these
-    archive_tag: null
+        # settings will only apply to rooms created after this option is set.
-    # Same as above, but for pinned chats. The favorite tag is called m.favourite
+        enable_custom: false
-    pinned_tag: null
+        # The maximum number of milliseconds a session should be used
-    # Should mute status and tags only be bridged when the portal room is created?
+        # before changing it. The Matrix spec recommends 604800000 (a week)
-    tag_only_on_create: true
+        # as the default.
-    # Whether or not created rooms should have federation enabled.
+        milliseconds: 604800000
-    # If false, created portal rooms will never be federated.
+        # The maximum number of messages that should be sent with a given a
-    federate_rooms: {{ matrix_mautrix_gmessages_federate_rooms|to_json }}
+        # session before changing it. The Matrix spec recommends 100 as the
-    # Should the bridge never send alerts to the bridge management room?
+        # default.
-    # These are mostly things like the user being logged out.
+        messages: 100
-    disable_bridge_alerts: false
+        # Disable rotating keys when a user's devices change?
-    # Send captions in the same message as images. This will send data compatible with both MSC2530 and MSC3552.
+        # You should not enable this option unless you understand all the implications.
-    # This is currently not supported in most clients.
+        disable_device_change_key_rotation: false
    caption_in_message: false
    # The prefix for commands. Only required in non-management rooms.
    command_prefix: "!gm"
    # Messages sent upon joining a management room.
    # Markdown is supported. The defaults are listed below.
    management_room_text:
        # Sent when joining a room.
        welcome: "Hello, I'm a Google Messages bridge bot."
        # Sent when joining a management room and the user is already logged in.
        welcome_connected: "Use `help` for help."
        # Sent when joining a management room and the user is not logged in.
        welcome_unconnected: "Use `help` for help or `login` to log in."
        # Optional extra text sent when joining a management room.
        additional_help: ""
    # End-to-bridge encryption support options.
    #
    # See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info.
    encryption:
        # Allow encryption, work in group chat rooms with e2ee enabled
        allow: {{ matrix_mautrix_gmessages_bridge_encryption_allow|to_json }}
        # Default to encryption, force-enable encryption in all portals the bridge creates
        # This will cause the bridge bot to be in private chats for the encryption to work properly.
        default: {{ matrix_mautrix_gmessages_bridge_encryption_default|to_json }}
        # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.
        appservice: false
        # Require encryption, drop any unencrypted messages.
        require: false
        # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
        # You must use a client that supports requesting keys from other users to use this feature.
        allow_key_sharing: {{ matrix_mautrix_gmessages_bridge_encryption_key_sharing_allow|to_json }}
        # Options for deleting megolm sessions from the bridge.
        delete_keys:
            # Beeper-specific: delete outbound sessions when hungryserv confirms
            # that the user has uploaded the key to key backup.
            delete_outbound_on_ack: false
            # Don't store outbound sessions in the inbound table.
            dont_store_outbound: false
            # Ratchet megolm sessions forward after decrypting messages.
            ratchet_on_decrypt: false
            # Delete fully used keys (index >= max_messages) after decrypting messages.
            delete_fully_used_on_decrypt: false
            # Delete previous megolm sessions from same device when receiving a new one.
            delete_prev_on_new_session: false
            # Delete megolm sessions received from a device when the device is deleted.
            delete_on_device_delete: false
            # Periodically delete megolm sessions when 2x max_age has passed since receiving the session.
            periodically_delete_expired: false
            # Delete inbound megolm sessions that don't have the received_at field used for
            # automatic ratcheting and expired session deletion. This is meant as a migration
            # to delete old keys prior to the bridge update.
            delete_outdated_inbound: false
        # What level of device verification should be required from users?
        #
        # Valid levels:
        #   unverified - Send keys to all device in the room.
        #   cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys.
        #   cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes).
        #   cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot.
        #                           Note that creating user signatures from the bridge bot is not currently possible.
        #   verified - Require manual per-device verification
        #              (currently only possible by modifying the `trust` column in the `crypto_device` database table).
        verification_levels:
            # Minimum level for which the bridge should send keys to when bridging messages from SMS to Matrix.
            receive: unverified
            # Minimum level that the bridge should accept for incoming Matrix messages.
            send: unverified
            # Minimum level that the bridge should require for accepting key requests.
            share: cross-signed-tofu
        # Options for Megolm room key rotation. These options allow you to
        # configure the m.room.encryption event content. See:
        # https://spec.matrix.org/v1.3/client-server-api/#mroomencryption for
        # more information about that event.
        rotation:
            # Enable custom Megolm room key rotation settings. Note that these
            # settings will only apply to rooms created after this option is
            # set.
            enable_custom: false
            # The maximum number of milliseconds a session should be used
            # before changing it. The Matrix spec recommends 604800000 (a week)
            # as the default.
            milliseconds: 604800000
            # The maximum number of messages that should be sent with a given a
            # session before changing it. The Matrix spec recommends 100 as the
            # default.
            messages: 100
            # Disable rotating keys when a user's devices change?
            # You should not enable this option unless you understand all the implications.
            disable_device_change_key_rotation: false
    # Settings for provisioning API
    provisioning:
        # Prefix for the provisioning API paths.
        prefix: /_matrix/provision
        # Shared secret for authentication. If set to "generate", a random secret will be generated,
        # or if set to "disable", the provisioning API will be disabled.
        shared_secret: generate
    # Permissions for using the bridge.
    # Permitted values:
    #     user - Access to use the bridge to link their own Google Messages on android.
    #    admin - User level and some additional administration tools
    # Permitted keys:
    #        * - All Matrix users
    #   domain - All users on that homeserver
    #     mxid - Specific user
    permissions: {{ matrix_mautrix_gmessages_bridge_permissions|to_json }}
 # Logging config. See https://github.com/tulir/zeroconfig for details.
 logging:
    min_level: {{ matrix_mautrix_gmessages_logging_level }}
    writers:
        - type: stdout
-          format: pretty-colored
+          format: pretty
--- a/roles/custom/matrix-bridge-mautrix-meta-instagram/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-meta-instagram/defaults/main.yml
@ -13,7 +13,7 @@ matrix_mautrix_meta_instagram_enabled: true
 matrix_mautrix_meta_instagram_identifier: matrix-mautrix-meta-instagram
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/meta
-matrix_mautrix_meta_instagram_version: v0.3.2
+matrix_mautrix_meta_instagram_version: v0.4.0
 matrix_mautrix_meta_instagram_base_path: "{{ matrix_base_data_path }}/mautrix-meta-instagram"
 matrix_mautrix_meta_instagram_config_path: "{{ matrix_mautrix_meta_instagram_base_path }}/config"
@ -214,9 +214,9 @@ matrix_mautrix_meta_instagram_bridge_encryption_allow_key_sharing: "{{ matrix_ma
 matrix_mautrix_meta_instagram_bridge_encryption_appservice: false
 matrix_mautrix_meta_instagram_bridge_encryption_require: false
-matrix_mautrix_meta_instagram_bridge_login_shared_secret_map: "{{ matrix_mautrix_meta_instagram_bridge_login_shared_secret_map_auto | combine(matrix_mautrix_meta_instagram_bridge_login_shared_secret_map_custom) }}"
+matrix_mautrix_meta_instagram_double_puppet_secrets: "{{ matrix_mautrix_meta_instagram_double_puppet_secrets_auto | combine(matrix_mautrix_meta_instagram_double_puppet_secrets_custom) }}"
-matrix_mautrix_meta_instagram_bridge_login_shared_secret_map_auto: {}
+matrix_mautrix_meta_instagram_double_puppet_secrets_auto: {}
-matrix_mautrix_meta_instagram_bridge_login_shared_secret_map_custom: {}
+matrix_mautrix_meta_instagram_double_puppet_secrets_custom: {}
 matrix_mautrix_meta_instagram_bridge_permissions: "{{ matrix_mautrix_meta_instagram_bridge_permissions_default | combine(matrix_mautrix_meta_instagram_bridge_permissions_custom) }}"
@ -231,16 +231,15 @@ matrix_mautrix_meta_instagram_bridge_permissions_custom: {}
 # Enable bridge relay bot functionality
 matrix_mautrix_meta_instagram_bridge_relay_enabled: "{{ matrix_bridges_relay_enabled }}"
 matrix_mautrix_meta_instagram_bridge_relay_admin_only: true
 matrix_mautrix_meta_instagram_bridge_relay_default_relays: []
-matrix_mautrix_meta_instagram_bridge_management_room_text_welcome: |-
+matrix_mautrix_meta_instagram_backfill_enabled: true
-  {{
+matrix_mautrix_meta_instagram_backfill_max_initial_messages: 50
-    ({
+matrix_mautrix_meta_instagram_backfill_max_catchup_messages: 500
-      'facebook': "Hello, I'm a Facebook bridge bot.",
+matrix_mautrix_meta_instagram_backfill_unread_hours_threshold: 720
-      'facebook-tor': "Hello, I'm a Facebook bridge bot which uses Tor.",
+matrix_mautrix_meta_instagram_backfill_threads_max_initial_messages: 50
-      'messenger': "Hello, I'm a Messenger bridge bot.",
+
-      'instagram': "Hello, I'm an Instagram bridge bot.",
+matrix_mautrix_meta_instagram_public_media_signing_key: ''
    })[matrix_mautrix_meta_instagram_meta_mode]
  }}
 # Specifies the default log level.
 # This bridge uses zerolog, so valid levels are: panic, fatal, error, warn, info, debug, trace
--- a/roles/custom/matrix-bridge-mautrix-meta-instagram/tasks/validate_config.yml
+++ b/roles/custom/matrix-bridge-mautrix-meta-instagram/tasks/validate_config.yml
@ -23,3 +23,5 @@
  when: "item.old in vars"
  with_items:
    - {'old': 'matrix_mautrix_meta_instagram_bridge_login_shared_secret', 'new': '<removed>'}
    - {'old': 'matrix_mautrix_meta_instagram_bridge_login_shared_secret_map_custom', 'new': '<superseded by matrix_mautrix_meta_instagram_double_puppet_secrets_custom>'}
    - {'old': 'matrix_mautrix_meta_instagram_bridge_management_room_text_welcome', 'new': '<removed>'}
--- a/roles/custom/matrix-bridge-mautrix-meta-instagram/templates/config.yaml.j2
+++ b/roles/custom/matrix-bridge-mautrix-meta-instagram/templates/config.yaml.j2
@ -1,7 +1,168 @@
 #jinja2: lstrip_blocks: "True"
 # Network-specific config options
 network:
    # Which service is this bridge for? Available options:
    # * unset - allow users to pick any service when logging in (except facebook-tor)
    # * facebook - connect to FB Messenger via facebook.com
    # * facebook-tor - connect to FB Messenger via facebookwkhpilnemxj7asaniu7vnjjbiltxjqhye3mhbshg7kx5tfyd.onion
    #                  (note: does not currently proxy media downloads)
    # * messenger - connect to FB Messenger via messenger.com (can be used with the facebook side deactivated)
    # * instagram - connect to Instagram DMs via instagram.com
    #
    # Remember to change the appservice id, bot profile info, bridge username_template and management_room_text too.
    mode: {{ matrix_mautrix_meta_instagram_meta_mode | to_json }}
    # When in Instagram mode, should the bridge connect to WhatsApp servers for encrypted chats?
    # In FB/Messenger mode encryption is always enabled, this option only affects Instagram mode.
    ig_e2ee: {{ matrix_mautrix_meta_instagram_meta_ig_e2ee | to_json }}
    # Displayname template for FB/IG users. Available variables:
    #  .DisplayName - The display name set by the user.
    #  .Username - The username set by the user.
    #  .ID - The internal user ID of the user.
    displayname_template: {{ matrix_mautrix_meta_instagram_bridge_displayname_template | to_json }}
    # Static proxy address (HTTP or SOCKS5) for connecting to Meta.
    proxy:
