Merge 0b9389fd6492d0c26c5ed16ba17d51d36c378016 into da08975ca851dcf7872012e33d49c21c1f907ebb

Update docs/faq.md

CHANGELOG.md

@@ -174,7 +174,7 @@ If upstream synapse-admin picks up the pace and improves, the etke.cc fork may d
 
 If you'd like to switch back to the original synapse-admin software, you can do so by adding the following configuration to your `vars.yml` file:
 
-```yml
+```yaml
 matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:{{ matrix_synapse_admin_version }}"
 matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_image_self_build else matrix_container_global_registry_prefix }}"
 
@@ -199,7 +199,7 @@ All non-deprecated mautrix bridges in the playbook have been reworked to support
 
 We recommend **enabling double-puppeting via the new Appservice method** by adding the following configuration to your `vars.yml` file:
 
-```yml
+```yaml
 matrix_appservice_double_puppet_enabled: true
 ```
 
@@ -231,7 +231,7 @@ This upgrade necessitates configuration policy changes as described in [matrix-c
 
 If you'd like to remain on the old (v2) version of matrix-corporal, you can do so by adding the following configuration to your `vars.yml` file:
 
-```yml
+```yaml
 matrix_corporal_version: 2.8.0
 ```
 
@@ -287,7 +287,7 @@ Still, if HTTP/3 cannot function correctly in your setup, it's best to disable a
 
 To **disable HTTP/3**, you can use the following configuration:
 
-```yml
+```yaml
 traefik_config_entrypoint_web_secure_http3_enabled: false
 
 # Disabling HTTP/3 for the web-secure entrypoint (above),
@@ -301,7 +301,7 @@ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_ena
 
 If you are using [your own webserver](./docs/configuring-playbook-own-webserver.md) (in front of Traefik), port binding on UDP port `8448` by default due to HTTP/3 is either unnecessary or [may get in the way](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/3402). If it does, you can disable it:
 
-```yml
+```yaml
 # Disable HTTP/3 for the federation entrypoint.
 # If you'd like HTTP/3, consider configuring it for your other reverse-proxy.
 #
@@ -322,7 +322,7 @@ The playbook has just started making use of this feature. **From now on, your sy
 
 If you'd like **to go back to the old unrestricted behavior**, use the following configuration:
 
-```yml
+```yaml
 # Use this configuration to allow synapse-admin to manage any homeserver instance.
 matrix_synapse_admin_config_restrictBaseUrl: []
 ```
@@ -387,7 +387,7 @@ Users on `arm32` should be aware that there's **neither a prebuilt `arm32` conta
 
 **The playbook still supports Redis** and you can keep using Redis (for now) if you'd like, by adding this additional configuration to your `vars.yml` file:
 
-```yml
+```yaml
 # Explicitly disable KeyDB, which will auto-enable Redis
 # if the playbook requires it as a dependency for its operation.
 keydb_enabled: false
@@ -1354,7 +1354,7 @@ Our [justfile](justfile) already defines some additional helpful **shortcut** co
 - `just run-tags install-mautrix-slack,start` - to run specific playbook tags
 - `just start-all` - (re-)starts all services
 - `just stop-group postgres` - to stop only the Postgres service
-- `just register-user john secret-password yes` - registers a `john` user with the `secret-password` password and admin access (admin = `yes`)
+- `just register-user alice secret-password yes` - registers an `alice` user with the `secret-password` password and admin access (admin = `yes`)
 
 Additional helpful commands and shortcuts may be defined in the future.
 
@@ -2800,7 +2800,7 @@ You can now customize the server name string that Riot-web displays in its login
 
 These playbook variables, with these default values, have been added:
 
-```
+```yaml
 matrix_riot_web_default_server_name: "{{ matrix_domain }}"
 ```
 
@@ -2828,7 +2828,7 @@ Still, we might become affected in the future. In any case, it's imminent that S
 
 To avoid future problems, we recommend that you run the following command:
 
-```
+```sh
 ansible-playbook -i inventory/hosts setup.yml --tags=upgrade-postgres --extra-vars='{"postgres_force_upgrade": true}'
 ```
 
@@ -3289,7 +3289,7 @@ The certificates from the Matrix domain will be used for the Coturn server.
 This feature is enabled by default for new installations.
 To make use of TLS support for your existing Matrix server's Coturn, make sure to rebuild both Coturn and Synapse:
 
-```bash
+```sh
 ansible-playbook -i inventory/hosts setup.yml --tags=setup-coturn,setup-synapse,start
 ```
 
@@ -3628,7 +3628,7 @@ The playbook now allows you to set the log levels used by Synapse. The default l
 
 You can now override following variables with any of the supported log levels listed here: https://docs.python.org/3/library/logging.html#logging-levels
 
-```
+```yaml
 matrix_synapse_log_level: "INFO"
 matrix_synapse_storage_sql_log_level: "INFO"
 matrix_synapse_root_log_level: "INFO"
@@ -3641,7 +3641,7 @@ matrix_synapse_root_log_level: "INFO"
 
 You can now customize some parts of Riot's `config.json`. These playbook variables, with these default values, have been added:
 
-```
+```yaml
 matrix_riot_web_disable_custom_urls: true
 matrix_riot_web_disable_guests: true
 matrix_riot_web_integrations_ui_url: "https://scalar.vector.im/"
@@ -3652,7 +3652,7 @@ matrix_riot_web_integrations_jitsi_widget_url: "https://scalar.vector.im/api/wid
 
 This now allows you use a custom integration manager like [Dimension](https://dimension.t2bot.io). For example, if you wish to use the Dimension instance hosted at dimension.t2bot.io, you can set the following in your vars.yml file:
 
-```
+```yaml
 matrix_riot_web_integrations_ui_url: "https://dimension.t2bot.io/riot"
 matrix_riot_web_integrations_rest_url: "https://dimension.t2bot.io/api/v1/scalar"
 matrix_riot_web_integrations_widgets_urls: "https://dimension.t2bot.io/widgets"

docs/ansible.md

@@ -55,7 +55,7 @@ Alternatively, you can leave your `inventory/hosts` as is and specify the connec
 
 Run this from the playbook's directory:
 
-```bash
+```sh
 docker run -it --rm \
 --privileged \
 --pid=host \
@@ -76,7 +76,7 @@ Finally, you can execute `ansible-playbook ...` (or `ansible-playbook --connecti
 
 Run this from the playbook's directory:
 
-```bash
+```sh
 docker run -it --rm \
 -w /work \
 -v `pwd`:/work \
@@ -99,7 +99,7 @@ Finally, you execute `ansible-playbook ...` commands as per normal now.
 If you don't use SSH keys for authentication, simply remove that whole line (`-v $HOME/.ssh/id_rsa:/root/.ssh/id_rsa:ro`).
 
 To authenticate at your server using a password, you need to add a package. So, when you are in the shell of the ansible docker container (the previously used `docker run -it ...` command), run:
-```bash
+```sh
 apk add sshpass
 ```
 Then, to be asked for the password whenever running an  `ansible-playbook` command add `--ask-pass` to the arguments of the command.

docs/configuring-playbook-alertmanager-receiver.md

@@ -12,7 +12,7 @@ This service is meant to be used with an external [Alertmanager](https://prometh
 
 To enable matrix-alertmanager-receiver, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:
 
-```yml
+```yaml
 matrix_alertmanager_receiver_enabled: true
 
 # If you'd like to change the username for this bot, uncomment and adjust. Otherwise, remove.
@@ -85,7 +85,7 @@ Then, you can proceed to [Usage](#usage).
 
 Configure your Prometheus Alertmanager with configuration like this:
 
-```yml
+```yaml
 receivers:
   - name: matrix
     webhook_configs:

docs/configuring-playbook-appservice-double-puppet.md

@@ -10,7 +10,7 @@ Previously, bridges supported performing [double-puppeting](https://docs.mau.fi/
 
 To enable the Appservice Double Puppet service, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:
 
-```yml
+```yaml
 matrix_appservice_double_puppet_enabled: true
 ```
 

docs/configuring-playbook-appservice-draupnir-for-all.md

@@ -51,7 +51,7 @@ matrix_appservice_draupnir_for_all_master_control_room_alias: "ALIAS_FROM_STEP_2
 
 After configuring the playbook, run the [installation](installing.md) command:
 
-```
+```sh
 ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
 ```
 

docs/configuring-playbook-backup-borg.md

@@ -18,7 +18,7 @@ By default, if you're using the integrated Postgres database server (as opposed
 
 2. Create a new SSH key:
 
-    ```bash
+    ```sh
     ssh-keygen -t ed25519 -N '' -f matrix-borg-backup -C matrix
     ```
 
@@ -28,7 +28,7 @@ By default, if you're using the integrated Postgres database server (as opposed
 
     If you plan to use a hosted solution, follow their instructions. If you have your own server, copy the key over:
 
-    ```bash
+    ```sh
     # example to append the new PUBKEY contents, where:
     # PUBKEY is path to the public key,
     # USER is a ssh user on a provider / server
@@ -73,7 +73,7 @@ Check the [backup_borg role](https://github.com/mother-of-all-self-hosting/ansib
 
 After configuring the playbook, run the [installation](installing.md) command:
 
-```
+```sh
 ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
 ```
 

docs/configuring-playbook-bot-baibot.md

@@ -84,7 +84,7 @@ If `matrix_admin` is already configured in your `vars.yml` configuration, you ca
 
 **If necessary**, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:
 
-```yml
+```yaml
 # Uncomment to add one or more admins to this bridge:
 #
 # matrix_bot_baibot_config_access_admin_patterns:
@@ -113,7 +113,7 @@ Configuring `matrix_bot_baibot_config_initial_global_config_user_patterns` is op
 
 **If necessary**, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:
 
-```yml
+```yaml
 # Uncomment and adjust the bot users if necessary:
 #
 # Subsequent changes to `matrix_bot_baibot_config_initial_global_config_user_patterns` do not affect the bot's behavior.
@@ -146,7 +146,7 @@ You can statically-define a single [🤖 agent](https://github.com/etkecc/baibot
 
 Here's an example **addition** to your `vars.yml` file:
 
-```yml
+```yaml
 matrix_bot_baibot_config_agents_static_definitions_anthropic_enabled: true
 
 matrix_bot_baibot_config_agents_static_definitions_anthropic_config_api_key: "YOUR_API_KEY_HERE"
@@ -173,7 +173,7 @@ You can statically-define a single [🤖 agent](https://github.com/etkecc/baibot
 
 Here's an example **addition** to your `vars.yml` file:
 
-```yml
+```yaml
 matrix_bot_baibot_config_agents_static_definitions_groq_enabled: true
 
 matrix_bot_baibot_config_agents_static_definitions_groq_config_api_key: "YOUR_API_KEY_HERE"
@@ -207,7 +207,7 @@ You can statically-define a single [🤖 agent](https://github.com/etkecc/baibot
 
 Here's an example **addition** to your `vars.yml` file:
 
-```yml
+```yaml
 matrix_bot_baibot_config_agents_static_definitions_mistral_enabled: true
 
 matrix_bot_baibot_config_agents_static_definitions_mistral_config_api_key: "YOUR_API_KEY_HERE"
@@ -238,7 +238,7 @@ The OpenAI provider is **only meant to be used with OpenAI's official API** and
 
 Here's an example **addition** to your `vars.yml` file:
 
-```yml
+```yaml
 matrix_bot_baibot_config_agents_static_definitions_openai_enabled: true
 
 matrix_bot_baibot_config_agents_static_definitions_openai_config_api_key: "YOUR_API_KEY_HERE"
@@ -282,7 +282,7 @@ You can also define providers at runtime, by chatting with the bot, so using Ans
 
 Below is an an **example** demonstrating **statically-defining agents via Ansible without using presets**:
 
-```yml
+```yaml
 matrix_bot_baibot_config_agents_static_definitions_custom:
   # This agent will use the GPT 3.5 model and will only support text-generation,
   # even though the `openai` provider could support other features (e.g. image-generation).
@@ -356,7 +356,7 @@ You can configure the **initial values** for these via Ansible, via the `matrix_
 
 Example **additional** `vars.yml` configuration:
 
-```yml
+```yaml
 # Note: these are initial defaults for the bot's global configuration.
 # As such, changing any of these values subsequently has no effect on the bot's behavior.
 # Once initially configured, the global configuration is managed via bot commands, not via Ansible.

docs/configuring-playbook-bot-chatgpt.md

@@ -16,7 +16,7 @@ Choose a strong password for the bot. You can generate a good password with a co
 
 You can use the playbook to [register a new user](registering-users.md):
 
-```
+```sh
 ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=bot.chatgpt password=PASSWORD_FOR_THE_BOT admin=no' --tags=register-user
 ```
 

docs/configuring-playbook-bot-draupnir.md

@@ -19,7 +19,7 @@ Choose a strong password for the bot. You can generate a good password with a co
 
 You can use the playbook to [register a new user](registering-users.md):
 
-```
+```sh
 ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=bot.draupnir password=PASSWORD_FOR_THE_BOT admin=no' --tags=register-user
 ```
 
@@ -117,7 +117,7 @@ That is all you need to do due to that Draupnir can complete migration on its ow
 
 After configuring the playbook, run the [installation](installing.md) command:
 
-```
+```sh
 ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
 ```
 

docs/configuring-playbook-bot-go-neb.md

@@ -19,7 +19,7 @@ Choose a strong password for the bot. You can generate a good password with a co
 
 You can use the playbook to [register a new user](registering-users.md):
 
-```
+```sh
 ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=bot.go-neb password=PASSWORD_FOR_THE_BOT admin=no' --tags=register-user
 ```
 
@@ -221,7 +221,7 @@ If you've decided to reuse the `matrix.` domain, you won't need to do any extra
 
 After configuring the playbook and potentially [adjusting your DNS records](#adjusting-dns-records), run the [installation](installing.md) command:
 
-```
+```sh
 ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
 ```
 

docs/configuring-playbook-bot-matrix-registration-bot.md

@@ -46,6 +46,6 @@ If you have any questions, or if you need help setting it up, read the [troublsh
 
 To clean the cache (session & encryption data) after you changed the bot's username, changed the login method from access_token to password etc... you can use:
 
-```bash
+```sh
 just run-tags bot-matrix-registration-bot-clean-cache
 ```

docs/configuring-playbook-bot-mjolnir.md

@@ -15,7 +15,7 @@ Choose a strong password for the bot. You can generate a good password with a co
 
 You can use the playbook to [register a new user](registering-users.md):
 
-```
+```sh
 ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=bot.mjolnir password=PASSWORD_FOR_THE_BOT admin=no' --tags=register-user
 ```
 
@@ -119,7 +119,7 @@ matrix_synapse_ext_spam_checker_mjolnir_antispam_config_ban_lists: []
 
 After configuring the playbook, run the [installation](installing.md) command:
 
-```
+```sh
 ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
 ```
 

docs/configuring-playbook-bridge-appservice-kakaotalk.md

@@ -21,7 +21,7 @@ You may optionally wish to add some [Additional configuration](#additional-confi
 
 After configuring the playbook, run the [installation](installing.md) command:
 
-```
+```sh
 ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
 ```
 

docs/configuring-playbook-bridge-mautrix-discord.md

@@ -29,7 +29,7 @@ You may optionally wish to add some [Additional configuration](#additional-confi
 
 After configuring the playbook, run the [installation](installing.md) command:
 
-```
+```sh
 ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
 ```
 

docs/configuring-playbook-bridge-mautrix-facebook.md

@@ -97,7 +97,7 @@ The easiest way to do this may be to use [sshuttle](https://sshuttle.readthedocs
 
 Example command for proxying your traffic through the Matrix server:
 
-```
+```sh
 sshuttle -r root@matrix.example.com:22 0/0
 ```
 

docs/configuring-playbook-bridge-mautrix-slack.md

@@ -32,7 +32,7 @@ You may optionally wish to add some [Additional configuration](#additional-confi
 
 After configuring the playbook, run the [installation](installing.md) command:
 
-```
+```sh
 ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
 ```
 

docs/configuring-playbook-bridge-mx-puppet-slack.md

@@ -25,7 +25,7 @@ matrix_mx_puppet_slack_oauth_client_secret: "<SLACK_APP_CLIENT_SECRET>"
 
 After configuring the playbook, run the [installation](installing.md) command:
 
-```
+```sh
 ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
 ```
 

docs/configuring-playbook-dimension.md

@@ -20,8 +20,8 @@ These users can modify the integrations this Dimension supports. Add this to you
 
