Merge 3ca0f4221f9d0619c0ec09c861c49f9072b00d20 into d48890c7a2035e711b58c7370a3e7f85c228f9f3

Replace the warning emoji in text style (U+26A0 FE0E) to emoji style (U+26A0 FE0F)

docs/configuring-playbook-email.md

@@ -6,7 +6,7 @@ The email server would attempt to deliver emails directly to their final destina
 
 By default, emails are sent from `matrix@matrix.example.com`, as specified by the `exim_relay_sender_address` playbook variable.
 
-⚠ **Warning**: On some cloud providers (Google Cloud, etc.), [port 25 is always blocked](https://cloud.google.com/compute/docs/tutorials/sending-mail/), so sending email directly from your server is not possible. You will need to [relay email through another SMTP server](#relaying-email-through-another-smtp-server).
+⚠️ **Warning**: On some cloud providers (Google Cloud, etc.), [port 25 is always blocked](https://cloud.google.com/compute/docs/tutorials/sending-mail/), so sending email directly from your server is not possible. You will need to [relay email through another SMTP server](#relaying-email-through-another-smtp-server).
 
 💡 To improve deliverability, we recommend [relaying email through another SMTP server](#relaying-email-through-another-smtp-server) anyway.
 

docs/configuring-playbook-fluffygate.md

@@ -0,0 +1,147 @@
+# Setting up Fluffygate (optional)
+
+The playbook can install and configure [Fluffygate](https://github.com/krille-chan/fluffygate), a simple Push Gateway for Fluffychat.
+
+See the project's documentation to learn what it does and why it might be useful to you.
+
+**Note**: most people don't need to install their own gateway. This optional playbook component is only useful to people who develop/build their own Matrix client applications themselves, as you'll need access to your own Firebase/FCM and APNS credentials.
+
+## Adjusting the playbook configuration
+
+To enable Fluffygate, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:
+
+```yaml
+matrix_fluffygate_enabled: true
+
+# Basic app information
+matrix_fluffygate_app_name: "Your App Name"
+matrix_fluffygate_app_website: "https://example.com"
+
+# Firebase/FCM configuration (for Android / IOS)
+matrix_fluffygate_firebase_project: "your-firebase-project-id"
+matrix_fluffygate_firebase_key: |
+  {
+    # Your Firebase service account key JSON content
+  }
+
+# Notification settings
+matrix_fluffygate_notification_title: "{count} new messages"
+matrix_fluffygate_notification_body: "{body}"
+
+# Android specific notification options
+matrix_fluffygate_android_notification_options:
+  priority: high
+  notification:
+    sound: "default"
+    icon: "notifications_icon"
+    tag: "default_notification"
+
+# APNS specific notification options (for iOS)
+matrix_fluffygate_apns_notification_options:
+  headers:
+    apns-priority: "10"
+  payload:
+    aps:
+      sound: "default"
+      badge: "{count}"
+      mutable-content: 1
+```
+
+For a complete list of available configuration options, see the `defaults/main.yml` file in the role.
+
+### Required Configuration
+
+The following settings are required and must be defined:
+- `matrix_fluffygate_hostname`
+- `matrix_fluffygate_path_prefix`
+- `matrix_fluffygate_container_network`
+- `matrix_fluffygate_app_name`
+- `matrix_fluffygate_app_website`
+
+### Adjusting the Fluffygate URL
+
+By default, this playbook installs Fluffygate at the root path (`/`) of the configured hostname. You can customize both the hostname and path prefix using these variables:
+
+```yaml
+# Configure the hostname where Fluffygate will be served
+matrix_fluffygate_hostname: "push.example.com"
+
+# Configure a custom path prefix (must either be '/' or not end with a slash)
+matrix_fluffygate_path_prefix: /push
+```
+
+### Traefik Integration
+
+Fluffygate includes built-in support for Traefik as a reverse proxy. The following settings control this integration:
+
+```yaml
+# Enable/disable Traefik labels
+matrix_fluffygate_container_labels_traefik_enabled: true
+
+# Configure the Traefik network
+matrix_fluffygate_container_labels_traefik_docker_network: "{{ matrix_fluffygate_container_network }}"
+
+# Additional Traefik configuration
+matrix_fluffygate_container_labels_traefik_rule: "Host(`{{ matrix_fluffygate_container_labels_traefik_hostname }}`)"
+matrix_fluffygate_container_labels_traefik_priority: 0
+matrix_fluffygate_container_labels_traefik_entrypoints: web-secure
+```
+
+## Adjusting DNS records
+
+You will need to configure your DNS records to point the Fluffygate hostname to your server. This typically involves creating either:
+- an A record pointing to your server's IPv4 address
+- a CNAME record pointing to your server's hostname
+
+## Installing
+
+After configuring the playbook and adjusting your DNS records, run the installation command:
+
+```bash
+ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
+```
+
+To install only Fluffygate, you can use:
+
+```bash
+ansible-playbook -i inventory/hosts setup.yml --tags=setup-fluffygate,start
+```
+
+## Usage
+
+To make use of your Fluffygate installation:
+
+1. Configure your Matrix client application to use your Fluffygate URL as the push gateway
+2. Ensure your app uses the same Firebase/FCM credentials for Android notifications
+3. Ensure your app uses the same APNS certificates/credentials for iOS notifications
+4. Configure the notification templates and options as needed through the playbook variables
+
+### Debugging
+
+If you need to troubleshoot issues:
+
+1. Enable debug logs by setting:
+    ```yaml
+    matrix_fluffygate_debug_logs: true
+    ```
+
+2. Check the container logs:
+    ```bash
+    docker logs matrix-fluffygate
+    ```
+
+## Uninstalling
+
+To remove Fluffygate, first disable it in your `inventory/host_vars/matrix.example.com/vars.yml`:
+
+```yaml
+matrix_fluffygate_enabled: false
+```
+
+Then run the playbook:
+
+```bash
+ansible-playbook -i inventory/hosts setup.yml --tags=setup-fluffygate,start
+```
+
+This will stop the service and remove all associated files.