    # HTTP endpoint to request new proxy address from, for dynamically assigned proxies.
    # The endpoint must return a JSON body with a string field called proxy_url.
    get_proxy_from:
    # Minimum interval between full reconnects in seconds, default is 1 hour
    min_full_reconnect_interval_seconds: 3600
    # Interval to force refresh the connection (full reconnect), default is 20 hours. Set 0 to disable force refreshes.
    force_refresh_interval_seconds: 72000
    # Disable fetching XMA media (reels, stories, etc) when backfilling.
    disable_xma_backfill: true
    # Disable fetching XMA media entirely.
    disable_xma_always: false
 # Config options that affect the central bridge module.
 bridge:
    # The prefix for commands. Only required in non-management rooms.
    command_prefix: {{ matrix_mautrix_meta_instagram_bridge_command_prefix | to_json }}
    # Should the bridge create a space for each login containing the rooms that account is in?
    personal_filtering_spaces: {{ matrix_mautrix_meta_instagram_bridge_personal_filtering_spaces | to_json }}
    # Whether the bridge should set names and avatars explicitly for DM portals.
    # This is only necessary when using clients that don't support MSC4171.
    private_chat_portal_meta: false
    # Should events be handled asynchronously within portal rooms?
    # If true, events may end up being out of order, but slow events won't block other ones.
    async_events: false
    # Should every user have their own portals rather than sharing them?
    # By default, users who are in the same group on the remote network will be
    # in the same Matrix room bridged to that group. If this is set to true,
    # every user will get their own Matrix room instead.
    split_portals: false
    # Should the bridge resend `m.bridge` events to all portals on startup?
    resend_bridge_info: false
    # Should leaving Matrix rooms be bridged as leaving groups on the remote network?
    bridge_matrix_leave: false
    # Should room tags only be synced when creating the portal? Tags mean things like favorite/pin and archive/low priority.
    # Tags currently can't be synced back to the remote network, so a continuous sync means tagging from Matrix will be undone.
    tag_only_on_create: true
    # Should room mute status only be synced when creating the portal?
    # Like tags, mutes can't currently be synced back to the remote network.
    mute_only_on_create: true
    # What should be done to portal rooms when a user logs out or is logged out?
    # Permitted values:
    #   nothing - Do nothing, let the user stay in the portals
    #   kick - Remove the user from the portal rooms, but don't delete them
    #   unbridge - Remove all ghosts in the room and disassociate it from the remote chat
    #   delete - Remove all ghosts and users from the room (i.e. delete it)
    cleanup_on_logout:
        # Should cleanup on logout be enabled at all?
        enabled: false
        # Settings for manual logouts (explicitly initiated by the Matrix user)
        manual:
            # Action for private portals which will never be shared with other Matrix users.
            private: nothing
            # Action for portals with a relay user configured.
            relayed: nothing
            # Action for portals which may be shared, but don't currently have any other Matrix users.
            shared_no_users: nothing
            # Action for portals which have other logged-in Matrix users.
            shared_has_users: nothing
        # Settings for credentials being invalidated (initiated by the remote network, possibly through user action).
        # Keys have the same meanings as in the manual section.
        bad_credentials:
            private: nothing
            relayed: nothing
            shared_no_users: nothing
            shared_has_users: nothing
    # Settings for relay mode
    relay:
        # Whether relay mode should be allowed. If allowed, the set-relay command can be used to turn any
        # authenticated user into a relaybot for that chat.
        enabled: {{ matrix_mautrix_meta_instagram_bridge_relay_enabled | to_json }}
        # Should only admins be allowed to set themselves as relay users?
        # If true, non-admins can only set users listed in default_relays as relays in a room.
        admin_only: {{ matrix_mautrix_meta_instagram_bridge_relay_admin_only | to_json }}
        # List of user login IDs which anyone can set as a relay, as long as the relay user is in the room.
        default_relays: {{ matrix_mautrix_meta_instagram_bridge_relay_default_relays | to_json }}
        # The formats to use when sending messages via the relaybot.
        # Available variables:
        #   .Sender.UserID - The Matrix user ID of the sender.
        #   .Sender.Displayname - The display name of the sender (if set).
        #   .Sender.RequiresDisambiguation - Whether the sender's name may be confused with the name of another user in the room.
        #   .Sender.DisambiguatedName - The disambiguated name of the sender. This will be the displayname if set,
        #                               plus the user ID in parentheses if the displayname is not unique.
        #                               If the displayname is not set, this is just the user ID.
        #   .Message - The `formatted_body` field of the message.
        #   .Caption - The `formatted_body` field of the message, if it's a caption. Otherwise an empty string.
        #   .FileName - The name of the file being sent.
        message_formats:
            m.text: "{% raw %}<b>{{ .Sender.DisambiguatedName }}</b>: {{ .Message }}{% endraw %}"
            m.notice: "{% raw %}<b>{{ .Sender.DisambiguatedName }}</b>: {{ .Message }}{% endraw %}"
            m.emote: "{% raw %}* <b>{{ .Sender.DisambiguatedName }}</b> {{ .Message }}{% endraw %}"
            m.file: "{% raw %}<b>{{ .Sender.DisambiguatedName }}</b> sent a file{{ if .Caption }}: {{ .Caption }}{{ end }}{% endraw %}"
            m.image: "{% raw %}<b>{{ .Sender.DisambiguatedName }}</b> sent an image{{ if .Caption }}: {{ .Caption }}{{ end }}{% endraw %}"
            m.audio: "{% raw %}<b>{{ .Sender.DisambiguatedName }}</b> sent an audio file{{ if .Caption }}: {{ .Caption }}{{ end }}{% endraw %}"
            m.video: "{% raw %}<b>{{ .Sender.DisambiguatedName }}</b> sent a video{{ if .Caption }}: {{ .Caption }}{{ end }}{% endraw %}"
            m.location: "{% raw %}<b>{{ .Sender.DisambiguatedName }}</b> sent a location{{ if .Caption }}: {{ .Caption }}{{ end }}{% endraw %}"
        # For networks that support per-message displaynames (i.e. Slack and Discord), the template for those names.
        # This has all the Sender variables available under message_formats (but without the .Sender prefix).
        # Note that you need to manually remove the displayname from message_formats above.
        displayname_format: "{% raw %}{{ .DisambiguatedName }}{% endraw %}"
    # Permissions for using the bridge.
    # Permitted values:
    #    relay - Talk through the relaybot (if enabled), no access otherwise
    # commands - Access to use commands in the bridge, but not login.
    #     user - Access to use the bridge with puppeting.
    #    admin - Full access, user level with some additional administration tools.
    # Permitted keys:
    #        * - All Matrix users
    #   domain - All users on that homeserver
    #     mxid - Specific user
    permissions: {{ matrix_mautrix_meta_instagram_bridge_permissions | to_json }}
 # Config for the bridge's database.
 database:
    # The database type. "sqlite3-fk-wal" and "postgres" are supported.
    type: {{ matrix_mautrix_meta_instagram_appservice_database_type | to_json }}
    # The database URI.
    #   SQLite: A raw file path is supported, but `file:<path>?_txlock=immediate` is recommended.
    #           https://github.com/mattn/go-sqlite3#connection-string
    #   Postgres: Connection string. For example, postgres://user:password@host/database?sslmode=disable
    #             To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql
    uri: {{ matrix_mautrix_meta_instagram_appservice_database_uri | to_json }}
    # Maximum number of connections.
    max_open_conns: 5
    max_idle_conns: 1
    # Maximum connection idle time and lifetime before they're closed. Disabled if null.
    # Parsed with https://pkg.go.dev/time#ParseDuration
    max_conn_idle_time: null
    max_conn_lifetime: null
 # Homeserver details.
 homeserver:
    # The address that this appservice can use to connect to the homeserver.
    # Local addresses without HTTPS are generally recommended when the bridge is running on the same machine,
    # but https also works if they run on different machines.
    address: {{ matrix_mautrix_meta_instagram_homeserver_address | to_json }}
    # The domain of the homeserver (also known as server_name, used for MXIDs, etc).
    domain: {{ matrix_mautrix_meta_instagram_homeserver_domain | to_json }}
@ -10,11 +171,15 @@ homeserver:
    # Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here.
    software: standard
    # The URL to push real-time bridge status to.
-    # If set, the bridge will make POST requests to this URL whenever a user's meta connection state changes.
+    # If set, the bridge will make POST requests to this URL whenever a user's remote network connection state changes.
    # The bridge will use the appservice as_token to authorize requests.
-    status_endpoint: null
+    status_endpoint:
    # Endpoint for reporting per-message status.
-    message_send_checkpoint_endpoint: null
+    # If set, the bridge will make POST requests to this URL when processing a message from Matrix.
    # It will make one request when receiving the message (step BRIDGE), one after decrypting if applicable
    # (step DECRYPTED) and one after sending to the remote network (step REMOTE). Errors will also be reported.
    # The bridge will use the appservice as_token to authorize requests.
    message_send_checkpoint_endpoint:
    # Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246?
    async_media: false
@ -26,33 +191,19 @@ homeserver:
    ping_interval_seconds: 0
 # Application service host/registration related details.
-# Changing these values requires regeneration of the registration.
+# Changing these values requires regeneration of the registration (except when noted otherwise)
 appservice:
    # The address that the homeserver can use to connect to this appservice.
    address: {{ matrix_mautrix_meta_instagram_appservice_address | to_json }}
    # A public address that external services can use to reach this appservice.
    # This value doesn't affect the registration file.
    public_address: https://bridge.example.com
    # The hostname and port where this appservice should listen.
    # For Docker, you generally have to change the hostname to 0.0.0.0.
    hostname: 0.0.0.0
    port: 29319
    # Database config.
    database:
        # The database type. "sqlite3-fk-wal" and "postgres" are supported.
        type: {{ matrix_mautrix_meta_instagram_appservice_database_type | to_json }}
        # The database URI.
        #   SQLite: A raw file path is supported, but `file:<path>?_txlock=immediate` is recommended.
        #           https://github.com/mattn/go-sqlite3#connection-string
        #   Postgres: Connection string. For example, postgres://user:password@host/database?sslmode=disable
        #             To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql
        uri: {{ matrix_mautrix_meta_instagram_appservice_database_uri | to_json }}
        # Maximum number of connections. Mostly relevant for Postgres.
        max_open_conns: 20
        max_idle_conns: 2
        # Maximum connection idle time and lifetime before they're closed. Disabled if null.
        # Parsed with https://pkg.go.dev/time#ParseDuration
        max_conn_idle_time: null
        max_conn_lifetime: null
    # The unique ID of this appservice.
    id: {{ matrix_mautrix_meta_instagram_appservice_id | to_json }}
    # Appservice bot details.
@ -62,268 +213,225 @@ appservice:
        # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
        # to leave display name/avatar as-is.
        displayname: {{ matrix_mautrix_meta_instagram_appservice_displayname | to_json }}
        # You can use mxc://maunium.net/JxjlbZUlCPULEeHZSwleUXQv for an Instagram avatar,
        # or mxc://maunium.net/ygtkteZsXnGJLJHRchUwYWak for Facebook Messenger
        avatar: {{ matrix_mautrix_meta_instagram_appservice_avatar | to_json }}
-    # Whether or not to receive ephemeral events via appservice transactions.
+    # Whether to receive ephemeral events via appservice transactions.
    # Requires MSC2409 support (i.e. Synapse 1.22+).
    ephemeral_events: true
    # Should incoming events be handled asynchronously?
    # This may be necessary for large public instances with lots of messages going through.
    # However, messages will not be guaranteed to be bridged in the same order they were sent in.
    # This value doesn't affect the registration file.
    async_transactions: false
    # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
    as_token: {{ matrix_mautrix_meta_instagram_appservice_token | to_json }}
    hs_token: {{ matrix_mautrix_meta_instagram_homeserver_token | to_json }}
-# Prometheus config.
+    # Localpart template of MXIDs for remote users.
-metrics:
+    # {% raw %}{{.}}{% endraw %} is replaced with the internal ID of the user.