 ```yaml
 matrix_dimension_admins:
-  - "@user1:{{ matrix_domain }}"
+  - "@alice:{{ matrix_domain }}"
-  - "@user2:{{ matrix_domain }}"
+  - "@bob:{{ matrix_domain }}"
 ```
 
 The admin interface is accessible within Element Web by accessing it in any room and clicking the cog wheel/settings icon in the top right. Currently, Dimension can be opened in Element Web by the "Add widgets, bridges, & bots" link in the room information.
@@ -71,7 +71,7 @@ By default, you will need to create a CNAME record for `dimension`. See [Configu
 
 After configuring the playbook and potentially [adjusting your DNS records](#adjusting-dns-records), run the [installation](installing.md) command:
 
-```
+```sh
 ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
 ```
 

docs/configuring-playbook-element-call.md

@@ -0,0 +1,64 @@
+# Setting up Element Call (optional)
+
+The playbook can install and configure [Element Call](https://github.com/vector-im/element-call) for you.
+
+Element Call is a WebRTC-based video and voice calling platform that integrates with Matrix clients such as Element Web. It provides secure, decentralized communication with support for video calls, audio calls, and screen sharing.
+
+See the project's [documentation](https://github.com/vector-im/element-call) to learn more.
+
+## Decide on a domain and path
+
+By default, Element Call is configured to be served on the Matrix domain (`call.DOMAIN`, controlled by the `matrix_element_call_hostname` variable).
+
+This makes it easy to set it up, **without** having to adjust your DNS records manually.
+
+If you'd like to run Element Call on another hostname or path, use the `matrix_element_call_hostname` and `matrix_element_call_path_prefix` variables.
+
+## Adjusting DNS records
+
+If you've changed the default hostname, **you may need to adjust your DNS** records accordingly to point to the correct server.
+
+Ensure that the following DNS names have a public IP/FQDN:
+- `call.example.com`
+- `sfu.example.com`
+- `sfu-jwt.example.com`
+
+## Adjusting the playbook configuration
+
+NOTE: Enabling Element Call will automatically enable the [LiveKit JWT Service](configuring-playbook-livekit-jwt-service.md) and Livekit Server services.
+
+
+Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file:
+
+```yaml
+matrix_element_call_enabled: true
+```
+
+## Installing
+
+After configuring the playbook and potentially [adjusting your DNS records](#adjusting-dns-records), run the [installation](installing.md) command: `just install-all` or `just setup-all`
+
+## Usage
+
+Once installed, Element Call integrates seamlessly with Matrix clients like [Element Web](configuring-playbook-client-element-web.md). When the Element Call service is installed, the `/.well-known/matrix/client` file is also updated. A new `org.matrix.msc4143.rtc_foci` section is added to point to your LiveKit JWT service URL (e.g., `https://matrix.example.com/lk-jwt-service`).
+
+Additionally, the `/.well-known/element/element.json` file is created to help Element clients discover the Element Call URL (e.g., `https://call.example.com`).
+
+## Required Firewall and Port Forwarding Rules
+
+To ensure the services function correctly, the following firewall rules and port forwarding settings are required:
+
+LiveKit:
+
+- Forward UDP ports 50100:50120 to the Docker instance running LiveKit.
+- Forward TCP port 7881 to the Docker instance running LiveKit.
+
+Element Call:
+
+- Forward TCP port 443 to the server running Traefik (for Element Call).
+
+Ensure these ports are open and forwarded appropriately to allow traffic to flow correctly between the services.
+
+## Additional Information
+
+Refer to the Element Call documentation for more details on configuring and using Element Call.

docs/configuring-playbook-federation.md

@@ -57,7 +57,7 @@ Why? This change could be useful for people running small Synapse instances on s
 
 The following changes in the configuration file (`inventory/host_vars/matrix.example.com/vars.yml`) will allow this and make it possible to proxy the federation through a CDN such as CloudFlare or any other:
 
-```
+```yaml
 matrix_synapse_http_listener_resource_names: ["client","federation"]
 # Any port can be used but in this case we use 443
 matrix_federation_public_port: 443

docs/configuring-playbook-jitsi.md

@@ -172,18 +172,18 @@ By default, a single JVB ([Jitsi VideoBridge](https://github.com/jitsi/jitsi-vid
 There is an ansible playbook that can be run with the following tag: `ansible-playbook -i inventory/hosts --limit jitsi_jvb_servers jitsi_jvb.yml --tags=common,setup-additional-jitsi-jvb,start`
 
 For this role to work you will need an additional section in the ansible hosts file with the details of the JVB hosts, for example:
-```
+```INI
 [jitsi_jvb_servers]
 <your jvb hosts> ansible_host=<ip address of the jvb host>
 ```
 
 Each JVB will require a server ID to be set so that it can be uniquely identified and this allows Jitsi to keep track of which conferences are on which JVB. The server ID is set with the variable `jitsi_jvb_server_id` which ends up as the JVB_WS_SERVER_ID environment variables in the JVB docker container. This variable can be set via the host file, a parameter to the ansible command or in the `vars.yaml` for the host which will have the additional JVB. For example:
 
-``` yaml
+```yaml
 jitsi_jvb_server_id: 'jvb-2'
 ```
 
-``` INI
+```INI
 [jitsi_jvb_servers]
 jvb-2.example.com ansible_host=192.168.0.2 jitsi_jvb_server_id=jvb-2
 jvb-3.example.com ansible_host=192.168.0.3 jitsi_jvb_server_id=jvb-2
@@ -271,7 +271,7 @@ jitsi_disable_gravatar: false
 
 After configuring the playbook and potentially [adjusting your DNS records](#adjusting-dns-records), run the [installation](installing.md) command:
 
-```
+```sh
 ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
 ```
 

docs/configuring-playbook-jwt-service.md

@@ -0,0 +1,40 @@
+# Setting up JWT Service (optional)
+
+The playbook can install and configure [LiveKit JWT Service](https://github.com/element-hq/lk-jwt-service) for you.
+
+LK-JWT-Service is currently used for a single reason: generate JWT tokens with a given identity for a given room, so that users can use them to authenticate against LiveKit SFU.
+
+See the project's [documentation](https://github.com/element-hq/lk-jwt-service/) to learn more.
+
+## Decide on a domain and path
+
+By default, JWT Service is configured to be served:
+
+- on the Matrix domain (`matrix.example.com`), configurable via `matrix_livekit_jwt_service_hostname`
+- under a `/lk-jwt-service` path prefix, configurable via `matrix_livekit_jwt_service_path_prefix`
+
+This makes it easy to set it up, **without** having to adjust your DNS records manually.
+
+## Adjusting DNS records
+
+If you've changed the default hostname, **you may need to adjust your DNS** records accordingly to point to the correct server.
+
+## Adjusting the playbook configuration
+
+Add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:
+
+```yaml
+matrix_livekit_jwt_service_enabled: true
+```
+
+## Installing
+
+After configuring the playbook and potentially [adjusting your DNS records](#adjusting-dns-records), run the [installation](installing.md) command: `just install-all` or `just setup-all`
+
+## Usage
+
+Once installed, a new `org.matrix.msc4143.rtc_foci` section is added to the Element Web client to point to your JWT service URL (e.g., `https://matrix.example.com/lk-jwt-service`).
+
+## Additional Information
+
+Refer to the LiveKit JWT-Service documentation for more details on configuring and using JWT Service.

docs/configuring-playbook-livekit-server.md

@@ -0,0 +1,55 @@
+# Setting up LiveKit (optional)
+
+The playbook can install and configure [LiveKit](https://github.com/livekit/livekit) for you.
+
+LiveKit is an open source project that provides scalable, multi-user conferencing based on WebRTC. It's designed to provide everything you need to build real-time video audio data capabilities in your applications.
+
+See the project's [documentation](https://github.com/livekit/livekit) to learn more.
+
+## Decide on a domain and path
+
+By default, LiveKit is configured to be served on the Matrix domain (`sfu.example.com`, controlled by the `livekit_server_hostname` variable).
+
+This makes it easy to set it up, **without** having to adjust your DNS records manually.
+
+If you'd like to run Livekit on another hostname or path, use the `livekit_server_hostname` variable.
+
+## Adjusting DNS records
+
+If you've changed the default hostname, **you may need to adjust your DNS** records accordingly to point to the correct server.
+
+Ensure that the following DNS names have a public IP/FQDN:
+- `sfu.example.com`
+
+## Adjusting the playbook configuration
+
+Add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:
+
+```yaml
+livekit_server_enabled: true
+
+# Set a secure key for LiveKit authentication
+livekit_server_dev_key: 'your-secure-livekit-key'
+```
+
+## Installing
+
+After configuring the playbook and potentially [adjusting your DNS records](#adjusting-dns-records), run the [installation](installing.md) command: `just install-all` or `just setup-all`
+
+## Usage
+Once installed, and in conjunction with Element Call and JWT Service, Livekit will become the WebRTC backend for all Element client calls.
+
+## Required Firewall and Port Forwarding Rules
+
+To ensure the services function correctly, the following firewall rules and port forwarding settings are required:
+
+LiveKit:
+
+- Forward UDP ports 50100:50200 to the Docker instance running LiveKit.
+- Forward TCP port 7881 to the Docker instance running LiveKit.
+
+Ensure these ports are open and forwarded appropriately to allow traffic to flow correctly between the services.
+
+## Additional Information
+
+Refer to the Livekit documentation for more details on configuring and using Livekit.

docs/configuring-playbook-matrix-authentication-service.md

@@ -364,7 +364,7 @@ The same OIDC provider may have an `id` of `01HFVBY12TMNTYTBV8W921M5FA` on the M
 
 To tell `syn2mas` how the Synapse-configured OIDC provider maps to the new MAS-configured OIDC provider, add this additional configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:
 
-```yml
+```yaml
 # Adjust the mapping below to match your provider IDs on the Synapse side and the MAS side.
 # Don't forget that Synapse automatically adds an `oidc-` prefix to provider ids defined in its configuration.
 matrix_authentication_service_syn2mas_process_extra_arguments:

docs/configuring-playbook-matrix-registration.md

@@ -54,7 +54,7 @@ If you've decided to use the default hostname, you won't need to do any extra DN
 
 After configuring the playbook and potentially [adjusting your DNS records](#adjusting-dns-records), run the [installation](installing.md) command:
 
-```
+```sh
 ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
 ```
 
@@ -72,7 +72,7 @@ We make the most common APIs easy to use via the playbook (see below).
 
 To **create a new user registration token (link)**, use this command:
 
-```bash
+```sh
 ansible-playbook -i inventory/hosts setup.yml \
 --tags=generate-matrix-registration-token \
 --extra-vars="one_time=yes ex_date=2021-12-31"
@@ -87,7 +87,7 @@ Share the unique registration link (generated by the command above) with users t
 
 To **list the existing user registration tokens**, use this command:
 
-```bash
+```sh
 ansible-playbook -i inventory/hosts setup.yml \
 --tags=list-matrix-registration-tokens
 ```

docs/configuring-playbook-ntfy.md

@@ -52,7 +52,7 @@ By default, you will need to create a CNAME record for `ntfy`. See [Configuring
 
 After configuring the playbook and potentially [adjusting your DNS records](#adjusting-dns-records), run the [installation](installing.md) command:
 
-```
+```sh
 ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
 ```
 

docs/configuring-playbook-postgres-backup.md

@@ -31,6 +31,6 @@ Refer to the table below for additional configuration variables and their defaul
 
 After configuring the playbook, run the [installation](installing.md) command:
 
-```
+```sh
 ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
 ```

docs/configuring-playbook-rageshake.md

@@ -53,7 +53,7 @@ If you've decided to reuse the `matrix.` domain, you won't need to do any extra
 
 After configuring the playbook and potentially [adjusting your DNS records](#adjusting-dns-records), run the [installation](installing.md) command:
 
-```
+```sh
 ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
 ```
 

docs/configuring-playbook-sygnal.md

@@ -79,7 +79,7 @@ If you've decided to reuse the `matrix.` domain, you won't need to do any extra
 
 After configuring the playbook and potentially [adjusting your DNS records](#adjusting-dns-records), run the [installation](installing.md) command:
 
-```
+```sh
 ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
 ```
 

docs/configuring-playbook-synapse-auto-accept-invite.md

@@ -34,7 +34,7 @@ Since Synapse [v1.109.0](https://github.com/element-hq/synapse/releases/tag/v1.1
 
 Here's example configuration for using the **native** Synapse feature:
 
-```yml
+```yaml
 matrix_synapse_auto_accept_invites_enabled: true
 
 # Default settings below. Uncomment and adjust this part if necessary.

docs/configuring-playbook-synapse-auto-compressor.md

@@ -20,7 +20,7 @@ matrix_synapse_auto_compressor_enabled: true
 
 After configuring the playbook, run the [installation](installing.md) command:
 
-```
+```sh
 ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
 ```
 

docs/configuring-playbook-synapse.md

@@ -98,7 +98,7 @@ For more detailed documentation on available options and how to setup keycloak,
 
 In case you encounter errors regarding the parsing of the variables, you can try to add `{% raw %}` and `{% endraw %}` blocks around them. For example ;
 
-```yml
+```yaml
 matrix_synapse_oidc_enabled: true
 
 matrix_synapse_oidc_providers:

docs/configuring-playbook-turn.md

@@ -40,7 +40,7 @@ The playbook uses the [`auth-secret` authentication method](https://github.com/c
 
 To do so, add this override to your configuration:
 
-```yml
+```yaml
 matrix_coturn_authentication_method: lt-cred-mech
 ```
 

docs/configuring-playbook-user-verification-service.md

@@ -92,7 +92,7 @@ This will instruct UVS to verify the OpenID token against any domain given in a
 
 After these variables have been set, run the [installation](installing.md) command to restart UVS:
 
-```
+```sh
 ansible-playbook -i inventory/hosts setup.yml --tags=setup-matrix-user-verification-service,start
 ```
 

docs/configuring-playbook.md

@@ -212,6 +212,12 @@ Services that help you in administrating and monitoring your Matrix installation
 
 Various services that don't fit any other categories.
 
+- [Setting up the Element Call server](configuring-playbook-element-call.md) (optional)
+
+- [Setting up the LiveKit JWT Service](configuring-playbook-livekit-jwt-service.md) (optional)
+
+- [Setting up the Livekit server](configuring-playbook-livekit-server.md) (optional)
+
 - [Setting up Synapse Auto Invite Accept](configuring-playbook-synapse-auto-accept-invite.md)
 
 - [Setting up synapse-auto-compressor](configuring-playbook-synapse-auto-compressor.md) for compressing the database on Synapse homeservers

docs/faq.md

@@ -121,6 +121,10 @@ Besides Synapse, you'd need other things - a Postgres database, likely the [Elem
 
 Using the playbook, you get all these components in a way that works well together out of the box.
 
+### Occasionally I see some people are talking about "MDAD". What is it?
+
+It is the acronym of us: **m**atrix-**d**ocker-**a**nsible-**d**eploy.
+
 ### What's different about this Ansible playbook compared to [EMnify/matrix-synapse-auto-deploy](https://github.com/EMnify/matrix-synapse-auto-deploy)?
 
 This is similar to the [EMnify/matrix-synapse-auto-deploy](https://github.com/EMnify/matrix-synapse-auto-deploy) Ansible deployment, but:
@@ -193,7 +197,7 @@ The only thing we need on the distro is systemd and Python (we install Docker ou
 
 Instead of using [docker-compose](https://docs.docker.com/compose/), we prefer installing systemd services and scheduling those independently.
 
-There are people who have worked on turning this setup into a docker-compose-based one. See these experiments [here](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/64#issuecomment-603164625).
+There are people who have worked on turning this setup into a docker-compose-based one. See these experiments [here](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/64#issuecomment-603164625). There is also a demo project ([element-docker-demo](https://github.com/element-hq/element-docker-demo)) by Element.
 
 ### Can I run this on a distro without systemd?
 
@@ -232,11 +236,7 @@ If your distro runs within an [LXC container](https://linuxcontainers.org/), you
 
 It's the same with email servers. Your email address is likely `name@company.com`, not `name@mail.company.com`, even though it's `mail.company.com` that is really handling your data for `@company.com` email to work.
 
