Add various polish to Conduwuit

https://github.com/Virkkunen and I have been working on the same feature
simultaneously.

This patch adds my additional independent work on top of his changes.

Notable changes here compared to Virkkunen's original work:

- renaming config-related variables (`matrix_conduwuit_*` ->
  `matrix_conduwuit_config_*`). This is consistent with other roles (and
  better), but deviates from how the Conduit role was implemented.

- using a full configuration sample from https://conduwuit.puppyirl.gay/configuration.html
  instead of using the old Conduit config file template

- introducing configurability for more Conduwuit config settings, to support easy registration, etc.

- removing configuration settings that Conduwuit does not support
  anymore (e.g. `max_concurrent_requests`)

- cross-linking docs pages for Conduit and Conduwuit

- a Conduwuit docs page which is much improved compared to the old
  Conduit one

- REAMDE updates

README.md

@@ -52,6 +52,7 @@ The homeserver is the backbone of your Matrix system. Choose one from the follow
 | ---- | -------- | ----------- | ------------- |
 | [Synapse](https://github.com/element-hq/synapse) | ✅ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network | [Link](docs/configuring-playbook-synapse.md) |
 | [Conduit](https://conduit.rs) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Conduit is a lightweight open-source server implementation of the Matrix Specification with a focus on easy setup and low system requirements | [Link](docs/configuring-playbook-conduit.md) |
+| [Conduwuit](https://conduwuit.puppyirl.gay/) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Conduwuit is a fork of Conduit. | [Link](docs/configuring-playbook-conduwuit.md) |
 | [Dendrite](https://github.com/element-hq/dendrite) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Dendrite is a second-generation Matrix homeserver written in Go, an alternative to Synapse. | [Link](docs/configuring-playbook-dendrite.md) |
 
 ### Clients

docs/configuring-playbook-conduit.md

@@ -6,6 +6,8 @@ See the project's [documentation](https://docs.conduit.rs/) to learn what it doe
 
 By default, the playbook installs [Synapse](https://github.com/element-hq/synapse) as it's the only full-featured Matrix server at the moment. If that's okay, you can skip this document.
 
+💡 **Note**: The playbook also supports installing a (currently) faster-moving Conduit fork called [Conduwuit](./configuring-playbook-conduwuit.md).
+
 ⚠️ **Warnings**:
 
 - **You can't switch an existing Matrix server's implementation** (e.g. Synapse -> Conduit). Proceed below only if you're OK with losing data or you're dealing with a server on a new domain name, which hasn't participated in the Matrix federation yet.
@@ -48,9 +50,9 @@ Since it is difficult to create the first user account on Conduit (see [famedly/
 
 ## Configuring bridges / appservices
 
-Automatic appservice setup is currently unsupported when using Conduit. After setting up the service as usual you may notice that it is unable to start.
+For other homeserver implementations (like Synapse and Dendrite), the playbook automatically registers appservices (for bridges, bots, etc.) with the homeserver.
 
-You will have to manually register appservices using the the [register-appservice](https://gitlab.com/famedly/conduit/-/blob/next/APPSERVICES.md) command.
+For Conduit, you will have to manually register appservices using the the [register-appservice](https://gitlab.com/famedly/conduit/-/blob/next/APPSERVICES.md) command.
 
 Find the `registration.yaml` in the `/matrix` directory, for example `/matrix/mautrix-signal/bridge/registration.yaml`, then pass the content to Conduit:
 