    # Enable prometheus metrics?
    enabled: {{ matrix_mautrix_meta_instagram_metrics_enabled | to_json }}
    # IP and port where the metrics listener should be. The path is always /metrics
    listen: "0.0.0.0.0:8000"
 meta:
    # Which service is this bridge for? Available options:
    # * facebook - connect to FB Messenger via facebook.com
    # * facebook-tor - connect to FB Messenger via facebookwkhpilnemxj7asaniu7vnjjbiltxjqhye3mhbshg7kx5tfyd.onion
    #                  (note: does not currently proxy media downloads)
    # * messenger - connect to FB Messenger via messenger.com (can be used with the facebook side deactivated)
    # * instagram - connect to Instagram DMs via instagram.com
    #
    # Remember to change the appservice id, bot profile info, bridge username_template and management_room_text too.
    mode: {{ matrix_mautrix_meta_instagram_meta_mode | to_json }}
    # When in Instagram mode, should the bridge connect to WhatsApp servers for encrypted chats?
    # In FB/Messenger mode encryption is always enabled, this option only affects Instagram mode.
    ig_e2ee: {{ matrix_mautrix_meta_instagram_meta_ig_e2ee | to_json }}
    # Static proxy address (HTTP or SOCKS5) for connecting to Meta.
    proxy:
    # HTTP endpoint to request new proxy address from, for dynamically assigned proxies.
    # The endpoint must return a JSON body with a string field called proxy_url.
    get_proxy_from:
 # Bridge config
 bridge:
    # Localpart template of MXIDs for FB/IG users.
    # {% raw %}{{.}}{% endraw %} is replaced with the internal ID of the FB/IG user.
    username_template: {{ matrix_mautrix_meta_instagram_bridge_username_template | to_json }}
    # Displayname template for FB/IG users. This is also used as the room name in DMs if private_chat_portal_meta is enabled.
    # {% raw %}{{.DisplayName}}{% endraw %} - The display name set by the user.
    # {% raw %}{{.Username}}{% endraw %} - The username set by the user.
    # {% raw %}{{.ID}}{% endraw %} - The internal user ID of the user.
    displayname_template: {{ matrix_mautrix_meta_instagram_bridge_displayname_template | to_json }}
    # Whether to explicitly set the avatar and room name for private chat portal rooms.
    # If set to `default`, this will be enabled in encrypted rooms and disabled in unencrypted rooms.
    # If set to `always`, all DM rooms will have explicit names and avatars set.
    # If set to `never`, DM rooms will never have names and avatars set.
    private_chat_portal_meta: default
-    portal_message_buffer: 128
+# Config options that affect the Matrix connector of the bridge.
-
+matrix:
    # Should the bridge create a space for each logged-in user and add bridged rooms to it?
    # Users who logged in before turning this on should run `!meta sync-space` to create and fill the space for the first time.
    personal_filtering_spaces: {{ matrix_mautrix_meta_instagram_bridge_personal_filtering_spaces | to_json }}
    # Should Matrix m.notice-type messages be bridged?
    bridge_notices: true
    # Should the bridge send a read receipt from the bridge bot when a message has been sent to FB/IG?
    delivery_receipts: false
    # Whether the bridge should send the message status as a custom com.beeper.message_send_status event.
    message_status_events: false
    # Whether the bridge should send a read receipt after successfully bridging a message.
    delivery_receipts: false
    # Whether the bridge should send error notices via m.notice events when a message fails to bridge.
    message_error_notices: true
-    # Should the bridge never send alerts to the bridge management room?
+    # Whether the bridge should update the m.direct account data event when double puppeting is enabled.
    # These are mostly things like the user being logged out.
    disable_bridge_alerts: false
    # Should the bridge update the m.direct account data event when double puppeting is enabled.
    # Note that updating the m.direct event is not atomic and is therefore prone to race conditions.
    sync_direct_chat_list: false
-    # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run.
+    # Whether created rooms should have federation enabled. If false, created portal rooms
-    # This field will automatically be changed back to false after it, except if the config file is not writable.
+    # will never be federated. Changing this option requires recreating rooms.
    resend_bridge_info: false
    # Send captions in the same message as images. This will send data compatible with both MSC2530.
    # This is currently not supported in most clients.
    caption_in_message: false
    # Whether or not created rooms should have federation enabled.
    # If false, created portal rooms will never be federated.
    federate_rooms: {{ matrix_mautrix_meta_instagram_bridge_federate_rooms | to_json }}
-    # Should mute status be bridged? Allowed options: always, on-create, never
+    # The threshold as bytes after which the bridge should roundtrip uploads via the disk
-    mute_bridging: on-create
+    # rather than keeping the whole file in memory.
-    # Servers to always allow double puppeting from
+    upload_file_threshold: 5242880
-    double_puppet_server_map: {}
+
-    # Allow using double puppeting from any server with a valid client .well-known file.
+# Segment-compatible analytics endpoint for tracking some events, like provisioning API login and encryption errors.
-    double_puppet_allow_discovery: false
+analytics:
-    # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth
+    # API key to send with tracking requests. Tracking is disabled if this is null.
    token: null
    # Address to send tracking requests to.
    url: https://api.segment.io/v1/track
    # Optional user ID for tracking events. If null, defaults to using Matrix user ID.
    user_id: null
 # Settings for provisioning API
 provisioning:
    # Prefix for the provisioning API paths.
    prefix: /_matrix/provision
    # Shared secret for authentication. If set to "generate" or null, a random secret will be generated,
    # or if set to "disable", the provisioning API will be disabled.
    shared_secret: disable
    # Whether to allow provisioning API requests to be authed using Matrix access tokens.
    # This follows the same rules as double puppeting to determine which server to contact to check the token,
    # which means that by default, it only works for users on the same server as the bridge.
    allow_matrix_auth: true
    # Enable debug API at /debug with provisioning authentication.
    debug_endpoints: false
 # Some networks require publicly accessible media download links (e.g. for user avatars when using Discord webhooks).
 # These settings control whether the bridge will provide such public media access.
 public_media:
    # Should public media be enabled at all?
    # The public_address field under the appservice section MUST be set when enabling public media.
    enabled: false
    # A key for signing public media URLs.
    # If set to "generate", a random key will be generated.
    signing_key: {{ matrix_mautrix_meta_instagram_public_media_signing_key | to_json }}
    # Number of seconds that public media URLs are valid for.
    # If set to 0, URLs will never expire.
    expiry: 0
    # Length of hash to use for public media URLs. Must be between 0 and 32.
    hash_length: 32
 # Settings for converting remote media to custom mxc:// URIs instead of reuploading.
 # More details can be found at https://docs.mau.fi/bridges/go/discord/direct-media.html
 direct_media:
    # Should custom mxc:// URIs be used instead of reuploading media?
    enabled: false
    # The server name to use for the custom mxc:// URIs.
    # This server name will effectively be a real Matrix server, it just won't implement anything other than media.
    # You must either set up .well-known delegation from this domain to the bridge, or proxy the domain directly to the bridge.
    server_name: media.example.com
    # Optionally a custom .well-known response. This defaults to `server_name:443`
    well_known_response:
    # Optionally specify a custom prefix for the media ID part of the MXC URI.
    media_id_prefix:
    # If the remote network supports media downloads over HTTP, then the bridge will use MSC3860/MSC3916
    # media download redirects if the requester supports it. Optionally, you can force redirects
    # and not allow proxying at all by setting this to false.
    # This option does nothing if the remote network does not support media downloads over HTTP.
    allow_proxy: true
    # Matrix server signing key to make the federation tester pass, same format as synapse's .signing.key file.
    # This key is also used to sign the mxc:// URIs to ensure only the bridge can generate them.
    server_key: ""
 # Settings for backfilling messages.
 # Note that the exact way settings are applied depends on the network connector.
 # See https://docs.mau.fi/bridges/general/backfill.html for more details.
 backfill:
    # Whether to do backfilling at all.
    enabled: {{ matrix_mautrix_meta_instagram_backfill_enabled | to_json }}
    # Maximum number of messages to backfill in empty rooms.
    max_initial_messages: {{ matrix_mautrix_meta_instagram_backfill_max_initial_messages | to_json}}
    # Maximum number of missed messages to backfill after bridge restarts.
    max_catchup_messages: {{ matrix_mautrix_meta_instagram_backfill_max_catchup_messages | to_json }}
    # If a backfilled chat is older than this number of hours,
    # mark it as read even if it's unread on the remote network.
    unread_hours_threshold: {{ matrix_mautrix_meta_instagram_backfill_unread_hours_threshold | to_json }}
    # Settings for backfilling threads within other backfills.
    threads:
        # Maximum number of messages to backfill in a new thread.
        max_initial_messages: {{ matrix_mautrix_meta_instagram_backfill_threads_max_initial_messages | to_json }}
    # Settings for the backwards backfill queue. This only applies when connecting to
    # Beeper as standard Matrix servers don't support inserting messages into history.
    queue:
        # Should the backfill queue be enabled?
        enabled: false
        # Number of messages to backfill in one batch.
        batch_size: 100
        # Delay between batches in seconds.
        batch_delay: 20
        # Maximum number of batches to backfill per portal.
        # If set to -1, all available messages will be backfilled.
        max_batches: -1
        # Optional network-specific overrides for max batches.
        # Interpretation of this field depends on the network connector.
        max_batches_override: {}
 # Settings for enabling double puppeting
 double_puppet:
    # Servers to always allow double puppeting from.
    # This is only for other servers and should NOT contain the server the bridge is on.
    servers: {}
    # Whether to allow client API URL discovery for other servers. When using this option,
    # users on other servers can use double puppeting even if their server URLs aren't
    # explicitly added to the servers map above.
    allow_discovery: false
    # Shared secrets for automatic double puppeting.
    # See https://docs.mau.fi/bridges/general/double-puppeting.html for instructions.
    secrets: {{ matrix_mautrix_meta_instagram_double_puppet_secrets | to_json }}
 # End-to-bridge encryption support options.
 #
 # See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info.
 encryption:
    # Whether to enable encryption at all. If false, the bridge will not function in encrypted rooms.
    allow: {{ matrix_mautrix_meta_instagram_bridge_encryption_allow | to_json }}
    # Whether to force-enable encryption in all bridged rooms.
    default: {{ matrix_mautrix_meta_instagram_bridge_encryption_default | to_json }}
    # Whether to require all messages to be encrypted and drop any unencrypted messages.
    require: {{ matrix_mautrix_meta_instagram_bridge_encryption_require | to_json }}
    # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.
    # This option is not yet compatible with standard Matrix servers like Synapse and should not be used.
    appservice: {{ matrix_mautrix_meta_instagram_bridge_encryption_appservice | to_json }}
    # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
    # You must use a client that supports requesting keys from other users to use this feature.
    allow_key_sharing: {{ matrix_mautrix_meta_instagram_bridge_encryption_allow_key_sharing | to_json }}
    # Pickle key for encrypting encryption keys in the bridge database.
    # If set to generate, a random key will be generated.
    pickle_key: mautrix.bridge.e2ee
    # Options for deleting megolm sessions from the bridge.
    delete_keys:
        # Beeper-specific: delete outbound sessions when hungryserv confirms
        # that the user has uploaded the key to key backup.
        delete_outbound_on_ack: false
        # Don't store outbound sessions in the inbound table.
        dont_store_outbound: false
        # Ratchet megolm sessions forward after decrypting messages.
        ratchet_on_decrypt: false
        # Delete fully used keys (index >= max_messages) after decrypting messages.
        delete_fully_used_on_decrypt: false
        # Delete previous megolm sessions from same device when receiving a new one.
        delete_prev_on_new_session: false
        # Delete megolm sessions received from a device when the device is deleted.
        delete_on_device_delete: false
        # Periodically delete megolm sessions when 2x max_age has passed since receiving the session.
        periodically_delete_expired: false
        # Delete inbound megolm sessions that don't have the received_at field used for
        # automatic ratcheting and expired session deletion. This is meant as a migration
        # to delete old keys prior to the bridge update.
        delete_outdated_inbound: false
    # What level of device verification should be required from users?
    #
-    # If set, double puppeting will be enabled automatically for local users
+    # Valid levels:
-    # instead of users having to find an access token and run `login-matrix`
+    #   unverified - Send keys to all device in the room.