-Using a separate domain name is easier to manage (although it's a little hard to get right at first) and keeps your Matrix server isolated from your website (if you have one), from your email server (if you have one), etc.
+Using a separate domain name is easier to manage (although it's a little hard to get right at first) and keeps your Matrix server isolated from your website (if you have one), from your email server (if you have one), etc. Therefore, this playbook sets up services on your Matrix server (`matrix.example.com`) by default.
-
-We allow `matrix.example.com` to be the Matrix server handling Matrix stuff for `example.com` by [Server Delegation](howto-server-delegation.md). During the installation procedure, we recommend that you set up server delegation using the [.well-known](configuring-well-known.md) method.
-
-If you'd really like to install Matrix services directly on the base domain, see [How do I install on matrix.example.com without involving the base domain?](#how-do-i-install-on-matrixexamplecom-without-involving-the-base-domain)
 
 ### I don't control anything on the base domain and can't set up delegation to matrix.example.com. What do I do?
 
@@ -248,11 +248,7 @@ If you really can't obtain an HTTPS certificate for your base domain, you can ta
 
 ### How do I install on matrix.example.com without involving the base domain?
 
-This Ansible playbook guides you into installing a server for `example.com` (user identifiers are like this: `@user:example.com`), while the server is at `matrix.example.com`.
+Add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:
-
-We allow `matrix.example.com` to be the Matrix server handling Matrix stuff for `example.com` by [Server Delegation](howto-server-delegation.md). During the installation procedure, we recommend that you set up server delegation using the [.well-known](configuring-well-known.md) method.
-
-If you're fine with uglier identifiers (`@user:matrix.example.com`, which is the equivalent of having an email address like `bob@mail.company.com`, instead of just `bob@company.com`), you can do that as well using the following configuration in your `vars.yml` file:
 
 ```yaml
 # This is what your identifiers are like (e.g. `@bob:matrix.example.com`).
@@ -267,17 +263,20 @@ matrix_server_fqn_matrix: "matrix.example.com"
 # Feel free to use `element.matrix.example.com`, if you'd prefer that.
 matrix_server_fqn_element: "element.example.com"
 
-# This is where you access Dimension (if enabled via `matrix_dimension_enabled: true`; NOT enabled by default).
+# This is where you access Etherpad (if enabled via `etherpad_enabled: true`; NOT enabled by default).
 #
-# Feel free to use `dimension.matrix.example.com`, if you'd prefer that.
+# Feel free to use `etherpad.matrix.example.com`, if you'd prefer that.
-matrix_server_fqn_dimension: "dimension.example.com"
+matrix_server_fqn_etherpad: "etherpad.example.com"
-
-# This is where you access Jitsi (if enabled via `jitsi_enabled: true`; NOT enabled by default).
-#
-# Feel free to use `jitsi.matrix.example.com`, if you'd prefer that.
-matrix_server_fqn_jitsi: "jitsi.example.com"
 ```
 
+After configuring the playbook, run the [installation](installing.md) command:
+
+```sh
+ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
+```
+
+**Note**: without setting up [server delegation](howto-server-delegation.md) to `matrix.example.com`, your user identifiers will be like `@user:matrix.example.com`. This is equivalent to having an email address like `bob@mail.company.com`, instead of just `bob@company.com`.
+
 ### I don't use the base domain for anything. How am I supposed to set up Server Delegation for Matrix services?
 
 If you don't use your base domain for anything, then it's hard for you to "serve files over HTTPS" on it -- something we ask you to do for the [.well-known](configuring-well-known.md) setup (needed for [Server Delegation](howto-server-delegation.md)).
@@ -462,12 +461,10 @@ We haven't documented this properly yet, but the general advice is to:
 
 - back up all `/matrix` files, except for `/matrix/postgres/data` (you already have a dump) and `/matrix/postgres/data-auto-upgrade-backup` (this directory may exist and contain your old data if you've [performed a major Postgres upgrade](maintenance-postgres.md#upgrading-postgresql)).
 
-You can later restore these roughly like this:
+You can later restore these by:
 
-- restore the `/matrix` directory and files on the new server manually
+- Restoring the `/matrix` directory and files on the new server manually
-- run the playbook again (see [Installing](installing.md)), but **don't** start services yet (**don't run** `... --tags=start`). This step will fix any file permission mismatches and will also set up additional software (Docker, etc.) and files on the server (systemd service, etc.).
+- Following the instruction described on [Installing a server into which you'll import old data](installing.md#installing-a-server-into-which-youll-import-old-data)
-- perform a Postgres database import (see [Importing Postgres](importing-postgres.md)) to restore your database backup
-- start services (see [Finalize the installation](installing.md#finalize-the-installation))
 
 If your server's IP address has changed, you may need to [set up DNS](configuring-dns.md) again.
 

docs/getting-the-playbook.md

@@ -19,7 +19,7 @@ We recommend using the [git](https://git-scm.com/) tool to get the playbook's so
 
 Once you've installed git on your computer, you can go to any directory of your choosing and run the following command to retrieve the playbook's source code:
 
-```bash
+```sh
 git clone https://github.com/spantaleev/matrix-docker-ansible-deploy.git
 ```
 

docs/importing-postgres.md

@@ -94,7 +94,7 @@ Once the database is clear and the ownership of the tables has been fixed in the
 
 Check, if `--dbname` is set to `synapse` (not `matrix`) and replace paths (or even better, copy this line from your terminal)
 
-```
+```sh
 /usr/bin/env docker run --rm --name matrix-postgres-import --log-driver=none --user=998:1001 --cap-drop=ALL --network=matrix --env-file=/matrix/postgres/env-postgres-psql --mount type=bind,src=/migration/synapse_dump.sql,dst=/synapse_dump.sql,ro --entrypoint=/bin/sh docker.io/postgres:15.0-alpine -c "cat /synapse_dump.sql | grep -vE '^(CREATE|ALTER) ROLE (matrix)(;| WITH)' | grep -vE '^CREATE DATABASE (matrix)\s' | psql -v ON_ERROR_STOP=1 -h matrix-postgres --dbname=synapse"
 ```
 

docs/installing.md

@@ -83,13 +83,13 @@ To create your user account (as an administrator of the server) via this Ansible
 
 **Notes**:
 - Make sure to adjust `YOUR_USERNAME_HERE` and `YOUR_PASSWORD_HERE`
-- For `YOUR_USERNAME_HERE`, use a plain username like `john`, not your full identifier (`@user:example.com`)
+- For `YOUR_USERNAME_HERE`, use a plain username like `alice`, not your full identifier (`@alice:example.com`)
 - Use `admin=yes` to make your user account an administrator of the Matrix server
 
 ```sh
 ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=YOUR_USERNAME_HERE password=YOUR_PASSWORD_HERE admin=yes' --tags=register-user
 
-# Example: ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=john password=secret-password admin=yes' --tags=register-user
+# Example: ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=alice password=secret-password admin=yes' --tags=register-user
 ```
 
 Feel free to create as many accounts (for friends, family, etc.) as you want. Still, perhaps you should grant full administrative access to your account only (with `admin=yes`), and others should be created with `admin=no`.

docs/just.md

@@ -10,18 +10,18 @@ For some recipes such as `just update`, our `justfile` recommends installing [`a
 
 Here are some examples of shortcuts:
 
-| Shortcut                                      | Result                                                                                                         |
+| Shortcut                                       | Result                                                                                                         |
-|-----------------------------------------------|----------------------------------------------------------------------------------------------------------------|
+|------------------------------------------------|----------------------------------------------------------------------------------------------------------------|
-| `just roles`                                  | Install the necessary Ansible roles pinned in [`requirements.yml`](../requirements.yml)                        |
+| `just roles`                                   | Install the necessary Ansible roles pinned in [`requirements.yml`](../requirements.yml)                        |
-| `just update`                                 | Run `git pull` (to update the playbook) and install the Ansible roles                                          |
+| `just update`                                  | Run `git pull` (to update the playbook) and install the Ansible roles                                          |
-| `just install-all`                            | Run `ansible-playbook -i inventory/hosts setup.yml --tags=install-all,ensure-matrix-users-created,start`       |
+| `just install-all`                             | Run `ansible-playbook -i inventory/hosts setup.yml --tags=install-all,ensure-matrix-users-created,start`       |
-| `just setup-all`                              | Run `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,ensure-matrix-users-created,start`         |
+| `just setup-all`                               | Run `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,ensure-matrix-users-created,start`         |
-| `just install-all --ask-vault-pass`           | Run commands with additional arguments (`--ask-vault-pass` will be appended to the above installation command) |
+| `just install-all --ask-vault-pass`            | Run commands with additional arguments (`--ask-vault-pass` will be appended to the above installation command) |
-| `just run-tags install-mautrix-slack,start`   | Run specific playbook tags (here `install-mautrix-slack` and `start`)                                          |
+| `just run-tags install-mautrix-slack,start`    | Run specific playbook tags (here `install-mautrix-slack` and `start`)                                          |
-| `just install-service mautrix-slack`          | Run `just run-tags install-mautrix-slack,start` with even less typing                                          |
+| `just install-service mautrix-slack`           | Run `just run-tags install-mautrix-slack,start` with even less typing                                          |
-| `just start-all`                              | (Re-)starts all services                                                                                       |
+| `just start-all`                               | (Re-)starts all services                                                                                       |
-| `just stop-group postgres`                    | Stop only the Postgres service                                                                                 |
+| `just stop-group postgres`                     | Stop only the Postgres service                                                                                 |
-| `just register-user john secret-password yes` | Registers a `john` user with the `secret-password` password and admin access (admin = `yes`)                   |
+| `just register-user alice secret-password yes` | Registers an `alice` user with the `secret-password` password and admin access (admin = `yes`)                 |
 
 While [our documentation on prerequisites](prerequisites.md) lists `just` as one of the requirements for installation, using `just` is optional. If you find it difficult to install it, do not find it useful, or want to prefer raw `ansible-playbook` commands for some reason, feel free to run all commands manually. For example, you can run `ansible-galaxy` directly to install the Ansible roles: `rm -rf roles/galaxy; ansible-galaxy install -r requirements.yml -p roles/galaxy/ --force`.
 

docs/maintenance-and-troubleshooting.md

@@ -3,7 +3,7 @@
 ## How to see the current status of your services
 
 You can check the status of your services by using `systemctl status`. Example:
-```
+```sh
 sudo systemctl status matrix-synapse
 
 ● matrix-synapse.service - Synapse server
@@ -41,7 +41,7 @@ Re-run the playbook after making these configuration changes.
 ## Remove unused Docker data
 
 You can free some disk space from Docker, see [docker system prune](https://docs.docker.com/engine/reference/commandline/system_prune/) for more information.
-```bash
+```sh
 ansible-playbook -i inventory/hosts setup.yml --tags=run-docker-prune
 ```
 

docs/maintenance-checking-services.md

@@ -4,7 +4,7 @@ This playbook can perform a check to ensure that you've configured things correc
 
 To perform the check, run:
 
-```bash
+```sh
 ansible-playbook -i inventory/hosts setup.yml --tags=self-check
 ```
 

docs/maintenance-postgres.md

@@ -57,7 +57,7 @@ To automatically make Postgres database backups on a fixed schedule, see [Settin
 
 To make a one off back up of the current PostgreSQL database, make sure it's running and then execute a command like this on the server:
 
-```bash
+```sh
 /usr/bin/docker exec \
 --env-file=/matrix/postgres/env-postgres-psql \
 matrix-postgres \

docs/maintenance-synapse.md

@@ -35,7 +35,7 @@ After deleting data, you may wish to run a [`FULL` Postgres `VACUUM`](./maintena
 
 To ask the playbook to run rust-synapse-compress-state, execute:
 
-```
+```sh
 ansible-playbook -i inventory/hosts setup.yml --tags=rust-synapse-compress-state
 ```
 
@@ -52,14 +52,14 @@ Editing the database manually is not recommended or supported by the Synapse dev
 
 First, set up an SSH tunnel to your Matrix server (skip if it is your local machine):
 
-```
+```sh
 # you may replace 1799 with an arbitrary port unbound on both machines
 ssh -L 1799:localhost:1799 matrix.example.com
 ```
 
 Then start up an ephemeral [adminer](https://www.adminer.org/) container on the Matrix server, connecting it to the `matrix` network and linking the postgresql container:
 
-```
+```sh
 docker run --rm --publish 1799:8080 --link matrix-postgres --net matrix adminer
 ```
 
@@ -93,7 +93,7 @@ You can **learn more about cache-autotuning and the global cache factor settings
 
 To **disable cache auto-tuning**, unset all values:
 
-```yml
+```yaml
 matrix_synapse_cache_autotuning_max_cache_memory_usage: ''
 matrix_synapse_cache_autotuning_target_cache_memory_usage: ''
 matrix_synapse_cache_autotuning_min_cache_ttl: ''

docs/obtaining-access-tokens.md

@@ -25,7 +25,7 @@ Below, we describe 2 ways to generate an access token for a user - using [Elemen
 
 You can use the following command to get an access token for your user directly from the [Matrix Client-Server API](https://www.matrix.org/docs/guides/client-server-api#login):
 
-```
+```sh
 curl -XPOST -d '{
     "identifier": { "type": "m.id.user", "user": "USERNAME" },
     "password": "PASSWORD",

docs/quick-start.md

@@ -136,12 +136,12 @@ To create your user account (as an administrator of the server) via this Ansible
 
 **💡 Notes**:
 - Make sure to adjust `YOUR_USERNAME_HERE` and `YOUR_PASSWORD_HERE`
-- For `YOUR_USERNAME_HERE`, use a plain username like `john`, not your full identifier (`@user:example.com`)
+- For `YOUR_USERNAME_HERE`, use a plain username like `alice`, not your full identifier (`@alice:example.com`)
 
 ```sh
 ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=YOUR_USERNAME_HERE password=YOUR_PASSWORD_HERE admin=yes' --tags=register-user
 
-# Example: ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=john password=secret-password admin=yes' --tags=register-user
+# Example: ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=alice password=secret-password admin=yes' --tags=register-user
 ```
 
 <!--

docs/registering-users.md

@@ -16,7 +16,7 @@ Table of contents:
 
 **Notes**:
 - Make sure to adjust `USERNAME_HERE` and `PASSWORD_HERE`
-- For `USERNAME_HERE`, use a plain username like `john`, not a full identifier (`@user:example.com`)
+- For `USERNAME_HERE`, use a plain username like `alice`, not a full identifier (`@alice:example.com`)
 - Use `admin=yes` or `admin=no` depending on whether you wish to make the user an administrator of the Matrix server
 
 After registering a user (using one of the methods below), **you can log in with that user** via the [Element Web](configuring-playbook-client-element-web.md) service that this playbook has installed for you at a URL like this: `https://element.example.com/`.
@@ -30,7 +30,7 @@ To register a user via this Ansible playbook:
 ```sh
 just register-user USERNAME_HERE PASSWORD_HERE <admin access: yes or no>
 
-# Example: `just register-user john secret-password yes`
+# Example: `just register-user alice secret-password yes`
 ```
 
 **or** by invoking `ansible-playbook` manually:
@@ -38,7 +38,7 @@ just register-user USERNAME_HERE PASSWORD_HERE <admin access: yes or no>
 ```sh
 ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=USERNAME_HERE password=PASSWORD_HERE admin=<yes|no>' --tags=register-user
 
-# Example: ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=john password=secret-password admin=yes' --tags=register-user
+# Example: ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=alice password=secret-password admin=yes' --tags=register-user
 ```
 
 Feel free to register as many users (for friends, family, etc.) as you want. Still, perhaps you should grant full administrative access to your user account only (with `admin=yes`), and others should be created with `admin=no`.
@@ -52,7 +52,7 @@ If you're using the [Synapse](configuring-playbook-synapse.md) homeserver implem
 ```sh
 /matrix/synapse/bin/register-user USERNAME_HERE PASSWORD_HERE <admin access: 0 or 1>
 
-# Example: `/matrix/synapse/bin/register-user john secret-password 1`
+# Example: `/matrix/synapse/bin/register-user alice secret-password 1`
 ```
 
 ### Registering users manually for Dendrite
@@ -62,7 +62,7 @@ If you're using the [Dendrite](./configuring-playbook-dendrite.md) homeserver im
 ```sh
 /matrix/dendrite/bin/create-account USERNAME_HERE PASSWORD_HERE <admin access: 0 or 1>
 
-# Example: `/matrix/dendrite/bin/create-account john secret-password 1`
+# Example: `/matrix/dendrite/bin/create-account alice secret-password 1`
 ```
 
 ### Registering users manually for Matrix Authentication Service
@@ -72,7 +72,7 @@ If you're using the [Matrix Authentication Service](./configuring-playbook-matri
 ```sh
 /matrix/matrix-authentication-service/bin/register-user USERNAME_HERE PASSWORD_HERE <admin access: 0 or 1>
 