docs/configuring-playbook-conduwuit.md

@@ -0,0 +1,95 @@
+# Configuring Conduwuit (optional)
+
+The playbook can install and configure the [Conduwuit](https://conduwuit.puppyirl.gay/) Matrix server for you.
+
+See the project's [documentation](https://conduwuit.puppyirl.gay/) to learn what it does and why it might be useful to you.
+
+By default, the playbook installs [Synapse](https://github.com/element-hq/synapse) as it's the only full-featured Matrix server at the moment. If that's okay, you can skip this document.
+
+💡 **Note**: Conduwuit is a fork of [Conduit](./configuring-playbook-conduit.md), which the playbook also supports. See [Differences from upstream Conduit](https://conduwuit.puppyirl.gay/differences.html).
+
+⚠️ **Warnings**:
+
+- **You can't switch an existing Matrix server's implementation** (e.g. Synapse -> Conduwuit). Proceed below only if you're OK with losing data or you're dealing with a server on a new domain name, which hasn't participated in the Matrix federation yet.
+
+- **Homeserver implementations other than Synapse may not be fully functional**. The playbook may also not assist you in an optimal way (like it does with Synapse). Make yourself familiar with the downsides before proceeding
+
+## Adjusting the playbook configuration
+
+To use Conduwuit, you **generally** need to adjust the `matrix_homeserver_implementation: synapse` configuration on your `inventory/host_vars/matrix.example.com/vars.yml` file as below:
+
+```yaml
+matrix_homeserver_implementation: conduwuit
+
+# Registering users can only happen via the API,
+# so it makes sense to enable it, at least initially.
+matrix_conduwuit_config_allow_registration: true
+
+# Generate a strong registration token to protect the registration endpoint from abuse.
+# You can create one with a command like `pwgen -s 64 1`.
+matrix_conduwuit_config_registration_token: ''
+```
+
+### Extending the configuration
+
+There are some additional things you may wish to configure about the server.
+
+Take a look at:
+
+- `roles/custom/matrix-conduwuit/defaults/main.yml` for some variables that you can customize via your `vars.yml` file
+- `roles/custom/matrix-conduwuit/templates/conduwuit.toml.j2` for the server's default configuration
+
+There are various Ansible variables that control settings in the `conduwuit.toml` file.
+
+If a specific setting you'd like to change does not have a dedicated Ansible variable, you can either submit a PR to us to add it, or you can [override the setting using an environment variable](https://conduwuit.puppyirl.gay/configuration.html#environment-variables) using `matrix_conduwuit_environment_variables_extension`. For example:
+
+```yaml
+matrix_conduwuit_environment_variables_extension: |
+  CONDUWUIT_MAX_REQUEST_SIZE=50000000
+  CONDUWUIT_REQUEST_TIMEOUT=60
+```
+
+## Creating the first user account
+
+Unlike other homeserver implementations (like Synapse and Dendrite), Conduwuit does not support creating users via the command line or via the playbook.
+
+If you followed the instructions above (see [Adjusting the playbook configuration](#adjusting-the-playbook-configuration)), you should have registration enabled and protected by a registration token.
+
+This should allow you to create the first user account via any client (like [Element Web](./configuring-playbook-client-element-web.md)) which supports creating users.
+
+The **first user account that you create will be marked as an admin** and **will be automatically invited to an admin room**.
+
+
+## Configuring bridges / appservices
+
+For other homeserver implementations (like Synapse and Dendrite), the playbook automatically registers appservices (for bridges, bots, etc.) with the homeserver.
+
+For Conduwuit, you will have to manually register appservices using the [`!admin appservices register` command](https://conduwuit.puppyirl.gay/appservices.html#set-up-the-appservice---general-instructions) sent to the server bot account.
+
+The server's bot account has a Matrix ID of `@conduit:example.com` (not `@conduwuit:example.com`!) due to Conduwuit's historical legacy.
+Your first user account would already have been invited to an admin room with this bot.
+
+Find the appservice file you'd like to register. This can be any `registration.yaml` file found in the `/matrix` directory, for example `/matrix/mautrix-signal/bridge/registration.yaml`.
+
+Then, send its content to the existing admin room:
+
+    !admin appservices register
+
+    ```
+    as_token: <token>
+    de.sorunome.msc2409.push_ephemeral: true
+    hs_token: <token>
+    id: signal
+    namespaces:
+      aliases:
+      - exclusive: true
+        regex: ^#signal_.+:example\.org$
+      users:
+      - exclusive: true
+        regex: ^@signal_.+:example\.org$
+      - exclusive: true
+        regex: ^@signalbot:example\.org$
+    rate_limited: false
+    sender_localpart: _bot_signalbot
+    url: http://matrix-mautrix-signal:29328
+    ```