-    # manually.
+    #   cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys.
-    login_shared_secret_map: {{ matrix_mautrix_meta_instagram_bridge_login_shared_secret_map | to_json }}
+    #   cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes).
-
+    #   cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot.
-    # The prefix for commands. Only required in non-management rooms.
+    #                           Note that creating user signatures from the bridge bot is not currently possible.
-    # If set to "default", will be determined based on meta -> mode, "!ig" for instagram and "!fb" for facebook
+    #   verified - Require manual per-device verification
-    command_prefix: {{ matrix_mautrix_meta_instagram_bridge_command_prefix | to_json }}
+    #              (currently only possible by modifying the `trust` column in the `crypto_device` database table).
-
+    verification_levels:
-    backfill:
+        # Minimum level for which the bridge should send keys to when bridging messages from the remote network to Matrix.
-        # If disabled, old messages will never be bridged.
+        receive: unverified
-        enabled: true
+        # Minimum level that the bridge should accept for incoming Matrix messages.
-        # By default, Meta sends info about approximately 20 recent threads. If this is set to something else than 0,
+        send: unverified
-        # the bridge will request more threads on first login, until it reaches the specified number of pages
+        # Minimum level that the bridge should require for accepting key requests.
-        # or the end of the inbox.
+        share: cross-signed-tofu
-        inbox_fetch_pages: 0
+    # Options for Megolm room key rotation. These options allow you to configure the m.room.encryption event content.
-        # By default, Meta only sends one old message per thread. If this is set to a something else than 0,
+    # See https://spec.matrix.org/v1.10/client-server-api/#mroomencryption for more information about that event.
-        # the bridge will delay handling the one automatically received message and request more messages to backfill.
+    rotation:
-        # One page usually contains 20 messages. This can technically be set to -1 to fetch all messages,
+        # Enable custom Megolm room key rotation settings. Note that these
-        # but that will block bridging messages until the entire backfill is completed.
+        # settings will only apply to rooms created after this option is set.
-        history_fetch_pages: 0
+        enable_custom: false
-        # Same as above, but for catchup backfills (i.e. when the bridge is restarted).
+        # The maximum number of milliseconds a session should be used
-        catchup_fetch_pages: 5
+        # before changing it. The Matrix spec recommends 604800000 (a week)
-        # Maximum age of chats to leave as unread when backfilling. 0 means all chats can be left as unread.
+        # as the default.
-        # If non-zero, chats that are older than this will be marked as read, even if they're still unread on Meta.
+        milliseconds: 604800000
-        unread_hours_threshold: 0
+        # The maximum number of messages that should be sent with a given a
-        # Backfill queue settings. Only relevant for Beeper, because standard Matrix servers
+        # session before changing it. The Matrix spec recommends 100 as the
-        # don't support inserting messages into room history.
+        # default.
-        queue:
+        messages: 100
-            # How many pages of messages to request in one go (without sleeping between requests)?
+        # Disable rotating keys when a user's devices change?
-            pages_at_once: 5
+        # You should not enable this option unless you understand all the implications.
-            # Maximum number of pages to fetch. -1 to fetch all pages until the start of the chat.
+        disable_device_change_key_rotation: false
            max_pages: -1
            # How long to sleep after fetching a bunch of pages ("bunch" defined by pages_at_once).
            sleep_between_tasks: 20s
            # Disable fetching XMA media (reels, stories, etc) when backfilling.
            dont_fetch_xma: true
    # Messages sent upon joining a management room.
    # Markdown is supported. The defaults are listed below.
    management_room_text:
        # Sent when joining a room.
        welcome: {{ matrix_mautrix_meta_instagram_bridge_management_room_text_welcome | to_json }}
        # Sent when joining a management room and the user is already logged in.
        welcome_connected: "Use `help` for help."
        # Sent when joining a management room and the user is not logged in.
        welcome_unconnected: "Use `help` for help or `login` to log in."
        # Optional extra text sent when joining a management room.
        additional_help: ""
    # End-to-bridge encryption support options.
    #
    # See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info.
    encryption:
        # Allow encryption, work in group chat rooms with e2ee enabled
        allow: {{ matrix_mautrix_meta_instagram_bridge_encryption_allow | to_json }}
        # Default to encryption, force-enable encryption in all portals the bridge creates
        # This will cause the bridge bot to be in private chats for the encryption to work properly.
        default: {{ matrix_mautrix_meta_instagram_bridge_encryption_default | to_json }}
        # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.
        appservice: {{ matrix_mautrix_meta_instagram_bridge_encryption_appservice | to_json }}
        # Require encryption, drop any unencrypted messages.
        require: {{ matrix_mautrix_meta_instagram_bridge_encryption_require | to_json }}
        # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
        # You must use a client that supports requesting keys from other users to use this feature.
        allow_key_sharing: {{ matrix_mautrix_meta_instagram_bridge_encryption_allow_key_sharing | to_json }}
        # Options for deleting megolm sessions from the bridge.
        delete_keys:
            # Beeper-specific: delete outbound sessions when hungryserv confirms
            # that the user has uploaded the key to key backup.
            delete_outbound_on_ack: false
            # Don't store outbound sessions in the inbound table.
            dont_store_outbound: false
            # Ratchet megolm sessions forward after decrypting messages.
            ratchet_on_decrypt: false
            # Delete fully used keys (index >= max_messages) after decrypting messages.
            delete_fully_used_on_decrypt: false
            # Delete previous megolm sessions from same device when receiving a new one.
            delete_prev_on_new_session: false
            # Delete megolm sessions received from a device when the device is deleted.
            delete_on_device_delete: false
            # Periodically delete megolm sessions when 2x max_age has passed since receiving the session.
            periodically_delete_expired: false
            # Delete inbound megolm sessions that don't have the received_at field used for
            # automatic ratcheting and expired session deletion. This is meant as a migration
            # to delete old keys prior to the bridge update.
            delete_outdated_inbound: false
        # What level of device verification should be required from users?
        #
        # Valid levels:
        #   unverified - Send keys to all device in the room.
        #   cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys.
        #   cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes).
        #   cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot.
        #                           Note that creating user signatures from the bridge bot is not currently possible.
        #   verified - Require manual per-device verification
        #              (currently only possible by modifying the `trust` column in the `crypto_device` database table).
        verification_levels:
            # Minimum level for which the bridge should send keys to when bridging messages from FB/IG to Matrix.
            receive: unverified
            # Minimum level that the bridge should accept for incoming Matrix messages.
            send: unverified
            # Minimum level that the bridge should require for accepting key requests.
            share: cross-signed-tofu
        # Options for Megolm room key rotation. These options allow you to
        # configure the m.room.encryption event content. See:
        # https://spec.matrix.org/v1.3/client-server-api/#mroomencryption for
        # more information about that event.
        rotation:
            # Enable custom Megolm room key rotation settings. Note that these
            # settings will only apply to rooms created after this option is
            # set.
            enable_custom: false
            # The maximum number of milliseconds a session should be used
            # before changing it. The Matrix spec recommends 604800000 (a week)
            # as the default.
            milliseconds: 604800000
            # The maximum number of messages that should be sent with a given a
            # session before changing it. The Matrix spec recommends 100 as the
            # default.
            messages: 100
            # Disable rotating keys when a user's devices change?
            # You should not enable this option unless you understand all the implications.
            disable_device_change_key_rotation: false
    # Settings for provisioning API
    provisioning:
        # Prefix for the provisioning API paths.
        prefix: /_matrix/provision
        # Shared secret for authentication. If set to "generate", a random secret will be generated,
        # or if set to "disable", the provisioning API will be disabled.
        shared_secret: disable
        # Enable debug API at /debug with provisioning authentication.
        debug_endpoints: false
    # Permissions for using the bridge.
    # Permitted values:
    #    relay - Talk through the relaybot (if enabled), no access otherwise
    #     user - Access to use the bridge to chat with a Meta account.
    #    admin - User level and some additional administration tools
    # Permitted keys:
    #        * - All Matrix users
    #   domain - All users on that homeserver
    #     mxid - Specific user
    permissions: {{ matrix_mautrix_meta_instagram_bridge_permissions | to_json }}
    # Settings for relay mode
    relay:
        # Whether relay mode should be allowed. If allowed, `!wa set-relay` can be used to turn any
        # authenticated user into a relaybot for that chat.
        enabled: {{ matrix_mautrix_meta_instagram_bridge_relay_enabled | to_json }}
        # Should only admins be allowed to set themselves as relay users?
        admin_only: {{ matrix_mautrix_meta_instagram_bridge_relay_admin_only | to_json }}
        # The formats to use when sending messages to Meta via the relaybot.
        message_formats:
            m.text: "{% raw %}{{ .Sender.Displayname }}: {{ .Message }}{% endraw %}"
            m.notice: "{% raw %}{{ .Sender.Displayname }}: {{ .Message }}{% endraw %}"
            m.emote: "{% raw %}* {{ .Sender.Displayname }} {{ .Message }}{% endraw %}"
            m.file: "{% raw %}{{ .Sender.Displayname }} sent a file{% endraw %}"
            m.image: "{% raw %}{{ .Sender.Displayname }} sent an image{% endraw %}"
            m.audio: "{% raw %}{{ .Sender.Displayname }} sent an audio file{% endraw %}"
            m.video: "{% raw %}{{ .Sender.Displayname }} sent a video{% endraw %}"
            m.location: "{% raw %}{{ .Sender.Displayname }} sent a location{% endraw %}"
 # Logging config. See https://github.com/tulir/zeroconfig for details.
 logging:
    min_level: {{ matrix_mautrix_meta_instagram_logging_min_level | to_json }}
    writers:
-    - type: stdout
+        - type: stdout
-      format: pretty
+          format: pretty
--- a/roles/custom/matrix-bridge-mautrix-meta-messenger/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-meta-messenger/defaults/main.yml
@ -13,7 +13,7 @@ matrix_mautrix_meta_messenger_enabled: true
 matrix_mautrix_meta_messenger_identifier: matrix-mautrix-meta-messenger
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/meta
-matrix_mautrix_meta_messenger_version: v0.3.2
+matrix_mautrix_meta_messenger_version: v0.4.0
 matrix_mautrix_meta_messenger_base_path: "{{ matrix_base_data_path }}/mautrix-meta-messenger"
 matrix_mautrix_meta_messenger_config_path: "{{ matrix_mautrix_meta_messenger_base_path }}/config"
@ -214,9 +214,9 @@ matrix_mautrix_meta_messenger_bridge_encryption_allow_key_sharing: "{{ matrix_ma
 matrix_mautrix_meta_messenger_bridge_encryption_appservice: false
 matrix_mautrix_meta_messenger_bridge_encryption_require: false
-matrix_mautrix_meta_messenger_bridge_login_shared_secret_map: "{{ matrix_mautrix_meta_messenger_bridge_login_shared_secret_map_auto | combine(matrix_mautrix_meta_messenger_bridge_login_shared_secret_map_custom) }}"
+matrix_mautrix_meta_messenger_double_puppet_secrets: "{{ matrix_mautrix_meta_messenger_double_puppet_secrets_auto | combine(matrix_mautrix_meta_messenger_double_puppet_secrets_custom) }}"
-matrix_mautrix_meta_messenger_bridge_login_shared_secret_map_auto: {}
+matrix_mautrix_meta_messenger_double_puppet_secrets_auto: {}
-matrix_mautrix_meta_messenger_bridge_login_shared_secret_map_custom: {}
+matrix_mautrix_meta_messenger_double_puppet_secrets_custom: {}
 matrix_mautrix_meta_messenger_bridge_permissions: "{{ matrix_mautrix_meta_messenger_bridge_permissions_default | combine(matrix_mautrix_meta_messenger_bridge_permissions_custom) }}"
@ -231,16 +231,15 @@ matrix_mautrix_meta_messenger_bridge_permissions_custom: {}
 # Enable bridge relay bot functionality
 matrix_mautrix_meta_messenger_bridge_relay_enabled: "{{ matrix_bridges_relay_enabled }}"
 matrix_mautrix_meta_messenger_bridge_relay_admin_only: true
 matrix_mautrix_meta_messenger_bridge_relay_default_relays: []
-matrix_mautrix_meta_messenger_bridge_management_room_text_welcome: |-
+matrix_mautrix_meta_messenger_backfill_enabled: true
-  {{
+matrix_mautrix_meta_messenger_backfill_max_initial_messages: 50
-    ({
+matrix_mautrix_meta_messenger_backfill_max_catchup_messages: 500
-      'facebook': "Hello, I'm a Facebook bridge bot.",
+matrix_mautrix_meta_messenger_backfill_unread_hours_threshold: 720
-      'facebook-tor': "Hello, I'm a Facebook bridge bot which uses Tor.",
+matrix_mautrix_meta_messenger_backfill_threads_max_initial_messages: 50
-      'messenger': "Hello, I'm a Messenger bridge bot.",
+
-      'instagram': "Hello, I'm an Instagram bridge bot.",
+matrix_mautrix_meta_messenger_public_media_signing_key: ''
    })[matrix_mautrix_meta_messenger_meta_mode]