-# Example: `/matrix/matrix-authentication-service/bin/register-user john secret-password 1`
+# Example: `/matrix/matrix-authentication-service/bin/register-user alice secret-password 1`
 ```
 
 This `register-user` script actually invokes the `mas-cli manage register-user` command under the hood. If you'd like more control over the registration process, consider invoking the `mas-cli` command directly:

docs/updating-users-passwords.md

@@ -4,11 +4,11 @@
 
 **Notes**:
 - Make sure to adjust `USERNAME_HERE` and `PASSWORD_HERE`
-- For `USERNAME_HERE`, use a plain username like `john`, not a full identifier (`@user:example.com`)
+- For `USERNAME_HERE`, use a plain username like `alice`, not a full identifier (`@alice:example.com`)
 
 You can reset a user's password via the Ansible playbook:
 
-```
+```sh
 ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=USERNAME_HERE password=PASSWORD_HERE' --tags=update-user-password
 ```
 
@@ -19,7 +19,7 @@ ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=USERNAME_HE
 
 You can manually generate the password hash by using the command-line after **SSH**-ing to your server (requires that [all services have been started](installing.md#finalize-the-installation):
 
-```
+```sh
 docker exec -it matrix-synapse /usr/local/bin/hash_password -c /data/homeserver.yaml
 ```
 
@@ -42,6 +42,6 @@ If you didn't make your account a server admin when you created it, you can lear
 
 ### Example:
 To set @user:example.com's password to `correct_horse_battery_staple` you could use this curl command:
-```
+```sh
 curl -XPOST -d '{ "new_password": "correct_horse_battery_staple" }' "https://matrix.example.com/_matrix/client/r0/admin/reset_password/@user:example.com?access_token=MDA...this_is_my_access_token
 ```

group_vars/matrix_servers

@@ -440,6 +440,12 @@ devture_systemd_service_manager_services_list_auto: |
     +
     ([{'name': 'matrix-pantalaimon.service', 'priority': 4000, 'groups': ['matrix', 'pantalaimon']}] if matrix_pantalaimon_enabled else [])
     +
+    ([{'name': 'matrix-element-call.service', 'priority': 4000, 'groups': ['matrix', 'element-call']}] if matrix_element_call_enabled else [])
+    +
+    ([{'name': 'matrix-livekit-jwt-service.service', 'priority': 3500, 'groups': ['matrix', 'livekit-jwt-service']}] if matrix_livekit_jwt_service_enabled else [])
+    +
+    ([{'name': (livekit_server_identifier + '.service'), 'priority': 3000, 'groups': ['matrix', 'livekit-server']}] if livekit_server_enabled else [])
+    +
     ([{'name': 'matrix-registration.service', 'priority': 4000, 'groups': ['matrix', 'registration', 'matrix-registration']}] if matrix_registration_enabled else [])
     +
     ([{'name': 'matrix-sliding-sync.service', 'priority': 1500, 'groups': ['matrix', 'sliding-sync']}] if matrix_sliding_sync_enabled else [])
@@ -4455,7 +4461,7 @@ keydb_arch: |-
 #
 ######################################################################
 
-valkey_enabled: "{{ matrix_synapse_workers_enabled or (matrix_hookshot_enabled and matrix_hookshot_experimental_encryption_enabled) }}"
+valkey_enabled: "{{ matrix_synapse_workers_enabled or (matrix_hookshot_enabled and matrix_hookshot_experimental_encryption_enabled) or matrix_element_call_enabled }}"
 
 valkey_identifier: matrix-valkey
 
@@ -4523,6 +4529,14 @@ matrix_client_element_enable_presence_by_hs_url: |-
 
 matrix_client_element_jitsi_preferred_domain: "{{ matrix_server_fqn_jitsi if jitsi_enabled else '' }}"
 
+matrix_client_element_features_feature_video_rooms: "{{ matrix_element_call_enabled }}"
+matrix_client_element_features_feature_group_calls: "{{ matrix_element_call_enabled }}"
+matrix_client_element_features_feature_element_call_video_rooms: "{{ matrix_element_call_enabled }}"
+matrix_client_element_features_feature_oidc_native_flow: "{{ matrix_authentication_service_enabled }}"
+
+matrix_client_element_element_call_enabled: "{{ matrix_element_call_enabled }}"
+matrix_client_element_element_call_url: "{{ matrix_element_call_public_url if matrix_element_call_enabled else '' }}"
+
 ######################################################################
 #
 # /matrix-client-element
@@ -5941,8 +5955,18 @@ matrix_static_files_file_matrix_client_property_m_tile_server_map_style_url: "{{
 # See: https://github.com/etkecc/synapse-admin/pull/126
 matrix_static_files_file_matrix_client_property_cc_etke_synapse_admin_auto: "{{ matrix_synapse_admin_configuration if matrix_homeserver_implementation == 'synapse' else {} }}"
 
+matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci_enabled: "{{ matrix_element_call_enabled }}"
+matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci_auto: |-
+  {{
+    (
+      [{'type': 'livekit', 'livekit_service_url': matrix_livekit_jwt_service_public_url}] if matrix_livekit_jwt_service_enabled else []
+    )
+  }}
+
 matrix_static_files_file_matrix_server_property_m_server: "{{ matrix_server_fqn_matrix_federation }}:{{ matrix_federation_public_port }}"
 
+matrix_static_files_file_element_element_json_property_call_widget_url: "{{ matrix_element_call_public_url if matrix_element_call_enabled else '' }}"
+
 matrix_static_files_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}"
 
 matrix_static_files_self_check_hostname_matrix: "{{ matrix_server_fqn_matrix }}"
@@ -6049,3 +6073,126 @@ traefik_certs_dumper_ssl_dir_path: "{{ traefik_ssl_dir_path if traefik_enabled e
 # /traefik_certs_dumper                                                #
 #                                                                      #
 ########################################################################
+
+
+########################################################################
+#                                                                      #
+# matrix-element-call                                                  #
+#                                                                      #
+########################################################################
+
+matrix_element_call_enabled: false
+
+matrix_element_call_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}"
+
+matrix_element_call_version: "latest"  # Default version; can be overridden in host_vars
+
+matrix_element_call_hostname: "call.{{ matrix_domain }}"  # Default hostname; should be overridden in host_vars if different
+matrix_element_call_path_prefix: "/"  # Path prefix for Element Call
+matrix_element_call_base_path: "{{ matrix_base_data_path }}/element-call"  # Base path for storing Element Call-related files
+matrix_element_call_container_image: "ghcr.io/element-hq/element-call:{{ matrix_element_call_version }}"
+matrix_element_call_container_image_name_prefix: ghcr.io/
+matrix_element_call_container_image_registry_prefix: ghcr.io/
+matrix_element_call_container_image_force_pull: true
+
+# Docker network configuration for Element Call
+matrix_element_call_container_network: "{{ matrix_addons_container_network }}"
+matrix_element_call_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if (matrix_element_call_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network) else [] }}"
+
+# Traefik Configuration for Element Call
+matrix_element_call_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
+matrix_element_call_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
+matrix_element_call_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
+matrix_element_call_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"
+
+########################################################################
+#                                                                      #
+# /matrix-element-call                                                 #
+#                                                                      #
+########################################################################
+
+########################################################################
+#                                                                      #
+# livekit-server                                                       #
+#                                                                      #
+########################################################################
+
+livekit_server_enabled: "{{ matrix_element_call_enabled }}"
+
+livekit_server_identifier: matrix-livekit-server
+
+livekit_server_uid: "{{ matrix_user_uid }}"
+livekit_server_gid: "{{ matrix_user_gid }}"
+
+livekit_server_base_path: "{{ matrix_base_data_path }}/livekit-server"
+
+livekit_server_hostname: "sfu.{{ matrix_domain }}"
+
+livekit_server_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}"
+
+livekit_server_container_network: "{{ matrix_addons_container_network }}"
+livekit_server_container_additional_networks_auto: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if (livekit_server_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network) else [] }}"
+
+livekit_server_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
+livekit_server_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
+livekit_server_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
+livekit_server_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"
+
+livekit_server_config_keys_auto: |-
+  {{
+    {}
+    | combine(
+      {matrix_livekit_jwt_service_environment_variable_livekit_key: matrix_livekit_jwt_service_environment_variable_livekit_secret}
+      if matrix_livekit_jwt_service_enabled else {}
+    )
+  }}
+
+########################################################################
+#                                                                      #
+# /livekit-server                                                      #
+#                                                                      #
+########################################################################
+
+
+########################################################################
+#                                                                      #
+# matrix-livekit-jwt-service                                           #
+#                                                                      #
+########################################################################
+
+matrix_livekit_jwt_service_enabled: "{{ matrix_element_call_enabled and livekit_server_enabled }}"
+
+matrix_livekit_jwt_service_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}"
+
+matrix_livekit_jwt_service_hostname: "{{ matrix_server_fqn_matrix }}"
+matrix_livekit_jwt_service_path_prefix: "/lk-jwt-service"
+
+matrix_livekit_jwt_service_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}"
+
+matrix_livekit_jwt_service_container_network: "{{ matrix_addons_container_network }}"
+
+matrix_livekit_jwt_service_container_additional_networks_auto: |
+  {{
+    (
+      ([matrix_playbook_reverse_proxyable_services_additional_network] if (matrix_livekit_jwt_service_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network) else [])
+      +
+      ([livekit_server_container_network] if livekit_server_enabled and (matrix_livekit_jwt_service_environment_variable_livekit_url == livekit_server_websocket_container_url and livekit_server_container_network != matrix_livekit_jwt_service_container_network) else [])
+    ) | unique
+  }}
+
+matrix_livekit_jwt_service_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
+matrix_livekit_jwt_service_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
+matrix_livekit_jwt_service_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
+matrix_livekit_jwt_service_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"
+
+matrix_livekit_jwt_service_environment_variable_livekit_url: "{{ livekit_server_websocket_container_url }}"
+
+matrix_livekit_jwt_service_environment_variable_livekit_key: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'lk.key', rounds=655555) | to_uuid }}"
+
+matrix_livekit_jwt_service_environment_variable_livekit_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'lk.secret', rounds=655555) | to_uuid }}"
+
+########################################################################
+#                                                                      #
+# /matrix-livekit-jwt-service                                          #
+#                                                                      #
+########################################################################

roles/custom/matrix-client-element/defaults/main.yml

@@ -180,6 +180,67 @@ matrix_client_element_branding_auth_header_logo_url: "{{ matrix_client_element_w
 # URL to Wallpaper, shown in background of welcome page
 matrix_client_element_branding_welcome_background_url: ~  # noqa var-naming
 
+# Controls the `features` section of the Element Web configuration.
+matrix_client_element_features: "{{ matrix_client_element_features_default | combine(matrix_client_element_features_auto, recursive=True) | combine(matrix_client_element_features_custom, recursive=True) }}"
+matrix_client_element_features_default: |-
+  {{
+    {}
+
+    | combine(
+      {'feature_video_rooms': true} if matrix_client_element_features_feature_video_rooms else {}
+    )
+    | combine(
+      {'feature_group_calls': true} if matrix_client_element_features_feature_group_calls else {}
+    )
+    | combine(
+      {'feature_element_call_video_rooms': true} if matrix_client_element_features_feature_element_call_video_rooms else {}
+    )
+    | combine(
+      {'feature_oidc_native_flow': true} if matrix_client_element_features_feature_oidc_native_flow else {}
+    )
+  }}
+
+matrix_client_element_features_auto: {}
+matrix_client_element_features_custom: {}
+
+matrix_client_element_features_feature_video_rooms: false
+matrix_client_element_features_feature_group_calls: false
+matrix_client_element_features_feature_element_call_video_rooms: false
+matrix_client_element_features_feature_oidc_native_flow: false
+
+matrix_client_element_element_call_enabled: false
+matrix_client_element_element_call: "{{ matrix_client_element_element_call_default | combine(matrix_client_element_element_call_auto, recursive=True) | combine(matrix_client_element_element_call_custom, recursive=True) }}"
+matrix_client_element_element_call_default: |-
+  {{
+    {}
+    | combine(
+      {'url': matrix_client_element_element_call_url} if matrix_client_element_element_call_url else {}
+    )
+    | combine(
+      {'participant_limit': matrix_client_element_element_call_participant_limit} if matrix_client_element_element_call_participant_limit else {}
+    )
+    | combine(
+      {'brand': matrix_client_element_element_call_brand} if matrix_client_element_element_call_brand else {}
+    )
+    | combine(
+      {'use_exclusively': matrix_client_element_element_call_use_exclusively} if matrix_client_element_element_call_use_exclusively else {}
+    )
+  }}
+matrix_client_element_element_call_auto: {}
+matrix_client_element_element_call_custom: {}
+
+# Controls the `element_call.url` setting in the Element Web configuration.
+matrix_client_element_element_call_url: ''
+
+# Controls the `element_call.participant_limit` setting in the Element Web configuration.
+matrix_client_element_element_call_participant_limit: 8
+
+# Controls the `element_call.brand` setting in the Element Web configuration.
+matrix_client_element_element_call_brand: "Element Call"
+
+# Controls the `element_call.use_exclusively` setting in the Element Web configuration.
+matrix_client_element_element_call_use_exclusively: true
+
 matrix_client_element_page_template_welcome_path: "{{ role_path }}/templates/welcome.html.j2"
 
 # By default, there's no Element Web homepage (when logged in). If you wish to have one,

roles/custom/matrix-client-element/templates/config.json.j2

@@ -44,5 +44,7 @@
 		"auth_footer_links": {{ matrix_client_element_branding_auth_footer_links | to_json }},
 		"auth_header_logo_url": {{ matrix_client_element_branding_auth_header_logo_url | to_json }},
 		"welcome_background_url": {{ matrix_client_element_branding_welcome_background_url | to_json }}
-	}
+	},
+	"features": {{ matrix_client_element_features | to_json }},
+	"element_call": {{ (matrix_client_element_element_call if matrix_client_element_element_call_enabled else {}) | to_json }}
 }

roles/custom/matrix-client-schildichat/defaults/main.yml

@@ -4,6 +4,12 @@
 matrix_client_schildichat_enabled: true
 
 matrix_client_schildichat_container_image_self_build: false
+matrix_client_schildichat_container_image_self_build_repo: "https://github.com/SchildiChat/schildichat-desktop.git"
+matrix_client_schildichat_container_image_self_build_version: "{{ 'lite' if matrix_client_schildichat_version == 'latest' else ('v' + matrix_client_schildichat_version) }}"
+# Controls whether to patch webpack.config.js when self-building, so that building can pass on low-memory systems (< 4 GB RAM):
+# - https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1357
+# - https://github.com/element-hq/element-web/issues/19544
+matrix_client_schildichat_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}"
 
 # renovate: datasource=docker depName=ghcr.io/etkecc/schildichat-web
 matrix_client_schildichat_version: 1.11.36-sc.3
@@ -12,7 +18,7 @@ matrix_client_schildichat_docker_image_name_prefix: "{{ 'localhost/' if matrix_c
 matrix_client_schildichat_docker_image_force_pull: "{{ matrix_client_schildichat_docker_image.endswith(':latest') }}"
 
 matrix_client_schildichat_data_path: "{{ matrix_base_data_path }}/client-schildichat"
-matrix_client_schildichat_docker_src_files_path: "{{ matrix_client_schildichat_data_path }}/docker-src"
+matrix_client_schildichat_container_src_files_path: "{{ matrix_client_schildichat_data_path }}/docker-src"
 
 # The base container network
 matrix_client_schildichat_container_network: ''

roles/custom/matrix-client-schildichat/tasks/setup_install.yml

@@ -9,10 +9,10 @@
     group: "{{ matrix_user_groupname }}"
   with_items:
     - {path: "{{ matrix_client_schildichat_data_path }}", when: true}
-    - {path: "{{ matrix_client_schildichat_docker_src_files_path }}", when: "{{ matrix_client_schildichat_container_image_self_build }}"}
+    - {path: "{{ matrix_client_schildichat_container_src_files_path }}", when: "{{ matrix_client_schildichat_container_image_self_build }}"}
   when: "item.when | bool"
 