group_vars/matrix_servers

@@ -553,7 +553,7 @@ matrix_homeserver_container_client_api_endpoint: |-
       'synapse': ('matrix-synapse-reverse-proxy-companion:8008' if matrix_synapse_reverse_proxy_companion_enabled | default(false) else ('matrix-synapse:'+ matrix_synapse_container_client_api_port | default('8008') | string)),
       'dendrite': ('matrix-dendrite:' + matrix_dendrite_http_bind_port | default('8008') | string),
       'conduit': ('matrix-conduit:' + matrix_conduit_port_number | default('8008') | string),
-      'conduwuit': ('matrix-conduwuit:' + matrix_conduwuit_port_number | default('8008') | string),
+      'conduwuit': ('matrix-conduwuit:' + matrix_conduwuit_config_port_number | default('8008') | string),
     }[matrix_homeserver_implementation]
   }}
 
@@ -563,7 +563,7 @@ matrix_homeserver_container_federation_api_endpoint: |-
       'synapse': ('matrix-synapse-reverse-proxy-companion:8048' if matrix_synapse_reverse_proxy_companion_enabled else ('matrix-synapse:'+ matrix_synapse_container_federation_api_plain_port | default('8008') | string)),
       'dendrite': ('matrix-dendrite:' + matrix_dendrite_http_bind_port | default('8008') | string),
       'conduit': ('matrix-conduit:' + matrix_conduit_port_number | default('8008') | string),
-      'conduwuit': ('matrix-conduwuit:' + matrix_conduwuit_port_number | default('8008') | string),
+      'conduwuit': ('matrix-conduwuit:' + matrix_conduwuit_config_port_number | default('8008') | string),
     }[matrix_homeserver_implementation]
   }}
 
@@ -5818,7 +5818,7 @@ matrix_conduwuit_enabled: "{{ matrix_homeserver_implementation == 'conduwuit' }}
 
 matrix_conduwuit_hostname: "{{ matrix_server_fqn_matrix }}"
 
-matrix_conduwuit_allow_federation: "{{ matrix_homeserver_federation_enabled }}"
+matrix_conduwuit_config_allow_federation: "{{ matrix_homeserver_federation_enabled }}"
 
 matrix_conduwuit_container_network: "{{ matrix_homeserver_container_network }}"
 
@@ -5844,7 +5844,7 @@ matrix_conduwuit_container_labels_public_federation_api_traefik_tls: "{{ matrix_
 matrix_conduwuit_container_labels_internal_client_api_enabled: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled }}"
 matrix_conduwuit_container_labels_internal_client_api_traefik_entrypoints: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name }}"
 
-matrix_conduwuit_turn_uris: |
+matrix_conduwuit_config_turn_uris: |
   {{
     ([
       'turns:' + matrix_server_fqn_matrix + '?transport=udp',
@@ -5857,9 +5857,11 @@ matrix_conduwuit_turn_uris: |
     ] if matrix_coturn_enabled else [])
   }}
 
-matrix_conduwuit_turn_secret: "{{ matrix_coturn_turn_static_auth_secret if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'auth-secret') else '' }}"
-matrix_conduwuit_turn_username: "{{ matrix_coturn_lt_cred_mech_username if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'lt-cred-mech') else '' }}"
-matrix_conduwuit_turn_password: "{{ matrix_coturn_lt_cred_mech_password if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'lt-cred-mech') else '' }}"
+matrix_conduwuit_config_turn_secret: "{{ matrix_coturn_turn_static_auth_secret if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'auth-secret') else '' }}"
+matrix_conduwuit_config_turn_username: "{{ matrix_coturn_lt_cred_mech_username if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'lt-cred-mech') else '' }}"
+matrix_conduwuit_config_turn_password: "{{ matrix_coturn_lt_cred_mech_password if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'lt-cred-mech') else '' }}"
+
+matrix_conduwuit_self_check_validate_certificates: "{{ matrix_playbook_ssl_enabled }}"
 
 ######################################################################
 #

roles/custom/matrix-conduwuit/defaults/main.yml

@@ -1,5 +1,5 @@
 ---
-# Conduwuit is a fork of Conduit, powered by Matrix
+# conduwuit is a very cool, featureful fork of conduit (https://gitlab.com/famedly/conduit).
 # Project source code URL: https://github.com/girlbossceo/conduwuit
 # See: https://conduwuit.puppyirl.gay/
 