  }}
 # Specifies the default log level.
 # This bridge uses zerolog, so valid levels are: panic, fatal, error, warn, info, debug, trace
--- a/roles/custom/matrix-bridge-mautrix-meta-messenger/tasks/validate_config.yml
+++ b/roles/custom/matrix-bridge-mautrix-meta-messenger/tasks/validate_config.yml
@ -23,3 +23,5 @@
  when: "item.old in vars"
  with_items:
    - {'old': 'matrix_mautrix_meta_messenger_bridge_login_shared_secret', 'new': '<removed>'}
    - {'old': 'matrix_mautrix_meta_messenger_bridge_login_shared_secret_map_custom', 'new': '<superseded by matrix_mautrix_meta_messenger_double_puppet_secrets_custom>'}
    - {'old': 'matrix_mautrix_meta_messenger_bridge_management_room_text_welcome', 'new': '<removed>'}
--- a/roles/custom/matrix-bridge-mautrix-meta-messenger/templates/config.yaml.j2
+++ b/roles/custom/matrix-bridge-mautrix-meta-messenger/templates/config.yaml.j2
@ -1,7 +1,168 @@
 #jinja2: lstrip_blocks: "True"
 # Network-specific config options
 network:
    # Which service is this bridge for? Available options:
    # * unset - allow users to pick any service when logging in (except facebook-tor)
    # * facebook - connect to FB Messenger via facebook.com
    # * facebook-tor - connect to FB Messenger via facebookwkhpilnemxj7asaniu7vnjjbiltxjqhye3mhbshg7kx5tfyd.onion
    #                  (note: does not currently proxy media downloads)
    # * messenger - connect to FB Messenger via messenger.com (can be used with the facebook side deactivated)
    # * instagram - connect to Instagram DMs via instagram.com
    #
    # Remember to change the appservice id, bot profile info, bridge username_template and management_room_text too.
    mode: {{ matrix_mautrix_meta_messenger_meta_mode | to_json }}
    # When in Instagram mode, should the bridge connect to WhatsApp servers for encrypted chats?
    # In FB/Messenger mode encryption is always enabled, this option only affects Instagram mode.
    ig_e2ee: {{ matrix_mautrix_meta_messenger_meta_ig_e2ee | to_json }}
    # Displayname template for FB/IG users. Available variables:
    #  .DisplayName - The display name set by the user.
    #  .Username - The username set by the user.
    #  .ID - The internal user ID of the user.
    displayname_template: {{ matrix_mautrix_meta_messenger_bridge_displayname_template | to_json }}
    # Static proxy address (HTTP or SOCKS5) for connecting to Meta.
    proxy:
    # HTTP endpoint to request new proxy address from, for dynamically assigned proxies.
    # The endpoint must return a JSON body with a string field called proxy_url.
    get_proxy_from:
    # Minimum interval between full reconnects in seconds, default is 1 hour
    min_full_reconnect_interval_seconds: 3600
    # Interval to force refresh the connection (full reconnect), default is 20 hours. Set 0 to disable force refreshes.
    force_refresh_interval_seconds: 72000
    # Disable fetching XMA media (reels, stories, etc) when backfilling.
    disable_xma_backfill: true
    # Disable fetching XMA media entirely.
    disable_xma_always: false
 # Config options that affect the central bridge module.
 bridge:
    # The prefix for commands. Only required in non-management rooms.
    command_prefix: {{ matrix_mautrix_meta_messenger_bridge_command_prefix | to_json }}
    # Should the bridge create a space for each login containing the rooms that account is in?
    personal_filtering_spaces: {{ matrix_mautrix_meta_messenger_bridge_personal_filtering_spaces | to_json }}
    # Whether the bridge should set names and avatars explicitly for DM portals.
    # This is only necessary when using clients that don't support MSC4171.
    private_chat_portal_meta: false
    # Should events be handled asynchronously within portal rooms?
    # If true, events may end up being out of order, but slow events won't block other ones.
    async_events: false
    # Should every user have their own portals rather than sharing them?
    # By default, users who are in the same group on the remote network will be
    # in the same Matrix room bridged to that group. If this is set to true,
    # every user will get their own Matrix room instead.
    split_portals: false
    # Should the bridge resend `m.bridge` events to all portals on startup?
    resend_bridge_info: false
    # Should leaving Matrix rooms be bridged as leaving groups on the remote network?
    bridge_matrix_leave: false
    # Should room tags only be synced when creating the portal? Tags mean things like favorite/pin and archive/low priority.
    # Tags currently can't be synced back to the remote network, so a continuous sync means tagging from Matrix will be undone.
    tag_only_on_create: true
    # Should room mute status only be synced when creating the portal?
    # Like tags, mutes can't currently be synced back to the remote network.
    mute_only_on_create: true
    # What should be done to portal rooms when a user logs out or is logged out?
    # Permitted values:
    #   nothing - Do nothing, let the user stay in the portals
    #   kick - Remove the user from the portal rooms, but don't delete them
    #   unbridge - Remove all ghosts in the room and disassociate it from the remote chat
    #   delete - Remove all ghosts and users from the room (i.e. delete it)
    cleanup_on_logout:
        # Should cleanup on logout be enabled at all?
        enabled: false
        # Settings for manual logouts (explicitly initiated by the Matrix user)
        manual:
            # Action for private portals which will never be shared with other Matrix users.
            private: nothing
            # Action for portals with a relay user configured.
            relayed: nothing
            # Action for portals which may be shared, but don't currently have any other Matrix users.
            shared_no_users: nothing
            # Action for portals which have other logged-in Matrix users.
            shared_has_users: nothing
        # Settings for credentials being invalidated (initiated by the remote network, possibly through user action).
        # Keys have the same meanings as in the manual section.
        bad_credentials:
            private: nothing
            relayed: nothing
            shared_no_users: nothing
            shared_has_users: nothing
    # Settings for relay mode
    relay:
        # Whether relay mode should be allowed. If allowed, the set-relay command can be used to turn any
        # authenticated user into a relaybot for that chat.
        enabled: {{ matrix_mautrix_meta_messenger_bridge_relay_enabled | to_json }}
        # Should only admins be allowed to set themselves as relay users?
        # If true, non-admins can only set users listed in default_relays as relays in a room.
        admin_only: {{ matrix_mautrix_meta_messenger_bridge_relay_admin_only | to_json }}
        # List of user login IDs which anyone can set as a relay, as long as the relay user is in the room.
        default_relays: {{ matrix_mautrix_meta_messenger_bridge_relay_default_relays | to_json }}
        # The formats to use when sending messages via the relaybot.
        # Available variables:
        #   .Sender.UserID - The Matrix user ID of the sender.
        #   .Sender.Displayname - The display name of the sender (if set).
        #   .Sender.RequiresDisambiguation - Whether the sender's name may be confused with the name of another user in the room.
        #   .Sender.DisambiguatedName - The disambiguated name of the sender. This will be the displayname if set,
        #                               plus the user ID in parentheses if the displayname is not unique.
        #                               If the displayname is not set, this is just the user ID.
        #   .Message - The `formatted_body` field of the message.
        #   .Caption - The `formatted_body` field of the message, if it's a caption. Otherwise an empty string.
        #   .FileName - The name of the file being sent.
        message_formats:
            m.text: "{% raw %}<b>{{ .Sender.DisambiguatedName }}</b>: {{ .Message }}{% endraw %}"
            m.notice: "{% raw %}<b>{{ .Sender.DisambiguatedName }}</b>: {{ .Message }}{% endraw %}"
            m.emote: "{% raw %}* <b>{{ .Sender.DisambiguatedName }}</b> {{ .Message }}{% endraw %}"
            m.file: "{% raw %}<b>{{ .Sender.DisambiguatedName }}</b> sent a file{{ if .Caption }}: {{ .Caption }}{{ end }}{% endraw %}"
            m.image: "{% raw %}<b>{{ .Sender.DisambiguatedName }}</b> sent an image{{ if .Caption }}: {{ .Caption }}{{ end }}{% endraw %}"
            m.audio: "{% raw %}<b>{{ .Sender.DisambiguatedName }}</b> sent an audio file{{ if .Caption }}: {{ .Caption }}{{ end }}{% endraw %}"
            m.video: "{% raw %}<b>{{ .Sender.DisambiguatedName }}</b> sent a video{{ if .Caption }}: {{ .Caption }}{{ end }}{% endraw %}"
            m.location: "{% raw %}<b>{{ .Sender.DisambiguatedName }}</b> sent a location{{ if .Caption }}: {{ .Caption }}{{ end }}{% endraw %}"
        # For networks that support per-message displaynames (i.e. Slack and Discord), the template for those names.
        # This has all the Sender variables available under message_formats (but without the .Sender prefix).
        # Note that you need to manually remove the displayname from message_formats above.
        displayname_format: "{% raw %}{{ .DisambiguatedName }}{% endraw %}"
    # Permissions for using the bridge.
    # Permitted values:
    #    relay - Talk through the relaybot (if enabled), no access otherwise
    # commands - Access to use commands in the bridge, but not login.
    #     user - Access to use the bridge with puppeting.
    #    admin - Full access, user level with some additional administration tools.
    # Permitted keys:
    #        * - All Matrix users
    #   domain - All users on that homeserver
    #     mxid - Specific user
    permissions: {{ matrix_mautrix_meta_messenger_bridge_permissions | to_json }}
 # Config for the bridge's database.
 database:
    # The database type. "sqlite3-fk-wal" and "postgres" are supported.
    type: {{ matrix_mautrix_meta_messenger_appservice_database_type | to_json }}
    # The database URI.
    #   SQLite: A raw file path is supported, but `file:<path>?_txlock=immediate` is recommended.
    #           https://github.com/mattn/go-sqlite3#connection-string
    #   Postgres: Connection string. For example, postgres://user:password@host/database?sslmode=disable
    #             To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql
    uri: {{ matrix_mautrix_meta_messenger_appservice_database_uri | to_json }}
    # Maximum number of connections.
    max_open_conns: 5
    max_idle_conns: 1
    # Maximum connection idle time and lifetime before they're closed. Disabled if null.
    # Parsed with https://pkg.go.dev/time#ParseDuration
    max_conn_idle_time: null
    max_conn_lifetime: null
 # Homeserver details.
 homeserver:
    # The address that this appservice can use to connect to the homeserver.
    # Local addresses without HTTPS are generally recommended when the bridge is running on the same machine,
    # but https also works if they run on different machines.
    address: {{ matrix_mautrix_meta_messenger_homeserver_address | to_json }}
    # The domain of the homeserver (also known as server_name, used for MXIDs, etc).
    domain: {{ matrix_mautrix_meta_messenger_homeserver_domain | to_json }}
@ -10,11 +171,15 @@ homeserver:
    # Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here.
    software: standard
    # The URL to push real-time bridge status to.
-    # If set, the bridge will make POST requests to this URL whenever a user's meta connection state changes.