-- name: Ensure SchildiChat Web Docker image is pulled
+- name: Ensure SchildiChat Web container image is pulled
   community.docker.docker_image:
     name: "{{ matrix_client_schildichat_docker_image }}"
     source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
@@ -24,40 +24,40 @@
   delay: "{{ devture_playbook_help_container_retries_delay }}"
   until: result is not failed
 
-- name: Ensure SchildiChat Web repository is present on self-build
+- when: "matrix_client_schildichat_container_image_self_build | bool"
-  ansible.builtin.git:
+  block:
-    repo: "{{ matrix_client_schildichat_container_image_self_build_repo }}"
+    - name: Ensure SchildiChat Web repository is present on self-build
-    dest: "{{ matrix_client_schildichat_docker_src_files_path }}"
+      ansible.builtin.git:
-    version: "{{ matrix_client_schildichat_docker_image.split(':')[1] }}"
+        repo: "{{ matrix_client_schildichat_container_image_self_build_repo }}"
-    force: "yes"
+        dest: "{{ matrix_client_schildichat_container_src_files_path }}"
-  become: true
+        version: "{{ matrix_client_schildichat_container_image_self_build_version }}"
-  become_user: "{{ matrix_user_username }}"
+        force: "yes"
-  register: matrix_client_schildichat_git_pull_results
+      become: true
-  when: "matrix_client_schildichat_container_image_self_build | bool"
+      become_user: "{{ matrix_user_username }}"
+      register: matrix_client_schildichat_git_pull_results
 
-# See:
+    # See:
-# - https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1357
+    # - https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1357
-# - https://github.com/vector-im/schildichat-web/issues/19544 -- # Update (2023-12-15): 404
+    # - https://github.com/vector-im/schildichat-web/issues/19544 -- # Update (2023-12-15): 404
-- name: Patch webpack.config.js to support building on low-memory (<4G RAM) devices
+    - name: Patch webpack.config.js to support building on low-memory (<4G RAM) devices
-  ansible.builtin.lineinfile:
+      ansible.builtin.lineinfile:
-    path: "{{ matrix_client_schildichat_docker_src_files_path }}/webpack.config.js"
+        path: "{{ matrix_client_schildichat_container_src_files_path }}/element-web/webpack.config.js"
-    regexp: '(\s+)splitChunks: \{'
+        regexp: '(\s+)splitChunks: \{'
-    line: '\1splitChunks: { maxSize: 100000,'
+        line: '\1splitChunks: { maxSize: 100000,'
-    backrefs: true
+        backrefs: true
-    owner: root
+        owner: root
-    group: root
+        group: root
-    mode: '0644'
+        mode: '0644'
-  when: "matrix_client_schildichat_container_image_self_build | bool and matrix_client_schildichat_container_image_self_build_low_memory_system_patch_enabled | bool"
+      when: "matrix_client_schildichat_container_image_self_build_low_memory_system_patch_enabled | bool"
 
-- name: Ensure SchildiChat Web Docker image is built
+    - name: Ensure SchildiChat Web container image is built
-  ansible.builtin.command:
+      ansible.builtin.command:
-    cmd: |-
+        cmd: |-
-      {{ devture_systemd_docker_base_host_command_docker }} buildx build
+          {{ devture_systemd_docker_base_host_command_docker }} buildx build
-      --tag={{ matrix_client_schildichat_docker_image }}
+          --tag={{ matrix_client_schildichat_docker_image }}
-      --file={{ matrix_client_schildichat_docker_src_files_path }}/Dockerfile
+          --file={{ matrix_client_schildichat_container_src_files_path }}/Dockerfile
-      {{ matrix_client_schildichat_docker_src_files_path }}
+          {{ matrix_client_schildichat_container_src_files_path }}
-  changed_when: true
+      changed_when: true
-  when: matrix_client_schildichat_container_image_self_build | bool
 
 - name: Ensure SchildiChat Web configuration installed
   ansible.builtin.copy:

roles/custom/matrix-dimension/defaults/main.yml

@@ -16,7 +16,7 @@ matrix_dimension_path_prefix: /
 # For information on how to acquire an access token, visit https://t2bot.io/docs/access_tokens
 matrix_dimension_access_token: ""
 
-# Users in form: ['@user1:example.com', '@user2:example.com']
+# Users in form: ['@alice:example.com', '@bob:example.com']
 matrix_dimension_admins: []
 
 # Whether to allow Dimension widgets serve websites with invalid or self signed SSL certificates

roles/custom/matrix-element-call/defaults/main.yml

@@ -0,0 +1,120 @@
+---
+# Enable or disable matrix-element-call deployment
+matrix_element_call_enabled: false
+
+matrix_element_call_scheme: https
+matrix_element_call_hostname: "call.{{ matrix_domain }}"
+
+# Base path configuration
+matrix_element_call_base_path: "{{ matrix_base_data_path }}/element-call"
+
+# Docker network configuration
+matrix_element_call_container_network: ''
+matrix_element_call_container_http_host_bind_port: ''
+matrix_element_call_container_additional_networks: []  # No additional networks by default
+
+# Docker images
+matrix_element_call_image: "ghcr.io/element-hq/element-call:latest"
+
+# Ports
+matrix_element_call_port: "8093"
+
+# Traefik Configuration for Element Call
+matrix_element_call_container_labels_traefik_enabled: true
+matrix_element_call_container_labels_traefik_docker_network: "{{ matrix_element_call_container_network }}"
+matrix_element_call_container_labels_traefik_hostname: "{{ matrix_element_call_hostname }}"
+# The path prefix must either be `/` or not end with a slash (e.g. `/element`).
+matrix_element_call_container_labels_traefik_path_prefix: "{{ matrix_element_call_path_prefix }}"
+matrix_element_call_container_labels_traefik_rule: "Host(`{{ matrix_element_call_container_labels_traefik_hostname }}`){% if matrix_element_call_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_element_call_container_labels_traefik_path_prefix }}`){% endif %}"
+matrix_element_call_container_labels_traefik_priority: 0
+matrix_element_call_container_labels_traefik_entrypoints: web-secure
+matrix_element_call_container_labels_traefik_tls: "{{ matrix_element_call_container_labels_traefik_entrypoints != 'web' }}"
+matrix_element_call_container_labels_traefik_tls_certResolver: default  # noqa var-naming
+
+# Controls which additional headers to attach to all HTTP responses.
+# To add your own headers, use `matrix_element_call_container_labels_traefik_additional_response_headers_custom`
+matrix_element_call_container_labels_traefik_additional_response_headers: "{{ matrix_element_call_container_labels_traefik_additional_response_headers_auto | combine(matrix_element_call_container_labels_traefik_additional_response_headers_custom) }}"
+matrix_element_call_container_labels_traefik_additional_response_headers_auto: |
+  {{
+    {}
+    | combine ({'X-XSS-Protection': matrix_element_call_http_header_xss_protection} if matrix_element_call_http_header_xss_protection else {})
+    | combine ({'X-Frame-Options': matrix_element_call_http_header_frame_options} if matrix_element_call_http_header_frame_options else {})
+    | combine ({'X-Content-Type-Options': matrix_element_call_http_header_content_type_options} if matrix_element_call_http_header_content_type_options else {})
+    | combine ({'Content-Security-Policy': matrix_element_call_http_header_content_security_policy} if matrix_element_call_http_header_content_security_policy else {})
+    | combine ({'Permission-Policy': matrix_element_call_http_header_content_permission_policy} if matrix_element_call_http_header_content_permission_policy else {})
+    | combine ({'Strict-Transport-Security': matrix_element_call_http_header_strict_transport_security} if matrix_element_call_http_header_strict_transport_security and matrix_element_call_container_labels_traefik_tls else {})
+  }}
+matrix_element_call_container_labels_traefik_additional_response_headers_custom: {}
+
+# matrix_client_element_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
+# See `../templates/labels.j2` for details.
+#
+# Example:
+# matrix_client_element_container_labels_additional_labels: |
+#   my.label=1
+#   another.label="here"
+matrix_element_call_container_labels_additional_labels: ''
+
+# A list of extra arguments to pass to the container
+matrix_element_call_container_extra_arguments: []
+
+# Additional environment variables for the container
+matrix_element_call_environment_variables_additional: {}
+
+# List of systemd services that matrix-element-call.service depends on
+matrix_element_call_systemd_required_services_list: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
+
+# Specifies the value of the `X-XSS-Protection` header
+# Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.
+#
+# Learn more about it is here:
+# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
+# - https://portswigger.net/web-security/cross-site-scripting/reflected
+matrix_element_call_http_header_xss_protection: ''
+
+# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen.
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+matrix_element_call_http_header_frame_options: ''
+
+# Specifies the value of the `X-Content-Type-Options` header.
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
+matrix_element_call_http_header_content_type_options: ''
+
+# Specifies the value of the `Content-Security-Policy` header.
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
+matrix_element_call_http_header_content_security_policy: ''
+
+# Specifies the value of the `Permission-Policy` header.
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy
+matrix_element_call_http_header_content_permission_policy: ''
+
+# Specifies the value of the `Strict-Transport-Security` header.
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
+matrix_element_call_http_header_strict_transport_security: ''
+
+# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses
+#
+# Learn more about what it is here:
+# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea
+# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network
+# - https://amifloced.org/
+#
+# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices.
+# See: `matrix_element_call_content_permission_policy`
+matrix_element_call_floc_optout_enabled: false
+
+# Controls if HSTS preloading is enabled
+#
+# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and
+# indicates a willingness to be "preloaded" into browsers:
+# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`
+# For more information visit:
+# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
+# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
+# - https://hstspreload.org/#opt-in
+# See: `matrix_element_call_http_header_strict_transport_security`
+matrix_element_call_hsts_preload_enabled: false
+
+# Enable or disable metrics collection
+matrix_element_call_metrics_enabled: false
+matrix_element_call_metrics_port: 2112

roles/custom/matrix-element-call/tasks/install.yml

@@ -0,0 +1,49 @@
+---
+# roles/custom/matrix-element-call/tasks/install.yml
+
+# Ensure Required Directories Exist
+- name: Ensure matrix-element-call paths exist
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - path: "{{ matrix_element_call_base_path }}"
+    - path: "{{ matrix_base_data_path }}/static-files/public/.well-known/element"  # Directory for element.json
+
+# Ensure Configuration Files are in Place
+- name: Ensure Element Call config.json is in place
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/config.json.j2"
+    dest: "{{ matrix_element_call_base_path }}/config.json"
+    mode: 0640
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+
+- name: Ensure matrix-element-call Docker labels file is in place
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/labels.j2"
+    dest: "{{ matrix_element_call_base_path }}/labels"
+    mode: 0640
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+
+# Ensure Docker Images are Pulled
+- name: Ensure matrix-element-call Docker image is pulled
+  community.docker.docker_image:
+    name: "{{ matrix_element_call_container_image }}"
+    source: pull
+    force_source: "{{ matrix_element_call_container_image_force_pull }}"
+  register: element_call_image_result
+  retries: "{{ devture_playbook_help_container_retries_count }}"
+  delay: "{{ devture_playbook_help_container_retries_delay }}"
+  until: element_call_image_result is not failed
+
+# Systemd Services for Element Call
+- name: Ensure matrix-element-call systemd service is installed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/systemd/matrix-element-call.service.j2"
+    dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-element-call.service"
+    mode: 0644

roles/custom/matrix-element-call/tasks/main.yml

@@ -0,0 +1,21 @@
+---
+# Main task file for matrix-element-call
+
+- tags:
+    - setup-all
+    - setup-element-call
+    - install-all
+    - install-element-call
+  block:
+    - when: matrix_element_call_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
+
+    - when: matrix_element_call_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml"
+
+- tags:
+    - setup-all
+    - setup-element-call
+  block:
+    - when: not matrix_element_call_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml"

roles/custom/matrix-element-call/tasks/uninstall.yml

@@ -0,0 +1,21 @@
+---
+# Uninstall tasks for matrix-element-call
+
+- name: Stop and remove matrix-element-call container
+  community.docker.docker_container:
+    name: "matrix-element-call"
+    state: absent
+
+- name: Remove matrix-element-call systemd service
+  ansible.builtin.file:
+    path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-element-call.service"
+    state: absent
+
+- name: Remove matrix-element-call configuration files
+  ansible.builtin.file:
+    path: "{{ matrix_element_call_base_path }}"
+    state: absent
+
+- name: Reload systemd daemon
+  ansible.builtin.systemd:
+    daemon_reload: true

roles/custom/matrix-element-call/tasks/validate_config.yml

@@ -0,0 +1,12 @@
+---
+# Validate configuration for matrix-element-call
+
+- name: Fail if required matrix-element-call settings are not defined
+  ansible.builtin.fail:
+    msg: >
+      You need to define a required configuration setting (`{{ item.name }}`).
+  when: "item.when | bool and vars[item.name] == ''"
+  with_items:
+    - {'name': 'matrix_element_call_base_path', when: true}
+    - {'name': 'matrix_element_call_container_network', when: true}
+    - {'name': 'matrix_element_call_image', when: true}

roles/custom/matrix-element-call/templates/config.json.j2

@@ -0,0 +1,11 @@
+{
+  "default_server_config": {
+    "m.homeserver": {
+      "base_url": "{{ matrix_homeserver_url }}",
+      "server_name": "{{ matrix_domain }}"
+    }
+  },
+  "livekit": {
+    "livekit_service_url": "{{ matrix_livekit_jwt_service_public_url }}"
+  }
+}

roles/custom/matrix-element-call/templates/labels.j2

@@ -0,0 +1,46 @@
+{% if matrix_element_call_container_labels_traefik_enabled %}
+traefik.enable=true
+
+# Network configuration for Traefik
+{% if matrix_element_call_container_labels_traefik_docker_network %}
+traefik.docker.network={{ matrix_element_call_container_labels_traefik_docker_network }}
+{% endif %}
+
+traefik.http.services.matrix-element-call.loadbalancer.server.port=8080
+
+{% set middlewares = [] %}
+
+# Path prefix handling for Element Call
+{% if matrix_element_call_container_labels_traefik_path_prefix != '/' %}
+traefik.http.middlewares.matrix-element-call-slashless-redirect.redirectregex.regex=({{ matrix_element_call_container_labels_traefik_path_prefix | quote }})$
+traefik.http.middlewares.matrix-element-call-slashless-redirect.redirectregex.replacement=${1}/
+{% set middlewares = middlewares + ['matrix-element-call-slashless-redirect'] %}
+
+traefik.http.middlewares.matrix-element-call-strip-prefix.stripprefix.prefixes={{ matrix_element_call_container_labels_traefik_path_prefix }}
+{% set middlewares = middlewares + ['matrix-element-call-strip-prefix'] %}
+{% endif %}
+
+{% if matrix_element_call_container_labels_traefik_additional_response_headers.keys() | length > 0 %}
+{% for name, value in matrix_element_call_container_labels_traefik_additional_response_headers.items() %}
+traefik.http.middlewares.matrix-element-call-add-headers.headers.customresponseheaders.{{ name }}={{ value }}
+{% endfor %}
+{% set middlewares = middlewares + ['matrix-element-call-add-headers'] %}
+{% endif %}
+
+traefik.http.routers.matrix-element-call.rule={{ matrix_element_call_container_labels_traefik_rule }}
+{% if matrix_element_call_container_labels_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-element-call.priority={{ matrix_element_call_container_labels_traefik_priority }}
+{% endif %}
+traefik.http.routers.matrix-element-call.service=matrix-element-call
+{% if middlewares | length > 0 %}
+traefik.http.routers.matrix-element-call.middlewares={{ middlewares | join(',') }}
+{% endif %}
+traefik.http.routers.matrix-element-call.entrypoints={{ matrix_element_call_container_labels_traefik_entrypoints }}
+traefik.http.routers.matrix-element-call.tls={{ matrix_element_call_container_labels_traefik_tls | to_json }}
+{% if matrix_element_call_container_labels_traefik_tls %}
+traefik.http.routers.matrix-element-call.tls.certResolver={{ matrix_element_call_container_labels_traefik_tls_certResolver }}
+{% endif %}
+
+{% endif %}
+
+{{ matrix_element_call_container_labels_additional_labels }}

roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2

@@ -0,0 +1,46 @@
+#jinja2: lstrip_blocks: "True"
+[Unit]
+Description=Matrix Element Call Service
+{% for service in matrix_client_element_systemd_required_services_list %}
+Requires={{ service }}
+After={{ service }}
+{% endfor %}
+DefaultDependencies=no
+
+[Service]
+Type=simple
+Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-element-call 2>/dev/null || true'
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-element-call 2>/dev/null || true'
+
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
+    --rm \
+    --name=matrix-element-call \
+    --log-driver=none \
+    --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+    --cap-drop=ALL \
+    --network={{ matrix_element_call_container_network }} \
+    --mount type=bind,src={{ matrix_element_call_base_path }}/config.json,dst=/app/config.json,ro \
+    {% if matrix_element_call_container_http_host_bind_port %}
+    -p {{ matrix_element_call_container_http_host_bind_port }}:8080 \
+    {% endif %}
+    --label-file={{ matrix_element_call_base_path }}/labels \
+    {% for arg in matrix_element_call_container_extra_arguments %}
+    {{ arg }} \
+    {% endfor %}
+    {{ matrix_element_call_image }}
+
+{% for network in matrix_element_call_container_additional_networks %}
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-element-call
+{% endfor %}
+
+ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-element-call
+
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-element-call 2>/dev/null || true'
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-element-call 2>/dev/null || true'
+Restart=always
+RestartSec=30
+SyslogIdentifier=matrix-element-call
+
+[Install]
+WantedBy=multi-user.target

roles/custom/matrix-element-call/vars/main.yml

@@ -0,0 +1,3 @@
+---
+
+matrix_element_call_public_url: "{{ matrix_element_call_scheme }}://{{ matrix_element_call_hostname }}"

roles/custom/matrix-livekit-jwt-service/defaults/main.yml

@@ -0,0 +1,81 @@
+---
+
+# Project source code URL: https://github.com/element-hq/lk-jwt-service
+
+matrix_livekit_jwt_service_enabled: false
+
+matrix_livekit_jwt_service_scheme: https
+matrix_livekit_jwt_service_hostname: ""
+matrix_livekit_jwt_service_path_prefix: "/lk-jwt-service"
+
+matrix_livekit_jwt_service_base_path: "{{ matrix_base_data_path }}/livekit-jwt-service"
+
+matrix_livekit_jwt_service_container_network: ''
+
+matrix_livekit_jwt_service_container_http_host_bind_port: ''
+
+matrix_livekit_jwt_service_container_additional_networks: "{{ (matrix_livekit_jwt_service_container_additional_networks_auto + matrix_livekit_jwt_service_container_additional_networks_custom) | unique }}"
+matrix_livekit_jwt_service_container_additional_networks_auto: []
+matrix_livekit_jwt_service_container_additional_networks_custom: []
+
+# renovate: datasource=docker depName=ghcr.io/element-hq/lk-jwt-service
+matrix_livekit_jwt_service_version: latest-ci
+
+matrix_livekit_jwt_service_container_image_self_build: false
+matrix_livekit_jwt_service_container_repo: "https://github.com/element-hq/lk-jwt-service.git"
+matrix_livekit_jwt_service_container_repo_version: "{{ 'main' if matrix_livekit_jwt_service_version in ['latest', 'latest-ci'] else livekit_server_version }}"
+matrix_livekit_jwt_service_container_src_files_path: "{{ matrix_livekit_jwt_service_base_path }}/container-src"
+
+matrix_livekit_jwt_service_container_image: "{{ matrix_livekit_jwt_service_container_image_name_prefix }}element-hq/lk-jwt-service:{{ matrix_livekit_jwt_service_version }}"
+matrix_livekit_jwt_service_container_image_name_prefix: "{{ 'localhost/' if matrix_livekit_jwt_service_container_image_self_build else 'ghcr.io/' }}"
+matrix_livekit_jwt_service_container_image_force_pull: "{{ matrix_livekit_jwt_service_container_image.endswith(':latest') }}"
+
+matrix_livekit_jwt_service_container_labels_traefik_enabled: true
+matrix_livekit_jwt_service_container_labels_traefik_docker_network: "{{ matrix_livekit_jwt_service_container_network }}"
+matrix_livekit_jwt_service_container_labels_traefik_hostname: "{{ matrix_livekit_jwt_service_hostname }}"
+# The path prefix must either be `/` or not end with a slash (e.g. `/lk-jwt-service`).
+matrix_livekit_jwt_service_container_labels_traefik_path_prefix: "{{ matrix_livekit_jwt_service_path_prefix }}"
+matrix_livekit_jwt_service_container_labels_traefik_rule: "Host(`{{ matrix_livekit_jwt_service_container_labels_traefik_hostname }}`){% if matrix_livekit_jwt_service_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_livekit_jwt_service_container_labels_traefik_path_prefix }}`){% endif %}"
+matrix_livekit_jwt_service_container_labels_traefik_priority: 0
+matrix_livekit_jwt_service_container_labels_traefik_entrypoints: web-secure
+matrix_livekit_jwt_service_container_labels_traefik_tls: "{{ matrix_livekit_jwt_service_container_labels_traefik_entrypoints != 'web' }}"
+matrix_livekit_jwt_service_container_labels_traefik_tls_certResolver: default  # noqa var-naming
+
+# Controls which additional headers to attach to all HTTP responses.
+# To add your own headers, use `matrix_livekit_jwt_service_container_labels_traefik_additional_response_headers_custom`
+matrix_livekit_jwt_service_container_labels_traefik_additional_response_headers: "{{ matrix_livekit_jwt_service_container_labels_traefik_additional_response_headers_auto | combine(matrix_livekit_jwt_service_container_labels_traefik_additional_response_headers_custom) }}"
+matrix_livekit_jwt_service_container_labels_traefik_additional_response_headers_auto: {}
+matrix_livekit_jwt_service_container_labels_traefik_additional_response_headers_custom: {}
+
+# matrix_client_element_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
+# See `../templates/labels.j2` for details.
+#
+# Example:
+# matrix_client_element_container_labels_additional_labels: |
+#   my.label=1
+#   another.label="here"
+matrix_livekit_jwt_service_container_labels_additional_labels: ''
+
+# A list of extra arguments to pass to the container
+matrix_livekit_jwt_service_container_extra_arguments: []
+
+# Controls the LK_JWT_PORT environment variable
+matrix_livekit_jwt_service_environment_variable_lk_jwt_port: 8080
+
+# Controls the LIVEKIT_KEY environment variable
+matrix_livekit_jwt_service_environment_variable_livekit_key: ""
+
+# Controls the LIVEKIT_URL environment variable
+matrix_livekit_jwt_service_environment_variable_livekit_url: ""
+
+# Controls the LIVEKIT_SECRET environment variable
+matrix_livekit_jwt_service_environment_variable_livekit_secret: ""
+
+# Additional environment variables for the container
+matrix_livekit_jwt_service_environment_variables_additional: {}
+
+# List of systemd services that LiveKit JWT Service service depends on
+matrix_livekit_jwt_service_systemd_required_services_list: "{{ matrix_livekit_jwt_service_systemd_required_services_list_default + matrix_livekit_jwt_service_systemd_required_services_list_auto + matrix_livekit_jwt_service_systemd_required_services_list_custom }}"
+matrix_livekit_jwt_service_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
+matrix_livekit_jwt_service_systemd_required_services_list_auto: []
+matrix_livekit_jwt_service_systemd_required_services_list_custom: []

roles/custom/matrix-livekit-jwt-service/tasks/install.yml

@@ -0,0 +1,69 @@
+---
+
+- name: Ensure LiveKit JWT Service paths exist
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - path: "{{ matrix_livekit_jwt_service_base_path }}"
+
+- name: Ensure LiveKit JWT Service support files installed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/{{ item }}.j2"
+    dest: "{{ matrix_livekit_jwt_service_base_path }}/{{ item }}"
+    mode: 0640
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - env
+    - labels
+
+- name: Ensure LiveKit JWT Service container image is pulled
+  community.docker.docker_image:
+    name: "{{ matrix_livekit_jwt_service_container_image }}"
+    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    force_source: "{{ matrix_livekit_jwt_service_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_livekit_jwt_service_container_image_force_pull }}"
+  when: "not matrix_livekit_jwt_service_container_image_self_build | bool"
+  register: result
+  retries: "{{ devture_playbook_help_container_retries_count }}"
+  delay: "{{ devture_playbook_help_container_retries_delay }}"
+  until: result is not failed
+
+- when: "matrix_livekit_jwt_service_container_image_self_build | bool"
+  block:
+    - name: Ensure LiveKit JWT Service repository is present on self-build
+      ansible.builtin.git:
+        repo: "{{ matrix_livekit_jwt_service_container_repo }}"
+        version: "{{ matrix_livekit_jwt_service_container_repo_version }}"
+        dest: "{{ matrix_livekit_jwt_service_container_src_files_path }}"
+        force: "yes"
+      become: true
+      become_user: "{{ matrix_user_username }}"
+      register: matrix_livekit_jwt_service_git_pull_results
+
+    - name: Ensure LiveKit JWT Service container image is built
+      community.docker.docker_image:
+        name: "{{ matrix_livekit_jwt_service_container_image }}"
+        source: build
+        force_source: "{{ matrix_livekit_jwt_service_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+        force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_livekit_jwt_service_git_pull_results.changed }}"
+        build:
+          dockerfile: Dockerfile
+          path: "{{ matrix_livekit_jwt_service_container_src_files_path }}"
+          pull: true
+
+- name: Ensure LiveKit JWT Service container network is created
+  community.general.docker_network:
+    enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}"
+    name: "{{ matrix_livekit_jwt_service_container_network }}"
+    driver: bridge
+
+- name: Ensure LiveKit JWT Service systemd service is installed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/systemd/matrix-livekit-jwt-service.service.j2"
+    dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-livekit-jwt-service.service"
+    mode: 0644

roles/custom/matrix-livekit-jwt-service/tasks/main.yml

@@ -0,0 +1,20 @@
+---
+
+- tags:
+    - setup-all
+    - setup-jwt-service
+    - install-all
+    - install-livekit-jwt-service
+  block:
+    - when: matrix_livekit_jwt_service_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
+
+    - when: matrix_livekit_jwt_service_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml"
+
+- tags:
+    - setup-all
+    - setup-livekit-jwt-service
+  block:
+    - when: not matrix_livekit_jwt_service_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml"

roles/custom/matrix-livekit-jwt-service/tasks/uninstall.yml

@@ -0,0 +1,25 @@
+---
+
+- name: Check existence of LiveKit JWT Service systemd service
+  ansible.builtin.stat:
+    path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-livekit-jwt-service.service"
+  register: matrix_livekit_jwt_service_service_stat
+
+- when: matrix_livekit_jwt_service_service_stat.stat.exists | bool
+  block:
+    - name: Ensure LiveKit JWT Service systemd service is stopped
+      ansible.builtin.service:
+        name: matrix-livekit-jwt-service
+        state: stopped
+        enabled: false
+        daemon_reload: true
+
+    - name: Ensure LiveKit JWT Service systemd service doesn't exist
+      ansible.builtin.file:
+        path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-livekit-jwt-service.service"
+        state: absent
+
+    - name: Ensure LiveKit JWT Service paths don't exist
+      ansible.builtin.file:
+        path: "{{ matrix_livekit_jwt_service_base_path }}"
+        state: absent

roles/custom/matrix-livekit-jwt-service/tasks/validate_config.yml

@@ -0,0 +1,13 @@
+---
+
+- name: Fail if required LiveKit JWT Service settings are not defined
+  ansible.builtin.fail:
+    msg: >
+      You need to define a required configuration setting (`{{ item.name }}`).
+  when: "item.when | bool and vars[item.name] | length == 0"
+  with_items:
+    - {'name': 'matrix_livekit_jwt_service_hostname', when: true}
+    - {'name': 'matrix_livekit_jwt_service_container_network', when: true}
+    - {'name': 'matrix_livekit_jwt_service_environment_variable_livekit_key', when: true}
+    - {'name': 'matrix_livekit_jwt_service_environment_variable_livekit_url', when: true}
+    - {'name': 'matrix_livekit_jwt_service_environment_variable_livekit_secret', when: true}

roles/custom/matrix-livekit-jwt-service/templates/env.j2

@@ -0,0 +1,7 @@
+LK_JWT_PORT={{ matrix_livekit_jwt_service_environment_variable_lk_jwt_port | int | to_json }}
+
+LIVEKIT_KEY={{ matrix_livekit_jwt_service_environment_variable_livekit_key }}
+LIVEKIT_URL={{ matrix_livekit_jwt_service_environment_variable_livekit_url }}
+LIVEKIT_SECRET={{ matrix_livekit_jwt_service_environment_variable_livekit_secret }}
+
+{{ matrix_livekit_jwt_service_environment_variables_additional }}

roles/custom/matrix-livekit-jwt-service/templates/labels.j2

@@ -0,0 +1,48 @@
+{% if matrix_element_call_container_labels_traefik_enabled %}
+traefik.enable=true
+
+traefik.docker.network={{ matrix_livekit_jwt_service_container_labels_traefik_docker_network }}
+
+traefik.http.services.matrix-livekit-jwt-service.loadbalancer.server.port={{ matrix_livekit_jwt_service_environment_variable_lk_jwt_port }}
+
+{% set middlewares = [] %}
+
+{% if matrix_livekit_jwt_service_container_labels_traefik_path_prefix != '/' %}
+traefik.http.middlewares.matrix-livekit-jwt-service-slashless-redirect.redirectregex.regex=({{ matrix_livekit_jwt_service_container_labels_traefik_path_prefix | quote }})$
+traefik.http.middlewares.matrix-livekit-jwt-service-slashless-redirect.redirectregex.replacement=${1}/
+{% set middlewares = middlewares + ['matrix-livekit-jwt-service-slashless-redirect'] %}
+
+traefik.http.middlewares.matrix-livekit-jwt-service-strip-prefix.stripprefix.prefixes={{ matrix_livekit_jwt_service_container_labels_traefik_path_prefix }}
+{% set middlewares = middlewares + ['matrix-livekit-jwt-service-strip-prefix'] %}
+{% endif %}
+
+{% if matrix_livekit_jwt_service_container_labels_traefik_additional_response_headers.keys() | length > 0 %}
+{% for name, value in matrix_livekit_jwt_service_container_labels_traefik_additional_response_headers.items() %}
+traefik.http.middlewares.matrix-livekit-jwt-service-add-headers.headers.customresponseheaders.{{ name }}={{ value }}
+{% endfor %}
+{% set middlewares = middlewares + ['matrix-livekit-jwt-service-add-headers'] %}
+{% endif %}
+
+traefik.http.routers.matrix-livekit-jwt-service.rule={{ matrix_livekit_jwt_service_container_labels_traefik_rule }}
+
+{% if matrix_livekit_jwt_service_container_labels_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-livekit-jwt-service.priority={{ matrix_livekit_jwt_service_container_labels_traefik_priority }}
+{% endif %}
+
+traefik.http.routers.matrix-livekit-jwt-service.service=matrix-livekit-jwt-service
+
+{% if middlewares | length > 0 %}
+traefik.http.routers.matrix-livekit-jwt-service.middlewares={{ middlewares | join(',') }}
+{% endif %}
+
+traefik.http.routers.matrix-livekit-jwt-service.entrypoints={{ matrix_livekit_jwt_service_container_labels_traefik_entrypoints }}
+
+traefik.http.routers.matrix-livekit-jwt-service.tls={{ matrix_livekit_jwt_service_container_labels_traefik_tls | to_json }}
+
+{% if matrix_livekit_jwt_service_container_labels_traefik_tls %}
+traefik.http.routers.matrix-livekit-jwt-service.tls.certResolver={{ matrix_livekit_jwt_service_container_labels_traefik_tls_certResolver }}
+{% endif %}
+
+{% endif %}
+
+{{ matrix_livekit_jwt_service_container_labels_additional_labels }}

roles/custom/matrix-livekit-jwt-service/templates/systemd/matrix-livekit-jwt-service.service.j2