docs/configuring-playbook-matrix-authentication-service.md

@@ -36,9 +36,9 @@ Below, we'll try to **highlight some potential reasons for switching** to Matrix
 
 ## Prerequisites
 
-- ⚠ the [Synapse](configuring-playbook-synapse.md) homeserver implementation (which is the default for this playbook). Other homeserver implementations ([Dendrite](./configuring-playbook-dendrite.md), [Conduit](./configuring-playbook-conduit.md), etc.) do not support integrating wtih Matrix Authentication Service yet.
+- ⚠️ the [Synapse](configuring-playbook-synapse.md) homeserver implementation (which is the default for this playbook). Other homeserver implementations ([Dendrite](./configuring-playbook-dendrite.md), [Conduit](./configuring-playbook-conduit.md), etc.) do not support integrating wtih Matrix Authentication Service yet.
 
-- ⚠ **email sending** configured (see [Adjusting email-sending settings](./configuring-playbook-email.md)), because **Matrix Authentication Service [still insists](https://github.com/element-hq/matrix-authentication-service/issues/1505) on having a verified email address for each user** going through the new SSO-based login flow. It's also possible to [work around email deliverability issues](#working-around-email-deliverability-issues) if your email configuration is not working.
+- ⚠️ **email sending** configured (see [Adjusting email-sending settings](./configuring-playbook-email.md)), because **Matrix Authentication Service [still insists](https://github.com/element-hq/matrix-authentication-service/issues/1505) on having a verified email address for each user** going through the new SSO-based login flow. It's also possible to [work around email deliverability issues](#working-around-email-deliverability-issues) if your email configuration is not working.
 
 - ❌ **disabling all password providers** for Synapse (things like [shared-secret-auth](./configuring-playbook-shared-secret-auth.md), [rest-auth](./configuring-playbook-rest-auth.md), [LDAP auth](./configuring-playbook-ldap-auth.md), etc.) More details about this are available in the [Expectations](#expectations) section below.
 
@@ -62,17 +62,17 @@ This section details what you can expect when switching to the Matrix Authentica
 
 - ❌ **Encrypted appservices** do not work yet (related to [MSC4190](https://github.com/matrix-org/matrix-spec-proposals/pull/4190) and [PR 17705 for Synapse](https://github.com/element-hq/synapse/pull/17705)), so all bridges/bots that rely on encryption will fail to start (see [this issue](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/3658) for Hookshot). You can use these bridges/bots only if you **keep end-to-bridge encryption disabled** (which is the default setting).
 
-- ⚠ **You will need to have email sending configured** (see [Adjusting email-sending settings](./configuring-playbook-email.md)), because **Matrix Authentication Service [still insists](https://github.com/element-hq/matrix-authentication-service/issues/1505) on having a verified email address for each user** going through the new SSO-based login flow. It's also possible to [work around email deliverability issues](#working-around-email-deliverability-issues) if your email configuration is not working.
+- ⚠️ **You will need to have email sending configured** (see [Adjusting email-sending settings](./configuring-playbook-email.md)), because **Matrix Authentication Service [still insists](https://github.com/element-hq/matrix-authentication-service/issues/1505) on having a verified email address for each user** going through the new SSO-based login flow. It's also possible to [work around email deliverability issues](#working-around-email-deliverability-issues) if your email configuration is not working.
 
-- ⚠ [Migrating an existing Synapse homeserver to Matrix Authentication Service](#migrating-an-existing-synapse-homeserver-to-matrix-authentication-service) is **possible**, but requires **some playbook-assisted manual work**. Migration is **reversible with no or minor issues if done quickly enough**, but as users start logging in (creating new login sessions) via the new MAS setup, disabling MAS and reverting back to the Synapse user database will cause these new sessions to break.
+- ⚠️ [Migrating an existing Synapse homeserver to Matrix Authentication Service](#migrating-an-existing-synapse-homeserver-to-matrix-authentication-service) is **possible**, but requires **some playbook-assisted manual work**. Migration is **reversible with no or minor issues if done quickly enough**, but as users start logging in (creating new login sessions) via the new MAS setup, disabling MAS and reverting back to the Synapse user database will cause these new sessions to break.
 