+    # If set, the bridge will make POST requests to this URL whenever a user's remote network connection state changes.
    # The bridge will use the appservice as_token to authorize requests.
-    status_endpoint: null
+    status_endpoint:
    # Endpoint for reporting per-message status.
-    message_send_checkpoint_endpoint: null
+    # If set, the bridge will make POST requests to this URL when processing a message from Matrix.
    # It will make one request when receiving the message (step BRIDGE), one after decrypting if applicable
    # (step DECRYPTED) and one after sending to the remote network (step REMOTE). Errors will also be reported.
    # The bridge will use the appservice as_token to authorize requests.
    message_send_checkpoint_endpoint:
    # Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246?
    async_media: false
@ -26,33 +191,19 @@ homeserver:
    ping_interval_seconds: 0
 # Application service host/registration related details.
-# Changing these values requires regeneration of the registration.
+# Changing these values requires regeneration of the registration (except when noted otherwise)
 appservice:
    # The address that the homeserver can use to connect to this appservice.
    address: {{ matrix_mautrix_meta_messenger_appservice_address | to_json }}
    # A public address that external services can use to reach this appservice.
    # This value doesn't affect the registration file.
    public_address: https://bridge.example.com
    # The hostname and port where this appservice should listen.
    # For Docker, you generally have to change the hostname to 0.0.0.0.
    hostname: 0.0.0.0
    port: 29319
    # Database config.
    database:
        # The database type. "sqlite3-fk-wal" and "postgres" are supported.
        type: {{ matrix_mautrix_meta_messenger_appservice_database_type | to_json }}
        # The database URI.
        #   SQLite: A raw file path is supported, but `file:<path>?_txlock=immediate` is recommended.
        #           https://github.com/mattn/go-sqlite3#connection-string
        #   Postgres: Connection string. For example, postgres://user:password@host/database?sslmode=disable
        #             To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql
        uri: {{ matrix_mautrix_meta_messenger_appservice_database_uri | to_json }}
        # Maximum number of connections. Mostly relevant for Postgres.
        max_open_conns: 20
        max_idle_conns: 2
        # Maximum connection idle time and lifetime before they're closed. Disabled if null.
        # Parsed with https://pkg.go.dev/time#ParseDuration
        max_conn_idle_time: null
        max_conn_lifetime: null
    # The unique ID of this appservice.
    id: {{ matrix_mautrix_meta_messenger_appservice_id | to_json }}
    # Appservice bot details.
@ -62,268 +213,225 @@ appservice:
        # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
        # to leave display name/avatar as-is.
        displayname: {{ matrix_mautrix_meta_messenger_appservice_displayname | to_json }}
        # You can use mxc://maunium.net/JxjlbZUlCPULEeHZSwleUXQv for an Instagram avatar,
        # or mxc://maunium.net/ygtkteZsXnGJLJHRchUwYWak for Facebook Messenger
        avatar: {{ matrix_mautrix_meta_messenger_appservice_avatar | to_json }}
-    # Whether or not to receive ephemeral events via appservice transactions.
+    # Whether to receive ephemeral events via appservice transactions.
    # Requires MSC2409 support (i.e. Synapse 1.22+).
    ephemeral_events: true
    # Should incoming events be handled asynchronously?
    # This may be necessary for large public instances with lots of messages going through.
    # However, messages will not be guaranteed to be bridged in the same order they were sent in.
    # This value doesn't affect the registration file.
    async_transactions: false
    # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
    as_token: {{ matrix_mautrix_meta_messenger_appservice_token | to_json }}
    hs_token: {{ matrix_mautrix_meta_messenger_homeserver_token | to_json }}
-# Prometheus config.
+    # Localpart template of MXIDs for remote users.
-metrics:
+    # {% raw %}{{.}}{% endraw %} is replaced with the internal ID of the user.
    # Enable prometheus metrics?
    enabled: {{ matrix_mautrix_meta_messenger_metrics_enabled | to_json }}
    # IP and port where the metrics listener should be. The path is always /metrics
    listen: "0.0.0.0.0:8000"
 meta:
    # Which service is this bridge for? Available options:
    # * facebook - connect to FB Messenger via facebook.com
    # * facebook-tor - connect to FB Messenger via facebookwkhpilnemxj7asaniu7vnjjbiltxjqhye3mhbshg7kx5tfyd.onion
    #                  (note: does not currently proxy media downloads)
    # * messenger - connect to FB Messenger via messenger.com (can be used with the facebook side deactivated)
    # * instagram - connect to Instagram DMs via instagram.com
    #
    # Remember to change the appservice id, bot profile info, bridge username_template and management_room_text too.
    mode: {{ matrix_mautrix_meta_messenger_meta_mode | to_json }}
    # When in Instagram mode, should the bridge connect to WhatsApp servers for encrypted chats?
    # In FB/Messenger mode encryption is always enabled, this option only affects Instagram mode.
    ig_e2ee: {{ matrix_mautrix_meta_messenger_meta_ig_e2ee | to_json }}
    # Static proxy address (HTTP or SOCKS5) for connecting to Meta.
    proxy:
    # HTTP endpoint to request new proxy address from, for dynamically assigned proxies.
    # The endpoint must return a JSON body with a string field called proxy_url.
    get_proxy_from:
 # Bridge config
 bridge:
    # Localpart template of MXIDs for FB/IG users.
    # {% raw %}{{.}}{% endraw %} is replaced with the internal ID of the FB/IG user.
    username_template: {{ matrix_mautrix_meta_messenger_bridge_username_template | to_json }}
    # Displayname template for FB/IG users. This is also used as the room name in DMs if private_chat_portal_meta is enabled.
    # {% raw %}{{.DisplayName}}{% endraw %} - The display name set by the user.
    # {% raw %}{{.Username}}{% endraw %} - The username set by the user.
    # {% raw %}{{.ID}}{% endraw %} - The internal user ID of the user.
    displayname_template: {{ matrix_mautrix_meta_messenger_bridge_displayname_template | to_json }}
    # Whether to explicitly set the avatar and room name for private chat portal rooms.
    # If set to `default`, this will be enabled in encrypted rooms and disabled in unencrypted rooms.
    # If set to `always`, all DM rooms will have explicit names and avatars set.
    # If set to `never`, DM rooms will never have names and avatars set.
    private_chat_portal_meta: default
-    portal_message_buffer: 128
+# Config options that affect the Matrix connector of the bridge.
-
+matrix:
    # Should the bridge create a space for each logged-in user and add bridged rooms to it?
    # Users who logged in before turning this on should run `!meta sync-space` to create and fill the space for the first time.
    personal_filtering_spaces: {{ matrix_mautrix_meta_messenger_bridge_personal_filtering_spaces | to_json }}
    # Should Matrix m.notice-type messages be bridged?
    bridge_notices: true
    # Should the bridge send a read receipt from the bridge bot when a message has been sent to FB/IG?
    delivery_receipts: false
    # Whether the bridge should send the message status as a custom com.beeper.message_send_status event.
    message_status_events: false
    # Whether the bridge should send a read receipt after successfully bridging a message.
    delivery_receipts: false
    # Whether the bridge should send error notices via m.notice events when a message fails to bridge.
    message_error_notices: true
-    # Should the bridge never send alerts to the bridge management room?
+    # Whether the bridge should update the m.direct account data event when double puppeting is enabled.
    # These are mostly things like the user being logged out.
    disable_bridge_alerts: false
    # Should the bridge update the m.direct account data event when double puppeting is enabled.
    # Note that updating the m.direct event is not atomic and is therefore prone to race conditions.
    sync_direct_chat_list: false
-    # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run.
+    # Whether created rooms should have federation enabled. If false, created portal rooms
-    # This field will automatically be changed back to false after it, except if the config file is not writable.
+    # will never be federated. Changing this option requires recreating rooms.
    resend_bridge_info: false
    # Send captions in the same message as images. This will send data compatible with both MSC2530.
    # This is currently not supported in most clients.
    caption_in_message: false
    # Whether or not created rooms should have federation enabled.
    # If false, created portal rooms will never be federated.
    federate_rooms: {{ matrix_mautrix_meta_messenger_bridge_federate_rooms | to_json }}
-    # Should mute status be bridged? Allowed options: always, on-create, never
+    # The threshold as bytes after which the bridge should roundtrip uploads via the disk
-    mute_bridging: on-create
+    # rather than keeping the whole file in memory.
-    # Servers to always allow double puppeting from
+    upload_file_threshold: 5242880
-    double_puppet_server_map: {}
+
-    # Allow using double puppeting from any server with a valid client .well-known file.
+# Segment-compatible analytics endpoint for tracking some events, like provisioning API login and encryption errors.
-    double_puppet_allow_discovery: false
+analytics:
-    # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth
+    # API key to send with tracking requests. Tracking is disabled if this is null.
    token: null
    # Address to send tracking requests to.
    url: https://api.segment.io/v1/track
    # Optional user ID for tracking events. If null, defaults to using Matrix user ID.
    user_id: null
 # Settings for provisioning API
 provisioning:
    # Prefix for the provisioning API paths.
    prefix: /_matrix/provision
    # Shared secret for authentication. If set to "generate" or null, a random secret will be generated,
    # or if set to "disable", the provisioning API will be disabled.
    shared_secret: disable
    # Whether to allow provisioning API requests to be authed using Matrix access tokens.
    # This follows the same rules as double puppeting to determine which server to contact to check the token,
    # which means that by default, it only works for users on the same server as the bridge.
    allow_matrix_auth: true
    # Enable debug API at /debug with provisioning authentication.
    debug_endpoints: false
 # Some networks require publicly accessible media download links (e.g. for user avatars when using Discord webhooks).
 # These settings control whether the bridge will provide such public media access.
 public_media:
    # Should public media be enabled at all?
    # The public_address field under the appservice section MUST be set when enabling public media.
    enabled: false
    # A key for signing public media URLs.
    # If set to "generate", a random key will be generated.
    signing_key: {{ matrix_mautrix_meta_messenger_public_media_signing_key | to_json }}
    # Number of seconds that public media URLs are valid for.
    # If set to 0, URLs will never expire.
    expiry: 0
    # Length of hash to use for public media URLs. Must be between 0 and 32.
    hash_length: 32
 # Settings for converting remote media to custom mxc:// URIs instead of reuploading.
 # More details can be found at https://docs.mau.fi/bridges/go/discord/direct-media.html
 direct_media:
    # Should custom mxc:// URIs be used instead of reuploading media?
    enabled: false
    # The server name to use for the custom mxc:// URIs.
    # This server name will effectively be a real Matrix server, it just won't implement anything other than media.
    # You must either set up .well-known delegation from this domain to the bridge, or proxy the domain directly to the bridge.