@@ -0,0 +1,42 @@
+#jinja2: lstrip_blocks: "True"
+[Unit]
+Description=Matrix LiveKit JWT Service
+{% for service in matrix_livekit_jwt_service_systemd_required_services_list %}
+After={{ service }}
+Requires={{ service }}
+{% endfor %}
+
+[Service]
+Type=simple
+Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-livekit-jwt-service 2>/dev/null || true'
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-livekit-jwt-service 2>/dev/null || true'
+
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
+    --rm \
+    --name=matrix-livekit-jwt-service \
+    --log-driver=none \
+    --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+    --cap-drop=ALL \
+    --network={{ matrix_livekit_jwt_service_container_network }} \
+    {% if matrix_livekit_jwt_service_container_http_host_bind_port %}
+    -p {{ matrix_livekit_jwt_service_container_http_host_bind_port }}:{{ matrix_livekit_jwt_service_environment_variable_lk_jwt_port }} \
+    {% endif %}
+    --env-file={{ matrix_livekit_jwt_service_base_path }}/env \
+    --label-file={{ matrix_livekit_jwt_service_base_path }}/labels \
+    {{ matrix_livekit_jwt_service_container_image }}
+
+{% for network in matrix_livekit_jwt_service_container_additional_networks %}
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-livekit-jwt-service
+{% endfor %}
+
+ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-livekit-jwt-service
+
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-livekit-jwt-service 2>/dev/null || true'
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-jwt-service 2>/dev/null || true'
+Restart=always
+RestartSec=30
+SyslogIdentifier=matrix-livekit-jwt-service
+
+[Install]
+WantedBy=multi-user.target

roles/custom/matrix-livekit-jwt-service/vars/main.yml

@@ -0,0 +1,3 @@
+---
+
+matrix_livekit_jwt_service_public_url: "{{ matrix_livekit_jwt_service_scheme }}://{{ matrix_livekit_jwt_service_hostname }}"

roles/custom/matrix-livekit-server/defaults/main.yml

@@ -0,0 +1,211 @@
+---
+
+# Project source code URL: https://github.com/livekit/livekit
+
+livekit_server_enabled: false
+
+livekit_server_identifier: livekit-server
+
+livekit_server_uid: ''
+livekit_server_gid: ''
+
+livekit_server_base_path: "/{{ livekit_server_identifier }}"
+livekit_server_config_path: "{{ livekit_server_base_path }}/config"
+
+# renovate: datasource=docker depName=docker.io/livekit/livekit-server
+livekit_server_version: v1.8.0
+
+livekit_server_scheme: https
+livekit_server_hostname: ""
+livekit_server_path_prefix: /
+
+livekit_server_container_network: "{{ livekit_server_identifier }}"
+
+livekit_server_container_additional_networks: "{{ livekit_server_container_additional_networks_auto + livekit_server_container_additional_networks_custom }}"
+livekit_server_container_additional_networks_auto: []
+livekit_server_container_additional_networks_custom: []
+
+# Controls whether the LiveKit Server container exposes its RCT TCP port (`livekit_server_config_rtc_tcp_port`)
+#
+# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:5349"), or empty string to not expose.
+livekit_server_container_rtc_tcp_host_bind_port: "{{ livekit_server_config_rtc_tcp_port if livekit_server_container_network != 'host' else '' }}"
+
+# Controls whether the LiveKit Server container exposes its RTC UDP port range and which interface to do it on.
+#
+# Takes an interface "<ip address>" (e.g. "127.0.0.1"), or empty string to listen on all interfaces.
+# Takes a null/none value (`~`) or 'none' (as a string) to prevent listening.
+#
+# The UDP port-range itself is specified using `livekit_server_config_rtc_port_range_start` and `livekit_server_config_rtc_port_range_end`.
+livekit_server_container_rtc_range_listen_interface: "{{ '' if livekit_server_container_network != 'host' else 'none' }}"
+
+livekit_server_container_image_self_build: false
+livekit_server_container_repo: "https://github.com/livekit/livekit.git"
+livekit_server_container_repo_version: "{{ 'main' if livekit_server_version == 'latest' else livekit_server_version }}"
+livekit_server_container_src_files_path: "{{ livekit_server_base_path }}/container-src"
+
+livekit_server_container_image: "{{ livekit_server_container_image_name_prefix }}livekit/livekit-server:{{ livekit_server_version }}"
+livekit_server_container_image_name_prefix: "{{ 'localhost/' if livekit_server_container_image_self_build else 'docker.io/' }}"
+livekit_server_container_image_force_pull: "{{ livekit_server_container_image.endswith(':latest') }}"
+
+livekit_server_container_labels_traefik_enabled: true
+livekit_server_container_labels_traefik_docker_network: "{{ livekit_server_container_network }}"
+livekit_server_container_labels_traefik_hostname: "{{ livekit_server_hostname }}"
+# The path prefix must either be `/` or not end with a slash (e.g. `/element`).
+livekit_server_container_labels_traefik_path_prefix: "{{ livekit_server_path_prefix }}"
+livekit_server_container_labels_traefik_rule: "Host(`{{ livekit_server_container_labels_traefik_hostname }}`){% if livekit_server_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ livekit_server_container_labels_traefik_path_prefix }}`){% endif %}"
+livekit_server_container_labels_traefik_priority: 0
+livekit_server_container_labels_traefik_entrypoints: web-secure
+livekit_server_container_labels_traefik_tls: "{{ livekit_server_container_labels_traefik_entrypoints != 'web' }}"
+livekit_server_container_labels_traefik_tls_certResolver: default  # noqa var-naming
+
+# Controls which additional headers to attach to all HTTP responses.
+# To add your own headers, use `livekit_server_container_labels_traefik_additional_response_headers_custom`
+livekit_server_container_labels_traefik_additional_response_headers: "{{ livekit_server_container_labels_traefik_additional_response_headers_auto | combine(livekit_server_container_labels_traefik_additional_response_headers_custom) }}"
+livekit_server_container_labels_traefik_additional_response_headers_auto: |
+  {{
+    {}
+    | combine ({'X-XSS-Protection': livekit_server_http_header_xss_protection} if livekit_server_http_header_xss_protection else {})
+    | combine ({'X-Frame-Options': livekit_server_http_header_frame_options} if livekit_server_http_header_frame_options else {})
+    | combine ({'X-Content-Type-Options': livekit_server_http_header_content_type_options} if livekit_server_http_header_content_type_options else {})
+    | combine ({'Content-Security-Policy': livekit_server_http_header_content_security_policy} if livekit_server_http_header_content_security_policy else {})
+    | combine ({'Permission-Policy': livekit_server_http_header_content_permission_policy} if livekit_server_http_header_content_permission_policy else {})
+    | combine ({'Strict-Transport-Security': livekit_server_http_header_strict_transport_security} if livekit_server_http_header_strict_transport_security and livekit_server_container_labels_traefik_tls else {})
+  }}
+livekit_server_container_labels_traefik_additional_response_headers_custom: {}
+
+# livekit_server_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
+# See `../templates/labels.j2` for details.
+#
+# Example:
+# livekit_server_container_labels_additional_labels: |
+#   my.label=1
+#   another.label="here"
+livekit_server_container_labels_additional_labels: ''
+
+# A list of extra arguments to pass to the container
+livekit_server_container_extra_arguments: []
+
+# Additional environment variables for the container
+livekit_server_environment_variables_additional: {}
+
+# List of systemd services that LiveKit Server service depends on
+livekit_server_systemd_required_services_list: "{{ livekit_server_systemd_required_services_list_default + livekit_server_systemd_required_services_list_auto + livekit_server_systemd_required_services_list_custom }}"
+livekit_server_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
+livekit_server_systemd_required_services_list_auto: []
+livekit_server_systemd_required_services_list_custom: []
+
+# Specifies the value of the `X-XSS-Protection` header
+# Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.
+#
+# Learn more about it is here:
+# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
+# - https://portswigger.net/web-security/cross-site-scripting/reflected
+livekit_server_http_header_xss_protection: ''
+
+# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen.
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+livekit_server_http_header_frame_options: ''
+
+# Specifies the value of the `X-Content-Type-Options` header.
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
+livekit_server_http_header_content_type_options: ''
+
+# Specifies the value of the `Content-Security-Policy` header.
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
+livekit_server_http_header_content_security_policy: ''
+
+# Specifies the value of the `Permission-Policy` header.
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy
+livekit_server_http_header_content_permission_policy: ''
+
+# Specifies the value of the `Strict-Transport-Security` header.
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
+livekit_server_http_header_strict_transport_security: ''
+
+# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses
+#
+# Learn more about what it is here:
+# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea
+# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network
+# - https://amifloced.org/
+#
+# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices.
+# See: `livekit_server_content_permission_policy`
+livekit_server_floc_optout_enabled: false
+
+# Controls if HSTS preloading is enabled
+#
+# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and
+# indicates a willingness to be "preloaded" into browsers:
+# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`
+# For more information visit:
+# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
+# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
+# - https://hstspreload.org/#opt-in
+# See: `livekit_server_http_header_strict_transport_security`
+livekit_server_hsts_preload_enabled: true
+
+# Holds the final LiveKit Server configuration (a combination of the default and its extension).
+# You most likely don't need to touch this variable. Instead, see `livekit_server_configuration_yaml` or `livekit_server_configuration_extension_yaml`.
+livekit_server_configuration: "{{ livekit_server_configuration_yaml | from_yaml | combine(livekit_server_configuration_extension, recursive=True) }}"
+
+# Default LiveKit Server configuration template which covers the generic use case.
+# You can customize it by controlling the various variables inside it.
+#
+# For a more advanced customization, you can extend the default (see `livekit_server_configuration_extension_yaml`)
+# or completely replace this variable with your own template.
+livekit_server_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}"
+
+livekit_server_configuration_extension_yaml: |
+  # Your custom YAML configuration for LiveKit Server goes here.
+  # This configuration extends the default starting configuration (`livekit_server_configuration_yaml`).
+  #
+  # You can override individual variables from the default configuration, or introduce new ones.
+  #
+  # If you need something more special, you can take full control by
+  # completely redefining `livekit_server_configuration_yaml`.
+  #
+  # Example configuration extension follows:
+  #
+  # logging:
+  #   level: debug
+
+livekit_server_configuration_extension: "{{ livekit_server_configuration_extension_yaml | from_yaml if livekit_server_configuration_extension_yaml | from_yaml is mapping else {} }}"
+
+# Controls the `port` configuration property.
+livekit_server_config_port: 7880
+
+# Controls the `rtc.tcp_port` configuration property
+livekit_server_config_rtc_tcp_port: 7881
+
+# Controls the `rtc.port_range_start` configuration property
+livekit_server_config_rtc_port_range_start: 50100
+
+# Controls the `rtc.port_range_end` configuration property
+livekit_server_config_rtc_port_range_end: 50120
+
+# Controls the `rtc.use_external_ip` configuration property.
+# When set to true, attempts to discover the host's public IP via STUN.
+# This is useful for cloud environments such as AWS & Google where hosts have an internal IP that maps to an external one.
+livekit_server_config_rtc_use_external_ip: true
+
+# Controls the `keys` configuration property.
+livekit_server_config_keys: "{{ livekit_server_config_keys_auto | combine(livekit_server_config_keys_custom, recursive=True) }}"
+livekit_server_config_keys_auto: {}
+livekit_server_config_keys_custom: {}
+
+# Controls the `logging.level` configuration property.
+# Known values: debug, info, warn, error
+livekit_server_config_logging_level: info
+
+# Controls the `logging.pion_level` configuration property
+livekit_server_config_logging_pion_level: error
+
+# Controls the `logging.json` configuration property.
+# When set to true, emits json fields.
+livekit_server_config_logging_json: false
+
+# Controls the `logging.sample` configuration property.
+# For production setups, enables sampling algorithm.
+# See: https://github.com/uber-go/zap/blob/master/FAQ.md#why-sample-application-logs
+livekit_server_config_logging_sample: false

roles/custom/matrix-livekit-server/tasks/install.yml

@@ -0,0 +1,77 @@
+---
+
+- name: Ensure LiveKit Server paths exist
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    state: directory
+    mode: 0750
+    owner: "{{ livekit_server_uid }}"
+    group: "{{ livekit_server_gid }}"
+  with_items:
+    - {path: "{{ livekit_server_base_path }}", when: true}
+    - {path: "{{ livekit_server_config_path }}", when: true}
+    - {path: "{{ livekit_server_container_src_files_path }}", when: "{{ livekit_server_container_image_self_build }}"}
+  when: "item.when | bool"
+
+- name: Ensure LiveKit Server configuration installed
+  ansible.builtin.copy:
+    content: "{{ livekit_server_configuration | to_nice_yaml(indent=2, width=999999) }}"
+    dest: "{{ livekit_server_config_path }}/config.yaml"
+    mode: 0640
+    owner: "{{ livekit_server_uid }}"
+    group: "{{ livekit_server_gid }}"
+
+- name: Ensure LiveKit Server labels file installed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/labels.j2"
+    dest: "{{ livekit_server_base_path }}/labels"
+    mode: 0640
+    owner: "{{ livekit_server_uid }}"
+    group: "{{ livekit_server_gid }}"
+
+- name: Ensure LiveKit Server container image is pulled
+  community.docker.docker_image:
+    name: "{{ livekit_server_container_image }}"
+    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    force_source: "{{ livekit_server_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else livekit_server_container_image_force_pull }}"
+  when: "not livekit_server_container_image_self_build | bool"
+  register: result
+  retries: "{{ devture_playbook_help_container_retries_count }}"
+  delay: "{{ devture_playbook_help_container_retries_delay }}"
+  until: result is not failed
+
+- when: "livekit_server_container_image_self_build | bool"
+  block:
+    - name: Ensure LiveKit Server repository is present on self-build
+      ansible.builtin.git:
+        repo: "{{ livekit_server_container_repo }}"
+        version: "{{ livekit_server_container_repo_version }}"
+        dest: "{{ livekit_server_container_src_files_path }}"
+        force: "yes"
+      become: true
+      become_user: "{{ matrix_user_username }}"
+      register: livekit_server_git_pull_results
+
+    - name: Ensure LiveKit Server container image is built
+      community.docker.docker_image:
+        name: "{{ livekit_server_container_image }}"
+        source: build
+        force_source: "{{ livekit_server_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+        force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else livekit_server_git_pull_results.changed }}"
+        build:
+          dockerfile: Dockerfile
+          path: "{{ livekit_server_container_src_files_path }}"
+          pull: true
+
+- name: Ensure LiveKit Server container network is created
+  community.general.docker_network:
+    enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}"
+    name: "{{ livekit_server_container_network }}"
+    driver: bridge
+
+- name: Ensure LiveKit Server systemd service is installed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/systemd/livekit-server.service.j2"
+    dest: "{{ devture_systemd_docker_base_systemd_path }}/{{ livekit_server_identifier }}.service"
+    mode: 0644

roles/custom/matrix-livekit-server/tasks/main.yml

@@ -0,0 +1,20 @@
+---
+
+- tags:
+    - setup-all
+    - setup-livekit-server
+    - install-all
+    - install-livekit-server
+  block:
+    - when: livekit_server_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
+
+    - when: livekit_server_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml"
+
+- tags:
+    - setup-all
+    - setup-livekit-server
+  block:
+    - when: not livekit_server_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml"

roles/custom/matrix-livekit-server/tasks/uninstall.yml

@@ -0,0 +1,25 @@
+---
+
+- name: Check existence of LiveKit Server service
+  ansible.builtin.stat:
+    path: "{{ devture_systemd_docker_base_systemd_path }}/{{ livekit_server_identifier }}.service"
+  register: livekit_server_service_stat
+
+- when: livekit_server_service_stat.stat.exists | bool
+  block:
+    - name: Ensure LiveKit Server is stopped
+      ansible.builtin.service:
+        name: "{{ livekit_server_identifier }}"
+        state: stopped
+        enabled: false
+        daemon_reload: true
+
+    - name: Ensure LiveKit Server systemd service doesn't exist
+      ansible.builtin.file:
+        path: "{{ devture_systemd_docker_base_systemd_path }}/{{ livekit_server_identifier }}.service"
+        state: absent
+
+    - name: Ensure LiveKit Server paths don't exist
+      ansible.builtin.file:
+        path: "{{ livekit_server_base_path }}"
+        state: absent

roles/custom/matrix-livekit-server/tasks/validate_config.yml

@@ -0,0 +1,12 @@
+---
+
+- name: Fail if required LiveKit Server settings are not defined
+  ansible.builtin.fail:
+    msg: >
+      You need to define a required configuration setting (`{{ item.name }}`).
+  when: "item.when | bool and vars[item.name] | length == 0"
+  with_items:
+    - {'name': 'livekit_server_hostname', when: true}
+    - {'name': 'livekit_server_identifier', when: true}
+    - {'name': 'livekit_server_uid', when: true}
+    - {'name': 'livekit_server_gid', when: true}