@@ -7,17 +7,18 @@ matrix_conduwuit_enabled: true
 
 matrix_conduwuit_hostname: ''
 
-matrix_conduwuit_docker_image: "{{ matrix_conduwuit_docker_image_name_prefix }}girlbossceo/conduwuit:{{ matrix_conduwuit_docker_image_tag }}"
+matrix_conduwuit_docker_image: "{{ matrix_conduwuit_docker_image_registry_prefix }}girlbossceo/conduwuit:{{ matrix_conduwuit_docker_image_tag }}"
 matrix_conduwuit_docker_image_name_prefix: "docker.io/"
-# renovate: datasource=docker depName=girlbossceo/conduwuit
-matrix_conduwuit_docker_image_tag: "main"
+# renovate: datasource=docker depName=ghcr.io/girlbossceo/conduwuit
+matrix_conduwuit_docker_image_tag: v0.4.6-8f7ade4c22533a3177bfd8f175e178573ba6c1d4
 matrix_conduwuit_docker_image_force_pull: "{{ matrix_conduwuit_docker_image.endswith(':latest') }}"
+matrix_conduwuit_docker_image_registry_prefix: ghcr.io/
 
 matrix_conduwuit_base_path: "{{ matrix_base_data_path }}/conduwuit"
 matrix_conduwuit_config_path: "{{ matrix_conduwuit_base_path }}/config"
 matrix_conduwuit_data_path: "{{ matrix_conduwuit_base_path }}/data"
 
-matrix_conduwuit_port_number: 6167
+matrix_conduwuit_config_port_number: 6167
 
 matrix_conduwuit_tmp_directory_size_mb: 500
 
@@ -88,7 +89,7 @@ matrix_conduwuit_container_labels_internal_client_api_traefik_priority: "{{ matr
 matrix_conduwuit_container_labels_internal_client_api_traefik_entrypoints: ""
 
 # Controls whether labels will be added that expose the Server-Server API (Federation API) on a public Traefik entrypoint.
-matrix_conduwuit_container_labels_public_federation_api_enabled: "{{ matrix_conduwuit_allow_federation }}"
+matrix_conduwuit_container_labels_public_federation_api_enabled: "{{ matrix_conduwuit_config_allow_federation }}"
 matrix_conduwuit_container_labels_public_federation_api_traefik_hostname: "{{ matrix_conduwuit_hostname }}"
 matrix_conduwuit_container_labels_public_federation_api_traefik_path_prefix: /_matrix
 matrix_conduwuit_container_labels_public_federation_api_traefik_rule: "Host(`{{ matrix_conduwuit_container_labels_public_federation_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_conduwuit_container_labels_public_federation_api_traefik_path_prefix }}`)"
@@ -98,6 +99,16 @@ matrix_conduwuit_container_labels_public_federation_api_traefik_entrypoints: ''
 matrix_conduwuit_container_labels_public_federation_api_traefik_tls: true
 matrix_conduwuit_container_labels_public_federation_api_traefik_tls_certResolver: "{{ matrix_conduwuit_container_labels_traefik_tls_certResolver }}"  # noqa var-naming
 
+# Controls whether labels will be added that expose the `/_conduwuit` path prefix on a public Traefik entrypoint.
+matrix_conduwuit_container_labels_public_conduwuit_api_enabled: true
+matrix_conduwuit_container_labels_public_conduwuit_api_traefik_hostname: "{{ matrix_conduwuit_hostname }}"
+matrix_conduwuit_container_labels_public_conduwuit_api_traefik_path_prefix: /_conduwuit
+matrix_conduwuit_container_labels_public_conduwuit_api_traefik_rule: "Host(`{{ matrix_conduwuit_container_labels_public_conduwuit_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_conduwuit_container_labels_public_conduwuit_api_traefik_path_prefix }}`)"
+matrix_conduwuit_container_labels_public_conduwuit_api_traefik_priority: 0
+matrix_conduwuit_container_labels_public_conduwuit_api_traefik_entrypoints: "{{ matrix_conduwuit_container_labels_traefik_entrypoints }}"
+matrix_conduwuit_container_labels_public_conduwuit_api_traefik_tls: "{{ matrix_conduwuit_container_labels_public_conduwuit_api_traefik_entrypoints != 'web' }}"
+matrix_conduwuit_container_labels_public_conduwuit_api_traefik_tls_certResolver: "{{ matrix_conduwuit_container_labels_traefik_tls_certResolver }}"  # noqa var-naming
+
 # matrix_conduwuit_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
 # See `../templates/labels.j2` for details.
 #
@@ -118,25 +129,61 @@ matrix_conduwuit_container_extra_arguments: []
 matrix_conduwuit_template_conduwuit_config: "{{ role_path }}/templates/conduwuit.toml.j2"
 