    server_name: media.example.com
    # Optionally a custom .well-known response. This defaults to `server_name:443`
    well_known_response:
    # Optionally specify a custom prefix for the media ID part of the MXC URI.
    media_id_prefix:
    # If the remote network supports media downloads over HTTP, then the bridge will use MSC3860/MSC3916
    # media download redirects if the requester supports it. Optionally, you can force redirects
    # and not allow proxying at all by setting this to false.
    # This option does nothing if the remote network does not support media downloads over HTTP.
    allow_proxy: true
    # Matrix server signing key to make the federation tester pass, same format as synapse's .signing.key file.
    # This key is also used to sign the mxc:// URIs to ensure only the bridge can generate them.
    server_key: ""
 # Settings for backfilling messages.
 # Note that the exact way settings are applied depends on the network connector.
 # See https://docs.mau.fi/bridges/general/backfill.html for more details.
 backfill:
    # Whether to do backfilling at all.
    enabled: {{ matrix_mautrix_meta_messenger_backfill_enabled | to_json }}
    # Maximum number of messages to backfill in empty rooms.
    max_initial_messages: {{ matrix_mautrix_meta_messenger_backfill_max_initial_messages | to_json}}
    # Maximum number of missed messages to backfill after bridge restarts.
    max_catchup_messages: {{ matrix_mautrix_meta_messenger_backfill_max_catchup_messages | to_json }}
    # If a backfilled chat is older than this number of hours,
    # mark it as read even if it's unread on the remote network.
    unread_hours_threshold: {{ matrix_mautrix_meta_messenger_backfill_unread_hours_threshold | to_json }}
    # Settings for backfilling threads within other backfills.
    threads:
        # Maximum number of messages to backfill in a new thread.
        max_initial_messages: {{ matrix_mautrix_meta_messenger_backfill_threads_max_initial_messages | to_json }}
    # Settings for the backwards backfill queue. This only applies when connecting to
    # Beeper as standard Matrix servers don't support inserting messages into history.
    queue:
        # Should the backfill queue be enabled?
        enabled: false
        # Number of messages to backfill in one batch.
        batch_size: 100
        # Delay between batches in seconds.
        batch_delay: 20
        # Maximum number of batches to backfill per portal.
        # If set to -1, all available messages will be backfilled.
        max_batches: -1
        # Optional network-specific overrides for max batches.
        # Interpretation of this field depends on the network connector.
        max_batches_override: {}
 # Settings for enabling double puppeting
 double_puppet:
    # Servers to always allow double puppeting from.
    # This is only for other servers and should NOT contain the server the bridge is on.
    servers: {}
    # Whether to allow client API URL discovery for other servers. When using this option,
    # users on other servers can use double puppeting even if their server URLs aren't
    # explicitly added to the servers map above.
    allow_discovery: false
    # Shared secrets for automatic double puppeting.
    # See https://docs.mau.fi/bridges/general/double-puppeting.html for instructions.
    secrets: {{ matrix_mautrix_meta_messenger_double_puppet_secrets | to_json }}
 # End-to-bridge encryption support options.
 #
 # See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info.
 encryption:
    # Whether to enable encryption at all. If false, the bridge will not function in encrypted rooms.
    allow: {{ matrix_mautrix_meta_messenger_bridge_encryption_allow | to_json }}
    # Whether to force-enable encryption in all bridged rooms.
    default: {{ matrix_mautrix_meta_messenger_bridge_encryption_default | to_json }}
    # Whether to require all messages to be encrypted and drop any unencrypted messages.
    require: {{ matrix_mautrix_meta_messenger_bridge_encryption_require | to_json }}
    # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.
    # This option is not yet compatible with standard Matrix servers like Synapse and should not be used.
    appservice: {{ matrix_mautrix_meta_messenger_bridge_encryption_appservice | to_json }}
    # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
    # You must use a client that supports requesting keys from other users to use this feature.
    allow_key_sharing: {{ matrix_mautrix_meta_messenger_bridge_encryption_allow_key_sharing | to_json }}
    # Pickle key for encrypting encryption keys in the bridge database.
    # If set to generate, a random key will be generated.
    pickle_key: mautrix.bridge.e2ee
    # Options for deleting megolm sessions from the bridge.
    delete_keys:
        # Beeper-specific: delete outbound sessions when hungryserv confirms
        # that the user has uploaded the key to key backup.
        delete_outbound_on_ack: false
        # Don't store outbound sessions in the inbound table.
        dont_store_outbound: false
        # Ratchet megolm sessions forward after decrypting messages.
        ratchet_on_decrypt: false
        # Delete fully used keys (index >= max_messages) after decrypting messages.
        delete_fully_used_on_decrypt: false
        # Delete previous megolm sessions from same device when receiving a new one.
        delete_prev_on_new_session: false
        # Delete megolm sessions received from a device when the device is deleted.
        delete_on_device_delete: false
        # Periodically delete megolm sessions when 2x max_age has passed since receiving the session.
        periodically_delete_expired: false
        # Delete inbound megolm sessions that don't have the received_at field used for
        # automatic ratcheting and expired session deletion. This is meant as a migration
        # to delete old keys prior to the bridge update.
        delete_outdated_inbound: false
    # What level of device verification should be required from users?
    #
-    # If set, double puppeting will be enabled automatically for local users
+    # Valid levels:
-    # instead of users having to find an access token and run `login-matrix`
+    #   unverified - Send keys to all device in the room.
-    # manually.
+    #   cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys.
-    login_shared_secret_map: {{ matrix_mautrix_meta_messenger_bridge_login_shared_secret_map | to_json }}
+    #   cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes).
-
+    #   cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot.
-    # The prefix for commands. Only required in non-management rooms.
+    #                           Note that creating user signatures from the bridge bot is not currently possible.
-    # If set to "default", will be determined based on meta -> mode, "!ig" for instagram and "!fb" for facebook
+    #   verified - Require manual per-device verification
-    command_prefix: {{ matrix_mautrix_meta_messenger_bridge_command_prefix | to_json }}
+    #              (currently only possible by modifying the `trust` column in the `crypto_device` database table).
-
+    verification_levels:
-    backfill:
+        # Minimum level for which the bridge should send keys to when bridging messages from the remote network to Matrix.
-        # If disabled, old messages will never be bridged.
+        receive: unverified
-        enabled: true
+        # Minimum level that the bridge should accept for incoming Matrix messages.
-        # By default, Meta sends info about approximately 20 recent threads. If this is set to something else than 0,
+        send: unverified
-        # the bridge will request more threads on first login, until it reaches the specified number of pages
+        # Minimum level that the bridge should require for accepting key requests.
-        # or the end of the inbox.
+        share: cross-signed-tofu
-        inbox_fetch_pages: 0
+    # Options for Megolm room key rotation. These options allow you to configure the m.room.encryption event content.
-        # By default, Meta only sends one old message per thread. If this is set to a something else than 0,
+    # See https://spec.matrix.org/v1.10/client-server-api/#mroomencryption for more information about that event.
-        # the bridge will delay handling the one automatically received message and request more messages to backfill.
+    rotation:
-        # One page usually contains 20 messages. This can technically be set to -1 to fetch all messages,
+        # Enable custom Megolm room key rotation settings. Note that these
-        # but that will block bridging messages until the entire backfill is completed.
+        # settings will only apply to rooms created after this option is set.
-        history_fetch_pages: 0
+        enable_custom: false
-        # Same as above, but for catchup backfills (i.e. when the bridge is restarted).
+        # The maximum number of milliseconds a session should be used
-        catchup_fetch_pages: 5
+        # before changing it. The Matrix spec recommends 604800000 (a week)
-        # Maximum age of chats to leave as unread when backfilling. 0 means all chats can be left as unread.
+        # as the default.
-        # If non-zero, chats that are older than this will be marked as read, even if they're still unread on Meta.
+        milliseconds: 604800000
-        unread_hours_threshold: 0
+        # The maximum number of messages that should be sent with a given a
-        # Backfill queue settings. Only relevant for Beeper, because standard Matrix servers
+        # session before changing it. The Matrix spec recommends 100 as the
-        # don't support inserting messages into room history.
+        # default.
-        queue:
+        messages: 100
-            # How many pages of messages to request in one go (without sleeping between requests)?
+        # Disable rotating keys when a user's devices change?
-            pages_at_once: 5
+        # You should not enable this option unless you understand all the implications.
-            # Maximum number of pages to fetch. -1 to fetch all pages until the start of the chat.
+        disable_device_change_key_rotation: false
            max_pages: -1
            # How long to sleep after fetching a bunch of pages ("bunch" defined by pages_at_once).
            sleep_between_tasks: 20s
            # Disable fetching XMA media (reels, stories, etc) when backfilling.
            dont_fetch_xma: true
    # Messages sent upon joining a management room.
    # Markdown is supported. The defaults are listed below.
    management_room_text:
        # Sent when joining a room.
        welcome: {{ matrix_mautrix_meta_messenger_bridge_management_room_text_welcome | to_json }}
        # Sent when joining a management room and the user is already logged in.
        welcome_connected: "Use `help` for help."
        # Sent when joining a management room and the user is not logged in.
        welcome_unconnected: "Use `help` for help or `login` to log in."
        # Optional extra text sent when joining a management room.
        additional_help: ""
    # End-to-bridge encryption support options.
    #
    # See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info.
    encryption:
        # Allow encryption, work in group chat rooms with e2ee enabled
        allow: {{ matrix_mautrix_meta_messenger_bridge_encryption_allow | to_json }}
        # Default to encryption, force-enable encryption in all portals the bridge creates
        # This will cause the bridge bot to be in private chats for the encryption to work properly.
        default: {{ matrix_mautrix_meta_messenger_bridge_encryption_default | to_json }}
        # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.
        appservice: {{ matrix_mautrix_meta_messenger_bridge_encryption_appservice | to_json }}
        # Require encryption, drop any unencrypted messages.
        require: {{ matrix_mautrix_meta_messenger_bridge_encryption_require | to_json }}
        # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
        # You must use a client that supports requesting keys from other users to use this feature.
        allow_key_sharing: {{ matrix_mautrix_meta_messenger_bridge_encryption_allow_key_sharing | to_json }}
        # Options for deleting megolm sessions from the bridge.
        delete_keys:
            # Beeper-specific: delete outbound sessions when hungryserv confirms
            # that the user has uploaded the key to key backup.
            delete_outbound_on_ack: false
            # Don't store outbound sessions in the inbound table.
            dont_store_outbound: false
            # Ratchet megolm sessions forward after decrypting messages.
            ratchet_on_decrypt: false
            # Delete fully used keys (index >= max_messages) after decrypting messages.
            delete_fully_used_on_decrypt: false
            # Delete previous megolm sessions from same device when receiving a new one.
            delete_prev_on_new_session: false
            # Delete megolm sessions received from a device when the device is deleted.
            delete_on_device_delete: false
            # Periodically delete megolm sessions when 2x max_age has passed since receiving the session.
            periodically_delete_expired: false
            # Delete inbound megolm sessions that don't have the received_at field used for
            # automatic ratcheting and expired session deletion. This is meant as a migration
            # to delete old keys prior to the bridge update.
            delete_outdated_inbound: false
        # What level of device verification should be required from users?
        #
        # Valid levels:
        #   unverified - Send keys to all device in the room.
        #   cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys.
        #   cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes).
        #   cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot.
        #                           Note that creating user signatures from the bridge bot is not currently possible.
        #   verified - Require manual per-device verification
        #              (currently only possible by modifying the `trust` column in the `crypto_device` database table).
        verification_levels:
            # Minimum level for which the bridge should send keys to when bridging messages from FB/IG to Matrix.
            receive: unverified
            # Minimum level that the bridge should accept for incoming Matrix messages.
            send: unverified
            # Minimum level that the bridge should require for accepting key requests.
            share: cross-signed-tofu
        # Options for Megolm room key rotation. These options allow you to
        # configure the m.room.encryption event content. See:
        # https://spec.matrix.org/v1.3/client-server-api/#mroomencryption for
        # more information about that event.
        rotation:
            # Enable custom Megolm room key rotation settings. Note that these
            # settings will only apply to rooms created after this option is
            # set.
            enable_custom: false
            # The maximum number of milliseconds a session should be used
            # before changing it. The Matrix spec recommends 604800000 (a week)
            # as the default.
            milliseconds: 604800000
            # The maximum number of messages that should be sent with a given a
            # session before changing it. The Matrix spec recommends 100 as the
            # default.
            messages: 100
            # Disable rotating keys when a user's devices change?
            # You should not enable this option unless you understand all the implications.
            disable_device_change_key_rotation: false
    # Settings for provisioning API
    provisioning:
        # Prefix for the provisioning API paths.
        prefix: /_matrix/provision
        # Shared secret for authentication. If set to "generate", a random secret will be generated,
        # or if set to "disable", the provisioning API will be disabled.
        shared_secret: disable
        # Enable debug API at /debug with provisioning authentication.
        debug_endpoints: false
    # Permissions for using the bridge.
    # Permitted values:
    #    relay - Talk through the relaybot (if enabled), no access otherwise
    #     user - Access to use the bridge to chat with a Meta account.
    #    admin - User level and some additional administration tools
    # Permitted keys:
    #        * - All Matrix users
    #   domain - All users on that homeserver
    #     mxid - Specific user
    permissions: {{ matrix_mautrix_meta_messenger_bridge_permissions | to_json }}
    # Settings for relay mode
    relay:
        # Whether relay mode should be allowed. If allowed, `!wa set-relay` can be used to turn any
        # authenticated user into a relaybot for that chat.
        enabled: {{ matrix_mautrix_meta_messenger_bridge_relay_enabled | to_json }}
        # Should only admins be allowed to set themselves as relay users?
        admin_only: {{ matrix_mautrix_meta_messenger_bridge_relay_admin_only | to_json }}
        # The formats to use when sending messages to Meta via the relaybot.
        message_formats:
            m.text: "{% raw %}{{ .Sender.Displayname }}: {{ .Message }}{% endraw %}"
            m.notice: "{% raw %}{{ .Sender.Displayname }}: {{ .Message }}{% endraw %}"
            m.emote: "{% raw %}* {{ .Sender.Displayname }} {{ .Message }}{% endraw %}"
            m.file: "{% raw %}{{ .Sender.Displayname }} sent a file{% endraw %}"
            m.image: "{% raw %}{{ .Sender.Displayname }} sent an image{% endraw %}"
            m.audio: "{% raw %}{{ .Sender.Displayname }} sent an audio file{% endraw %}"
            m.video: "{% raw %}{{ .Sender.Displayname }} sent a video{% endraw %}"
            m.location: "{% raw %}{{ .Sender.Displayname }} sent a location{% endraw %}"
 # Logging config. See https://github.com/tulir/zeroconfig for details.
 logging:
    min_level: {{ matrix_mautrix_meta_messenger_logging_min_level | to_json }}
    writers:
-    - type: stdout
+        - type: stdout
-      format: pretty
+          format: pretty
--- a/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml
@ -9,7 +9,7 @@ matrix_mautrix_signal_container_image_self_build_repo: "https://mau.dev/mautrix/
 matrix_mautrix_signal_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_signal_version == 'latest' else matrix_mautrix_signal_version }}"
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/signal
-matrix_mautrix_signal_version: v0.7.0
+matrix_mautrix_signal_version: v0.7.1
 # See: https://mau.dev/mautrix/signal/container_registry
 matrix_mautrix_signal_docker_image: "{{ matrix_mautrix_signal_docker_image_name_prefix }}mautrix/signal:{{ matrix_mautrix_signal_docker_image_tag }}"
@ -100,6 +100,12 @@ matrix_mautrix_signal_logging_level: 'warn'
 # If false, created portal rooms will never be federated.
 matrix_mautrix_signal_federate_rooms: true
 matrix_mautrix_signal_backfill_enabled: true
 matrix_mautrix_signal_backfill_max_initial_messages: 50
 matrix_mautrix_signal_backfill_max_catchup_messages: 500
 matrix_mautrix_signal_backfill_unread_hours_threshold: 720
 matrix_mautrix_signal_backfill_threads_max_initial_messages: 50
 # Whether or not metrics endpoint should be enabled.
 # Enabling them is usually enough for a local (in-container) Prometheus to consume them.
 # If metrics need to be consumed by another (external) Prometheus server, consider exposing them via `matrix_mautrix_signal_metrics_proxying_enabled`.
--- a/roles/custom/matrix-bridge-mautrix-signal/templates/config.yaml.j2
+++ b/roles/custom/matrix-bridge-mautrix-signal/templates/config.yaml.j2
@ -280,18 +280,18 @@ direct_media:
 # See https://docs.mau.fi/bridges/general/backfill.html for more details.
 backfill:
    # Whether to do backfilling at all.
-    enabled: false
+    enabled: {{ matrix_mautrix_signal_backfill_enabled | to_json }}
    # Maximum number of messages to backfill in empty rooms.
-    max_initial_messages: 50
+    max_initial_messages: {{ matrix_mautrix_signal_backfill_max_initial_messages | to_json }}
    # Maximum number of missed messages to backfill after bridge restarts.
-    max_catchup_messages: 500
+    max_catchup_messages: {{ matrix_mautrix_signal_backfill_max_catchup_messages | to_json }}
    # If a backfilled chat is older than this number of hours,
    # mark it as read even if it's unread on the remote network.
-    unread_hours_threshold: 720
+    unread_hours_threshold: {{ matrix_mautrix_signal_backfill_unread_hours_threshold| to_json }}
    # Settings for backfilling threads within other backfills.
    threads:
        # Maximum number of messages to backfill in a new thread.
-        max_initial_messages: 50
+        max_initial_messages: {{ matrix_mautrix_signal_backfill_threads_max_initial_messages | to_json }}
    # Settings for the backwards backfill queue. This only applies when connecting to
    # Beeper as standard Matrix servers don't support inserting messages into history.
    queue:
--- a/roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml
@ -9,7 +9,7 @@ matrix_mautrix_slack_container_image_self_build_repo: "https://mau.dev/mautrix/s
 matrix_mautrix_slack_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_slack_version == 'latest' else matrix_mautrix_slack_version }}"
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/slack
-matrix_mautrix_slack_version: v0.1.0
+matrix_mautrix_slack_version: v0.1.1
 # See: https://mau.dev/mautrix/slack/container_registry
 matrix_mautrix_slack_docker_image: "{{ matrix_mautrix_slack_docker_image_name_prefix }}mautrix/slack:{{ matrix_mautrix_slack_version }}"
 matrix_mautrix_slack_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_slack_container_image_self_build else 'dock.mau.dev/' }}"
@ -55,6 +55,12 @@ matrix_mautrix_slack_homeserver_token: ''
 matrix_mautrix_slack_appservice_bot_username: slackbot
 matrix_mautrix_slack_backfill_enabled: true
 matrix_mautrix_slack_backfill_max_initial_messages: 50
 matrix_mautrix_slack_backfill_max_catchup_messages: 500
 matrix_mautrix_slack_backfill_unread_hours_threshold: 720
 matrix_mautrix_slack_backfill_threads_max_initial_messages: 50
 # Minimum severity of journal log messages.
 # Options: debug, info, warn, error, fatal
 matrix_mautrix_slack_logging_level: 'warn'
--- a/roles/custom/matrix-bridge-mautrix-slack/templates/config.yaml.j2
+++ b/roles/custom/matrix-bridge-mautrix-slack/templates/config.yaml.j2
@ -244,9 +244,7 @@ appservice:
    hs_token: {{ matrix_mautrix_slack_homeserver_token | to_json }}
    # Localpart template of MXIDs for remote users.
-    # {% raw %}
+    # {% raw %}{{.}}{% endraw %} is replaced with the internal ID of the user.
    # {{.}} is replaced with the internal ID of the user.
    # {% endraw %}
    username_template: "{% raw %}slack_{{.}}{% endraw %}"
 # Config options that affect the Matrix connector of the bridge.
@ -319,18 +317,18 @@ direct_media:
 # See https://docs.mau.fi/bridges/general/backfill.html for more details.
 backfill:
    # Whether to do backfilling at all.
-    enabled: false
+    enabled: {{ matrix_mautrix_slack_backfill_enabled | to_json }}
    # Maximum number of messages to backfill in empty rooms.
-    max_initial_messages: 50
+    max_initial_messages: {{ matrix_mautrix_slack_backfill_max_initial_messages | to_json }}
    # Maximum number of missed messages to backfill after bridge restarts.
-    max_catchup_messages: 500
+    max_catchup_messages: {{ matrix_mautrix_slack_backfill_max_catchup_messages | to_json }}
    # If a backfilled chat is older than this number of hours,
    # mark it as read even if it's unread on the remote network.
-    unread_hours_threshold: 720
+    unread_hours_threshold: {{ matrix_mautrix_slack_backfill_unread_hours_threshold| to_json }}
    # Settings for backfilling threads within other backfills.
    threads:
        # Maximum number of messages to backfill in a new thread.
-        max_initial_messages: 50
+        max_initial_messages: {{ matrix_mautrix_slack_backfill_threads_max_initial_messages | to_json }}
    # Settings for the backwards backfill queue. This only applies when connecting to
    # Beeper as standard Matrix servers don't support inserting messages into history.
    queue:
--- a/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml
@ -1,10 +1,5 @@
 # File              : roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml
 # Author            : Pierre (McFly) Marty <paq.marty@gmail.com>
 # Date              : 17.01.2024
 # Last Modified Date: 17.01.2024
 # Last Modified By  : Pierre (McFly) Marty <paq.marty@gmail.com>
 # -----
 ---
 # mautrix-telegram is a Matrix <-> Telegram bridge
 # Project source code URL: https://github.com/mautrix/telegram
Author	SHA1	Message	Date
Thom Wiggers	70c1eeea91	Merge `525601d0c7` into `67df140ef4`	2024-09-17 14:19:56 +03:00
Slavi Pantaleev	67df140ef4	Upgrade Traefik (v3.1.2-1 -> v3.1.3-0)	2024-09-17 10:42:27 +03:00
Slavi Pantaleev	53f3c94bef	Enable backfilling for mautrix-gmessages, mautrix-signal and mautrix-slack We'be already been going against upstream defaults and have been enabling backfilling for a few other bridges (Messenger, Instagram, Telegram, Twitter). Now I'm enabling backfilling by default for the remaining ones, for consistency.	2024-09-17 09:39:35 +03:00
Slavi Pantaleev	f9705b3323	Upgrade mautrix-gmessages (v0.4.3 -> v0.5.0) and adapt configuration Related to: - https://github.com/mautrix/gmessages/releases/tag/v0.5.0 - https://mau.fi/blog/2024-09-mautrix-release/ It seems like the new version does not support a `/metrics` endpoint. We skip keep the Ansible variables, but they're not doing anything.	2024-09-17 09:39:35 +03:00
Slavi Pantaleev	01e5514c4b	Upgrade mautrix-meta (v0.3.2 -> v0.4.0) and adapt configuration Related to: - https://github.com/mautrix/meta/releases/tag/v0.4.0 - https://mau.fi/blog/2024-09-mautrix-release/ It seems like the new version does not support a `/metrics` endpoint. We skip keep the Ansible variables, but they're not doing anything.	2024-09-17 09:39:35 +03:00
Slavi Pantaleev	626a851c82	Fix username_template potentially not being taken into account for mautrix-slack While working on upgrading the Meta bridges to bridgev2, I've noticed that {% raw %} and {% endraw %} on lines like that (immediately preceding `username_template` may cause YAML indentation issues.	2024-09-17 09:39:35 +03:00
Slavi Pantaleev	52018c652f	Merge pull request #3530 from spantaleev/renovate/dock.mau.dev-mautrix-signal-0.x Update dock.mau.dev/mautrix/signal Docker tag to v0.7.1	2024-09-17 06:36:02 +03:00
Slavi Pantaleev	42cc7b0844	Merge pull request #3531 from spantaleev/renovate/dock.mau.dev-mautrix-slack-0.x Update dock.mau.dev/mautrix/slack Docker tag to v0.1.1	2024-09-17 06:34:19 +03:00
renovate[bot]	ca0abda581	Update dock.mau.dev/mautrix/slack Docker tag to v0.1.1	2024-09-16 13:07:41 +00:00
renovate[bot]	7507383a90	Update dock.mau.dev/mautrix/signal Docker tag to v0.7.1	2024-09-16 13:07:37 +00:00
Thom Wiggers	525601d0c7	Update config.yaml template	2024-09-09 13:57:30 +02:00
Thom Wiggers	d0a021e8e8	Update server config sample	2024-09-09 13:39:01 +02:00
Thom Wiggers	6de7195edc	Update to 3.0.1	2024-09-09 13:14:13 +02:00
Thom Wiggers	95c675159f	Update matrix-appservice-irc version	2024-09-02 13:13:28 +02:00