roles/custom/matrix-livekit-server/templates/config.yaml.j2

@@ -0,0 +1,27 @@
+port: {{ livekit_server_config_port | int | to_json }}
+
+bind_addresses:
+  - "0.0.0.0"
+
+rtc:
+  tcp_port: {{ livekit_server_config_rtc_tcp_port | int | to_json }}
+  port_range_start: {{ livekit_server_config_rtc_port_range_start | int | to_json }}
+  port_range_end: {{ livekit_server_config_rtc_port_range_end | int | to_json }}
+  use_external_ip: {{ livekit_server_config_rtc_use_external_ip | to_json }}
+
+turn:
+  enabled: false
+  domain: localhost
+  cert_file: ""
+  key_file: ""
+  tls_port: 5349
+  udp_port: 443
+  external_tls: true
+
+keys: {{ livekit_server_config_keys | to_json }}
+
+logging:
+  level: {{ livekit_server_config_logging_level | to_json }}
+  pion_level: {{ livekit_server_config_logging_pion_level | to_json }}
+  json: {{ livekit_server_config_logging_json | to_json }}
+  sample: {{ livekit_server_config_logging_sample | to_json }}

roles/custom/matrix-livekit-server/templates/labels.j2

@@ -0,0 +1,49 @@
+{% if livekit_server_container_labels_traefik_enabled %}
+traefik.enable=true
+
+{% if livekit_server_container_labels_traefik_docker_network %}
+traefik.docker.network={{ livekit_server_container_labels_traefik_docker_network }}
+{% endif %}
+
+traefik.http.services.{{ livekit_server_identifier }}.loadbalancer.server.port={{ livekit_server_config_port }}
+
+{% set middlewares = [] %}
+
+{% if livekit_server_container_labels_traefik_path_prefix != '/' %}
+traefik.http.middlewares.{{ livekit_server_identifier }}-slashless-redirect.redirectregex.regex=({{ livekit_server_container_labels_traefik_path_prefix | quote }})$
+traefik.http.middlewares.{{ livekit_server_identifier }}-slashless-redirect.redirectregex.replacement=${1}/
+{% set middlewares = middlewares + [livekit_server_identifier + '-server-slashless-redirect'] %}
+
+traefik.http.middlewares.{{ livekit_server_identifier }}-strip-prefix.stripprefix.prefixes={{ livekit_server_container_labels_traefik_path_prefix }}
+{% set middlewares = middlewares + [livekit_server_identifier + '-strip-prefix'] %}
+{% endif %}
+
+{% if livekit_server_container_labels_traefik_additional_response_headers.keys() | length > 0 %}
+{% for name, value in livekit_server_container_labels_traefik_additional_response_headers.items() %}
+traefik.http.middlewares.{{ livekit_server_identifier }}-add-headers.headers.customresponseheaders.{{ name }}={{ value }}
+{% endfor %}
+{% set middlewares = middlewares + [livekit_server_identifier + '-add-headers'] %}
+{% endif %}
+
+traefik.http.routers.{{ livekit_server_identifier }}.rule={{ livekit_server_container_labels_traefik_rule }}
+
+{% if livekit_server_container_labels_traefik_priority | int > 0 %}
+traefik.http.routers.{{ livekit_server_identifier }}.priority={{ livekit_server_container_labels_traefik_priority }}
+{% endif %}
+
+traefik.http.routers.{{ livekit_server_identifier }}.service={{ livekit_server_identifier }}
+
+{% if middlewares | length > 0 %}
+traefik.http.routers.{{ livekit_server_identifier }}.middlewares={{ middlewares | join(',') }}
+{% endif %}
+
+traefik.http.routers.{{ livekit_server_identifier }}.entrypoints={{ livekit_server_container_labels_traefik_entrypoints }}
+
+traefik.http.routers.{{ livekit_server_identifier }}.tls={{ livekit_server_container_labels_traefik_tls | to_json }}
+{% if livekit_server_container_labels_traefik_tls %}
+traefik.http.routers.{{ livekit_server_identifier }}.tls.certResolver={{ livekit_server_container_labels_traefik_tls_certResolver }}
+{% endif %}
+
+{% endif %}
+
+{{ livekit_server_container_labels_additional_labels }}

roles/custom/matrix-livekit-server/templates/systemd/livekit-server.service.j2

@@ -0,0 +1,46 @@
+#jinja2: lstrip_blocks: "True"
+[Unit]
+Description=LiveKit Server
+{% for service in livekit_server_systemd_required_services_list %}
+After={{ service }}
+Requires={{ service }}
+{% endfor %}
+
+[Service]
+Type=simple
+Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} {{ livekit_server_identifier }} 2>/dev/null || true'
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm {{ livekit_server_identifier }} 2>/dev/null || true'
+
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
+	--rm \
+	--name={{ livekit_server_identifier }} \
+	--log-driver=none \
+	--user={{ livekit_server_uid }}:{{ livekit_server_gid }} \
+	--cap-drop=ALL \
+	--network={{ livekit_server_container_network }} \
+	{% if livekit_server_container_rtc_tcp_host_bind_port != '' %}
+	-p {{ livekit_server_container_rtc_tcp_host_bind_port }}:{{ livekit_server_config_rtc_tcp_port }} \
+	{% endif %}
+	{% if livekit_server_container_rtc_range_listen_interface is not in [none, 'none'] %}
+	-p {{ livekit_server_container_rtc_range_listen_interface }}{{ ':' if livekit_server_container_rtc_range_listen_interface else '' }}{{ livekit_server_config_rtc_port_range_start }}-{{ livekit_server_config_rtc_port_range_end }}:{{ livekit_server_config_rtc_port_range_start }}-{{ livekit_server_config_rtc_port_range_end }}/udp \
+	{% endif %}
+	--mount type=bind,src={{ livekit_server_config_path }}/config.yaml,dst=/livekit-config.yaml,ro \
+	--label-file={{ livekit_server_base_path }}/labels \
+	{{ livekit_server_container_image }} \
+	--dev --config /livekit-config.yaml
+
+{% for network in livekit_server_container_additional_networks %}
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} {{ livekit_server_identifier }}
+{% endfor %}
+
+ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach {{ livekit_server_identifier }}
+
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} {{ livekit_server_identifier }} 2>/dev/null || true'
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm {{ livekit_server_identifier }} 2>/dev/null || true'
+Restart=always
+RestartSec=30
+SyslogIdentifier={{ livekit_server_identifier }}
+
+[Install]
+WantedBy=multi-user.target

roles/custom/matrix-livekit-server/vars/main.yml

@@ -0,0 +1,3 @@
+livekit_server_public_url: "{{ livekit_server_scheme }}://{{ livekit_server_hostname }}{{ livekit_server_path_prefix }}"
+
+livekit_server_websocket_container_url: "ws://{{ livekit_server_identifier }}:{{ livekit_server_config_port}}"

roles/custom/matrix-static-files/defaults/main.yml

@@ -15,6 +15,7 @@ matrix_static_files_config_path: "{{ matrix_static_files_base_path }}/config"
 matrix_static_files_public_path: "{{ matrix_static_files_base_path }}/public"
 matrix_static_files_public_well_known_path: "{{ matrix_static_files_public_path }}/.well-known"
 matrix_static_files_public_well_known_matrix_path: "{{ matrix_static_files_public_well_known_path }}/matrix"
+matrix_static_files_public_well_known_element_path: "{{ matrix_static_files_public_well_known_path }}/element"
 
 # List of systemd services that matrix-static-files.service depends on
 matrix_static_files_systemd_required_services_list: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
@@ -203,6 +204,16 @@ matrix_static_files_file_matrix_client_property_cc_etke_synapse_admin: "{{ matri
 matrix_static_files_file_matrix_client_property_cc_etke_synapse_admin_auto: {}
 matrix_static_files_file_matrix_client_property_cc_etke_synapse_admin_custom: {}
 
+# Controls whether `org.matrix.msc4143.rtc_foci`-related entries should be added to the client well-known.
+# By default, if there are entries in `matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci`, we show them (by enabling this).
+matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci_enabled: "{{ matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci | default({}) | dict2items | length > 0 }}"
+
+# Controls the org.matrix.msc4143.rtc_foci property in the /.well-known/matrix/client file.
+# See `matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci_enabled`
+matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci: "{{ matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci_auto | combine(matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci_custom, recursive=True) }}"
+matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci_auto: {}
+matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci_custom: {}
+
 # Default /.well-known/matrix/client configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
 #
@@ -350,6 +361,56 @@ matrix_static_files_file_matrix_support_configuration: "{{ matrix_static_files_f
 ########################################################################
 
 
+########################################################################
+#                                                                      #
+# Related to /.well-known/element/element.json                         #
+#                                                                      #
+########################################################################
+
+# Controls whether a `/.well-known/element/element.json` file is generated and used at all.
+matrix_static_files_file_element_element_json_enabled: true
+
+# Controls the call.widget_url property in the /.well-known/element/element.json file
+matrix_static_files_file_element_element_json_property_call_widget_url: ''
+
+# Default /.well-known/element/element.json configuration template which covers the generic use case.
+# You can customize it by controlling the various variables inside it.
+#
+# For a more advanced customization, you can extend the default (see `matrix_static_files_file_matrix_support_configuration_extension_json`)
+# or completely replace this variable with your own template.
+matrix_static_files_file_element_element_json_configuration_json: "{{ lookup('template', 'templates/public/.well-known/element/element.json.j2') }}"
+
+# Your custom JSON configuration for /.well-known/element/element.json should go to `matrix_static_files_file_element_element_json_configuration_extension_json`.
+# This configuration extends the default starting configuration (`matrix_static_files_file_matrix_support_configuration_extension_json`).
+#
+# You can override individual variables from the default configuration, or introduce new ones.
+#
+# If you need something more special, you can take full control by
+# completely redefining `matrix_static_files_file_matrix_support_configuration_json`.
+#
+# Example configuration extension follows:
+#
+# matrix_static_files_file_element_element_json_configuration_extension_json: |
+#   {
+#     "call": {
+#       "url": "value"
+#     }
+#   }
+matrix_static_files_file_element_element_json_configuration_extension_json: '{}'
+
+matrix_static_files_file_element_element_json_configuration_extension: "{{ matrix_static_files_file_element_element_json_configuration_extension_json | from_json if matrix_static_files_file_element_element_json_configuration_extension_json | from_json is mapping else {} }}"
+
+# Holds the final /.well-known/matrix/support configuration (a combination of the default and its extension).
+# You most likely don't need to touch this variable. Instead, see `matrix_static_files_file_element_element_json_configuration_json` or `matrix_static_files_file_element_element_json_configuration_extension_json`.
+matrix_static_files_file_element_element_json_configuration: "{{ matrix_static_files_file_element_element_json_configuration_json | combine(matrix_static_files_file_element_element_json_configuration_extension, recursive=True) }}"
+
+########################################################################
+#                                                                      #
+# /Related to /.well-known/element/element.json                        #
+#                                                                      #
+########################################################################
+
+
 ########################################################################
 #                                                                      #
 # Related to index.html                                                #

roles/custom/matrix-static-files/tasks/install.yml

@@ -2,17 +2,19 @@
 
 - name: Ensure matrix-static-files paths exist
   ansible.builtin.file:
-    path: "{{ item }}"
+    path: "{{ item.path }}"
     state: directory
     mode: 0750
     owner: "{{ matrix_user_username }}"
     group: "{{ matrix_user_groupname }}"
   with_items:
-    - "{{ matrix_static_files_base_path }}"
+    - {path: "{{ matrix_static_files_base_path }}", when: true}
-    - "{{ matrix_static_files_config_path }}"
+    - {path: "{{ matrix_static_files_config_path }}", when: true}
-    - "{{ matrix_static_files_public_path }}"
+    - {path: "{{ matrix_static_files_public_path }}", when: true}
-    - "{{ matrix_static_files_public_well_known_path }}"
+    - {path: "{{ matrix_static_files_public_well_known_path }}", when: true}
-    - "{{ matrix_static_files_public_well_known_matrix_path }}"
+    - {path: "{{ matrix_static_files_public_well_known_matrix_path }}", when: true}
+    - {path: "{{ matrix_static_files_public_well_known_element_path }}", when: true}
+  when: "item.when | bool"
 
 - name: Ensure matrix-static-files is configured
   ansible.builtin.template:
@@ -52,6 +54,10 @@
       dest: "{{ matrix_static_files_public_well_known_matrix_path }}/support"
       when: "{{ matrix_static_files_file_matrix_support_enabled }}"
 
+    - content: "{{ matrix_static_files_file_element_element_json_configuration | to_nice_json }}"
+      dest: "{{ matrix_static_files_public_well_known_element_path }}/element.json"
+      when: "{{ matrix_static_files_file_element_element_json_enabled }}"
+
     # This one will not be deleted if `matrix_static_files_file_index_html_enabled` flips to `false`.
     # See the comment for `matrix_static_files_file_index_html_enabled` to learn why.
     - content: "{{ matrix_static_files_file_index_html_template }}"
@@ -70,6 +76,12 @@
     state: absent
   when: "not matrix_static_files_file_matrix_support_enabled | bool"
 
+- name: Ensure /.well-known/element/element.json file deleted if not enabled
+  ansible.builtin.file:
+    path: "{{ matrix_static_files_public_well_known_element_path }}/element.json"
+    state: absent
+  when: "not matrix_static_files_file_element_element_json_enabled | bool"
+
 - name: Ensure matrix-static-files container image is pulled
   community.docker.docker_image:
     name: "{{ matrix_static_files_container_image }}"

roles/custom/matrix-static-files/templates/public/.well-known/element/element.json.j2

@@ -0,0 +1,7 @@
+{
+	{% if matrix_static_files_file_element_element_json_property_call_widget_url %}
+	"call": {
+		"widget_url": {{ matrix_static_files_file_element_element_json_property_call_widget_url | to_json }}
+	}
+	{% endif %}
+}

roles/custom/matrix-static-files/templates/public/.well-known/matrix/client.j2

@@ -57,4 +57,7 @@
 	{% if matrix_static_files_file_matrix_client_property_cc_etke_synapse_admin_enabled %},
 	"cc.etke.synapse-admin": {{ matrix_static_files_file_matrix_client_property_cc_etke_synapse_admin | to_json }}
 	{% endif %}
+	{% if matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci_enabled %},
+	"org.matrix.msc4143.rtc_foci": {{ matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci | to_json }}
+	{% endif %}
 }

roles/custom/matrix-synapse-admin/defaults/main.yml

@@ -14,7 +14,7 @@ matrix_synapse_admin_container_image_self_build: false
 matrix_synapse_admin_container_image_self_build_repo: "https://github.com/etkecc/synapse-admin.git"
 
 # renovate: datasource=docker depName=ghcr.io/etkecc/synapse-admin
-matrix_synapse_admin_version: v0.10.3-etke31
+matrix_synapse_admin_version: v0.10.3-etke32
 matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}etkecc/synapse-admin:{{ matrix_synapse_admin_version }}"
 matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_image_self_build else 'ghcr.io/' }}"
 matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}"

roles/custom/matrix-synapse/defaults/main.yml

@@ -56,7 +56,7 @@ matrix_synapse_container_image_customizations_auto_accept_invite_installation_en
 #
 # Example usage:
 #
-# ```yml
+# ```yaml
 # matrix_synapse_container_image_customizations_templates_enabled: true
 # # The templates are expected to be in a `templates/` subdirectory in
 # matrix_synapse_container_image_customizations_templates_in_container_template_files_relative_path: templates/

roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2

@@ -2846,8 +2846,8 @@ opentracing:
     # By default, the list is empty.
     #
     #force_tracing_for_users:
-    #  - "@user1:server_name"
+    #  - "@alice:server_name"
-    #  - "@user2:server_name"
+    #  - "@bob:server_name"
 
     # Jaeger can be configured to sample traces at different rates.
     # All configuration options provided by Jaeger can be set here.

roles/custom/matrix-user-creator/vars/main.yml

@@ -18,7 +18,7 @@
 #     initial_password: some-password
 #     initial_type: admin
 #
-#   - username: john
+#   - username: alice
 #     initial_password: some-password
 #     initial_type: user
 #

setup.yml

@@ -133,6 +133,9 @@
     - custom/matrix-coturn
     - custom/matrix-media-repo
     - custom/matrix-pantalaimon
+    - custom/matrix-element-call
+    - custom/matrix-livekit-server
+    - custom/matrix-livekit-jwt-service
 
     - role: galaxy/postgres_backup