 # Max size for uploads, in bytes
-matrix_conduwuit_max_request_size: 20_000_000
+matrix_conduwuit_config_server_name: "{{ matrix_domain }}"
+
+# Max size for uploads, in bytes
+matrix_conduwuit_config_max_request_size: 20_000_000
 
 # Enables registration. If set to false, no users can register on this server.
-matrix_conduwuit_allow_registration: false
+matrix_conduwuit_config_allow_registration: false
 
-matrix_conduwuit_allow_federation: true
+# Controls the `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse` setting.
+# This is only used when `matrix_conduwuit_config_allow_registration` is set to true and no registration token is configured.
+matrix_conduwuit_config_yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse: false
 
-# The display name suffix on registration. Change to '' to disable.
-matrix_conduwuit_new_user_displayname_suffix: ''
+# Controls the `registration_token` setting.
+# When registration is enabled (`matrix_conduwuit_config_allow_registration`) you:
+# - either need to set a token to protect registration from abuse
+# - or you need to enable the `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse` setting
+#   (see `matrix_conduwuit_config_yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse`),
+#   to allow registration without any form of 2nd-step.
+matrix_conduwuit_config_registration_token: ''
+
+# Controls the `new_user_displayname_suffix` setting.
+# This is the suffix that will be added to the displayname of new users.
+# Upstream defaults this to "🏳️‍⚧️", but we keep this consistent across all homeserver implementations and do not enable a suffix.
+matrix_conduwuit_config_new_user_displayname_suffix: ""
+
+# Controls the `allow_check_for_updates` setting.
+matrix_conduwuit_config_allow_check_for_updates: false
+
+# Controls the `emergency_password` setting.
+matrix_conduwuit_config_emergency_password: ''
+
+# Controls the `allow_federation` setting.
+matrix_conduwuit_config_allow_federation: true
 
 matrix_conduwuit_trusted_servers:
  - "matrix.org"
 
-# How many requests conduwuit sends to other servers at the same time
-matrix_conduwuit_max_concurrent_requests: 100
+matrix_conduwuit_config_log: "info,state_res=warn,rocket=off,_=off,sled=off"
 
 # TURN integration.
-# See: https://gitlab.com/famedly/conduwuit/-/blob/next/TURN.md
-matrix_conduwuit_turn_uris: []
-matrix_conduwuit_turn_secret: ''
-matrix_conduwuit_turn_username: ''
-matrix_conduwuit_turn_password: ''
+# See: https://conduwuit.puppyirl.gay/turn.html
+matrix_conduwuit_config_turn_uris: []
+matrix_conduwuit_config_turn_secret: ''
+matrix_conduwuit_config_turn_username: ''
+matrix_conduwuit_config_turn_password: ''
+
+# Controls whether the self-check feature should validate SSL certificates.
+matrix_conduwuit_self_check_validate_certificates: true
+
+# Additional environment variables to pass to the container.
+#
+# Environment variables take priority over settings in the configuration file.
+#
+# Example:
+# matrix_conduwuit_environment_variables_extension: |
+#   CONDUWUIT_MAX_REQUEST_SIZE=50000000
+#   CONDUWUIT_REQUEST_TIMEOUT=60
+matrix_conduwuit_environment_variables_extension: ''

roles/custom/matrix-conduwuit/tasks/install.yml

@@ -0,0 +1,60 @@
+---
+
+- name: Ensure conduwuit config path exists
+  ansible.builtin.file:
+    path: "{{ matrix_conduwuit_config_path }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+
+- name: Ensure conduwuit data path exists
+  ansible.builtin.file:
+    path: "{{ matrix_conduwuit_data_path }}"
+    state: directory
+    mode: 0770
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+
+- name: Ensure conduwuit configuration installed
+  ansible.builtin.template:
+    src: "{{ matrix_conduwuit_template_conduwuit_config }}"
+    dest: "{{ matrix_conduwuit_config_path }}/conduwuit.toml"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+
+- name: Ensure conduwuit support files installed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/{{ item }}.j2"
+    dest: "{{ matrix_conduwuit_base_path }}/{{ item }}"
+    mode: 0640
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - labels
+    - env
+
+- name: Ensure conduwuit container network is created
+  community.general.docker_network:
+    enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}"
+    name: "{{ matrix_conduwuit_container_network }}"
+    driver: bridge
+    driver_options: "{{ devture_systemd_docker_base_container_networks_driver_options }}"
+
+- name: Ensure conduwuit container image is pulled
+  community.docker.docker_image:
+    name: "{{ matrix_conduwuit_docker_image }}"
+    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    force_source: "{{ matrix_conduwuit_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_conduwuit_docker_image_force_pull }}"
+  register: result
+  retries: "{{ devture_playbook_help_container_retries_count }}"
+  delay: "{{ devture_playbook_help_container_retries_delay }}"
+  until: result is not failed
+
+- name: Ensure matrix-conduwuit.service installed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/systemd/matrix-conduwuit.service.j2"
+    dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-conduwuit.service"
+    mode: 0644

roles/custom/matrix-conduwuit/tasks/main.yml

@@ -10,11 +10,20 @@
       ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
 
     - when: matrix_conduwuit_enabled | bool
-      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml"
 
 - tags:
     - setup-all
     - setup-conduwuit
   block:
     - when: not matrix_conduwuit_enabled | bool
-      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml"
+
+- tags:
+    - self-check
+  block:
+    - when: matrix_conduwuit_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_client_api.yml"
+
+    - when: matrix_conduwuit_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_federation_api.yml"

roles/custom/matrix-conduwuit/tasks/self_check_client_api.yml

@@ -0,0 +1,23 @@
+---
+
+- name: Check Matrix Client API
+  ansible.builtin.uri:
+    url: "{{ matrix_conduwuit_client_api_url_endpoint_public }}"
+    follow_redirects: none
+    validate_certs: "{{ matrix_conduwuit_self_check_validate_certificates }}"
+  register: result_matrix_conduwuit_client_api
+  ignore_errors: true
+  check_mode: false
+  when: matrix_conduwuit_enabled | bool
+  delegate_to: 127.0.0.1
+  become: false
+
+- name: Fail if Matrix Client API not working
+  ansible.builtin.fail:
+    msg: "Failed checking Matrix Client API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_conduwuit_client_api_url_endpoint_public }}`). Is Conduwuit running? Is port 443 open in your firewall? Full error: {{ result_matrix_conduwuit_client_api }}"
+  when: "matrix_conduwuit_enabled | bool and (result_matrix_conduwuit_client_api.failed or 'json' not in result_matrix_conduwuit_client_api)"
+
+- name: Report working Matrix Client API
+  ansible.builtin.debug:
+    msg: "The Matrix Client API at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_conduwuit_client_api_url_endpoint_public }}`) is working"
+  when: matrix_conduwuit_enabled | bool

roles/custom/matrix-conduwuit/tasks/self_check_federation_api.yml

@@ -0,0 +1,28 @@
+---
+
+- name: Check Matrix Federation API
+  ansible.builtin.uri:
+    url: "{{ matrix_synapse_federation_api_url_endpoint_public }}"
+    follow_redirects: none
+    validate_certs: "{{ matrix_synapse_self_check_validate_certificates }}"
+  register: result_matrix_synapse_federation_api
+  ignore_errors: true
+  check_mode: false
+  when: matrix_synapse_enabled | bool
+  delegate_to: 127.0.0.1
+  become: false
+
+- name: Fail if Matrix Federation API not working
+  ansible.builtin.fail:
+    msg: "Failed checking Matrix Federation API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_synapse_federation_api_url_endpoint_public }}`). Is Synapse running? Is port {{ matrix_federation_public_port }} open in your firewall? Full error: {{ result_matrix_synapse_federation_api }}"
+  when: "matrix_synapse_enabled | bool and matrix_synapse_federation_enabled | bool and (result_matrix_synapse_federation_api.failed or 'json' not in result_matrix_synapse_federation_api)"
+
+- name: Fail if Matrix Federation API unexpectedly enabled
+  ansible.builtin.fail:
+    msg: "Matrix Federation API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_synapse_federation_api_url_endpoint_public }}`) despite being disabled."
+  when: "matrix_synapse_enabled | bool and not matrix_synapse_federation_enabled | bool and not result_matrix_synapse_federation_api.failed"
+
+- name: Report working Matrix Federation API
+  ansible.builtin.debug:
+    msg: "The Matrix Federation API at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_synapse_federation_api_url_endpoint_public }}`) is working"
+  when: "matrix_synapse_enabled | bool and matrix_synapse_federation_enabled | bool"

roles/custom/matrix-conduwuit/tasks/uninstall.yml

@@ -0,0 +1,19 @@
+---
+
+- name: Check existence of matrix-conduwuit service
+  ansible.builtin.stat:
+    path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-conduwuit.service"
+  register: matrix_conduwuit_service_stat
+
+- when: matrix_conduwuit_service_stat.stat.exists | bool
+  block:
+    - name: Ensure matrix-conduwuit is stopped
+      ansible.builtin.systemd:
+        name: matrix-conduwuit
+        state: stopped
+        daemon_reload: true
+
+    - name: Ensure matrix-conduwuit.service doesn't exist
+      ansible.builtin.file:
+        path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-conduwuit.service"
+        state: absent

roles/custom/matrix-conduwuit/templates/env.j2

@@ -0,0 +1 @@
+{{ matrix_conduwuit_environment_variables_extension }}

roles/custom/matrix-conduwuit/templates/labels.j2

@@ -5,7 +5,7 @@ traefik.enable=true
 traefik.docker.network={{ matrix_conduwuit_container_labels_traefik_docker_network }}
 {% endif %}
 
-traefik.http.services.matrix-conduwuit.loadbalancer.server.port={{ matrix_conduwuit_port_number }}
+traefik.http.services.matrix-conduwuit.loadbalancer.server.port={{ matrix_conduwuit_config_port_number }}
 
 
 {% if matrix_conduwuit_container_labels_public_client_root_enabled %}
@@ -129,6 +129,37 @@ traefik.http.routers.matrix-conduwuit-public-federation-api.tls.certResolver={{
 {% endif %}
 
 
+
+
+{% if matrix_conduwuit_container_labels_public_conduwuit_api_enabled %}
+############################################################
+#                                                          #
+# Public Conduwuit-API (/_conduwuit)                       #
+#                                                          #
+############################################################
+
+traefik.http.routers.matrix-conduwuit-public-conduwuit-api.rule={{ matrix_conduwuit_container_labels_public_conduwuit_api_traefik_rule }}
+
+{% if matrix_conduwuit_container_labels_public_conduwuit_api_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-conduwuit-public-conduwuit-api.priority={{ matrix_conduwuit_container_labels_public_conduwuit_api_traefik_priority }}
+{% endif %}
+
+traefik.http.routers.matrix-conduwuit-public-conduwuit-api.service=matrix-conduwuit
+traefik.http.routers.matrix-conduwuit-public-conduwuit-api.entrypoints={{ matrix_conduwuit_container_labels_public_conduwuit_api_traefik_entrypoints }}
+
+traefik.http.routers.matrix-conduwuit-public-conduwuit-api.tls={{ matrix_conduwuit_container_labels_public_conduwuit_api_traefik_tls | to_json }}
+{% if matrix_conduwuit_container_labels_public_conduwuit_api_traefik_tls %}
+traefik.http.routers.matrix-conduwuit-public-conduwuit-api.tls.certResolver={{ matrix_conduwuit_container_labels_public_conduwuit_api_traefik_tls_certResolver }}
+{% endif %}
+
+############################################################
+#                                                          #
+# /Public Conduwuit-API (/_conduwuit)                      #
+#                                                          #
+############################################################
+{% endif %}
+
+
 {% endif %}
 
 {{ matrix_conduwuit_container_labels_additional_labels }}

roles/custom/matrix-conduwuit/templates/systemd/matrix-conduwuit.service.j2

@@ -1,6 +1,6 @@
 #jinja2: lstrip_blocks: "True"
 [Unit]
-Description=Conduwuit Matrix homeserver
+Description=conduwuit Matrix homeserver
 {% for service in matrix_conduwuit_systemd_required_services_list %}
 Requires={{ service }}
 After={{ service }}
@@ -21,10 +21,10 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 			--read-only \
 			--tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_conduwuit_tmp_directory_size_mb }}m \
 			--network={{ matrix_conduwuit_container_network }} \
-			--env conduwuit_CONFIG=/etc/matrix-conduwuit/conduwuit.toml \
+			--env CONDUWUIT_CONFIG=/etc/conduwuit/conduwuit.toml \
 			--label-file={{ matrix_conduwuit_base_path }}/labels \
-			--mount type=bind,src={{ matrix_conduwuit_data_path }},dst=/var/lib/matrix-conduwuit \
-			--mount type=bind,src={{ matrix_conduwuit_config_path }},dst=/etc/matrix-conduwuit,ro \
+			--mount type=bind,src={{ matrix_conduwuit_data_path }},dst=/var/lib/conduwuit \
+			--mount type=bind,src={{ matrix_conduwuit_config_path }},dst=/etc/conduwuit,ro \
 			{% for arg in matrix_conduwuit_container_extra_arguments %}
 			{{ arg }} \
 			{% endfor %}

roles/custom/matrix-conduwuit/vars/main.yml

@@ -1,3 +1,4 @@
 ---
+
 matrix_conduwuit_client_api_url_endpoint_public: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}://{{ matrix_conduwuit_hostname }}/_matrix/client/versions"
 matrix_conduwuit_federation_api_url_endpoint_public: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}://{{ matrix_conduwuit_hostname }}:{{ matrix_federation_public_port }}/_matrix/federation/v1/version"

roles/custom/matrix_playbook_migration/tasks/validate_config.yml

@@ -302,14 +302,6 @@
         - {'old': 'matrix_nginx_proxy_proxy_conduit_federation_api_addr_with_container', 'new': '<removed>'}
         - {'old': 'matrix_nginx_proxy_proxy_conduit_federation_api_addr_sans_container', 'new': '<removed>'}
         - {'old': 'matrix_nginx_proxy_proxy_conduit_additional_server_configuration_blocks', 'new': '<removed>'}
-        - {'old': 'matrix_nginx_proxy_proxy_conduwuit_enabled', 'new': 'matrix_conduwuit_container_labels_traefik_enabled'}
-        - {'old': 'matrix_nginx_proxy_proxy_conduwuit_block_federation_api_on_client_port', 'new': '<not supported anymore - the /_matrix/federation endpoints are now also being served on the Client-Server API port>'}
-        - {'old': 'matrix_nginx_proxy_proxy_conduwuit_federation_api_enabled', 'new': 'matrix_conduwuit_container_labels_public_federation_api_enabled'}
-        - {'old': 'matrix_nginx_proxy_proxy_conduwuit_client_api_addr_with_container', 'new': '<removed>'}
-        - {'old': 'matrix_nginx_proxy_proxy_conduwuit_client_api_addr_sans_container', 'new': '<removed>'}
-        - {'old': 'matrix_nginx_proxy_proxy_conduwuit_federation_api_addr_with_container', 'new': '<removed>'}
-        - {'old': 'matrix_nginx_proxy_proxy_conduwuit_federation_api_addr_sans_container', 'new': '<removed>'}
-        - {'old': 'matrix_nginx_proxy_proxy_conduwuit_additional_server_configuration_blocks', 'new': '<removed>'}
         - {'old': 'matrix_nginx_proxy_proxy_dendrite_enabled', 'new': 'matrix_dendrite_container_labels_traefik_enabled'}
         - {'old': 'matrix_nginx_proxy_proxy_dendrite_block_federation_api_on_client_port', 'new': '<not supported anymore - the /_matrix/federation endpoints are now also being served on the Client-Server API port>'}
         - {'old': 'matrix_nginx_proxy_proxy_dendrite_federation_api_enabled', 'new': 'matrix_dendrite_container_labels_public_federation_api_enabled'}