-- ⚠ [Migrating an existing Synapse homeserver to Matrix Authentication Service](#migrating-an-existing-synapse-homeserver-to-matrix-authentication-service) does not currently seem to preserve the "admin" flag for users (as found in the Synapse database). All users are imported as non-admin - see [element-hq/matrix-authentication-service#3440](https://github.com/element-hq/matrix-authentication-service/issues/3440). You may need update the Matrix Authentication Service's database manually and adjust the `can_request_admin` column in the `users` table to `true` for users that need to be administrators (e.g. `UPDATE users SET can_request_admin = true WHERE username = 'someone';`)
+- ⚠️ [Migrating an existing Synapse homeserver to Matrix Authentication Service](#migrating-an-existing-synapse-homeserver-to-matrix-authentication-service) does not currently seem to preserve the "admin" flag for users (as found in the Synapse database). All users are imported as non-admin - see [element-hq/matrix-authentication-service#3440](https://github.com/element-hq/matrix-authentication-service/issues/3440). You may need update the Matrix Authentication Service's database manually and adjust the `can_request_admin` column in the `users` table to `true` for users that need to be administrators (e.g. `UPDATE users SET can_request_admin = true WHERE username = 'someone';`)
 
-- ⚠ Delegating user authentication to MAS causes **your Synapse server to be completely dependant on one more service** for its operations. MAS is quick & lightweight and should be stable enough already, but this is something to keep in mind when making the switch.
+- ⚠️ Delegating user authentication to MAS causes **your Synapse server to be completely dependant on one more service** for its operations. MAS is quick & lightweight and should be stable enough already, but this is something to keep in mind when making the switch.
 
-- ⚠ If you've got [OIDC configured in Synapse](./configuring-playbook-synapse.md#synapse--openid-connect-for-single-sign-on), you will need to migrate your OIDC configuration to MAS by adding an [Upstream OAuth2 configuration](#upstream-oauth2-configuration).
+- ⚠️ If you've got [OIDC configured in Synapse](./configuring-playbook-synapse.md#synapse--openid-connect-for-single-sign-on), you will need to migrate your OIDC configuration to MAS by adding an [Upstream OAuth2 configuration](#upstream-oauth2-configuration).
 
-- ⚠ A [compatibility layer](https://element-hq.github.io/matrix-authentication-service/setup/homeserver.html#set-up-the-compatibility-layer) is installed - all `/_matrix/client/*/login` (etc.) requests will be routed to MAS instead of going to the homeserver. This is done both publicly (e.g. `https://matrix.example.com/_matrix/client/*/login`) and on the internal Traefik entrypoint (e.g. `https://matrix-traefik:8008/_matrix/client/*/login`) which helps addon services reach the homeserver's Client-Server API. You typically don't need to do anything to make this work, but it's good to be aware of it, especially if you have a [custom webserver setup](./configuring-playbook-own-webserver.md).
+- ⚠️ A [compatibility layer](https://element-hq.github.io/matrix-authentication-service/setup/homeserver.html#set-up-the-compatibility-layer) is installed - all `/_matrix/client/*/login` (etc.) requests will be routed to MAS instead of going to the homeserver. This is done both publicly (e.g. `https://matrix.example.com/_matrix/client/*/login`) and on the internal Traefik entrypoint (e.g. `https://matrix-traefik:8008/_matrix/client/*/login`) which helps addon services reach the homeserver's Client-Server API. You typically don't need to do anything to make this work, but it's good to be aware of it, especially if you have a [custom webserver setup](./configuring-playbook-own-webserver.md).
 
 - ✅ Your **existing login sessions will continue to work** (you won't get logged out). Migration will require a bit of manual work and minutes of downtime, but it's not too bad.
 
@@ -268,9 +268,9 @@ matrix_authentication_service_config_upstream_oauth2_providers:
 
 💡 Refer to the [`upstream_oauth2.providers` setting](https://element-hq.github.io/matrix-authentication-service/reference/configuration.html#upstream_oauth2providers) for the most up-to-date schema and example for providers. The value shown above here may be out of date.
 
-⚠ The syntax for existing [OIDC providers configured in Synapse](./configuring-playbook-synapse.md#synapse--openid-connect-for-single-sign-on) is slightly different, so you will need to adjust your configuration when switching from Synapse OIDC to MAS upstream OAuth2.
+⚠️ The syntax for existing [OIDC providers configured in Synapse](./configuring-playbook-synapse.md#synapse--openid-connect-for-single-sign-on) is slightly different, so you will need to adjust your configuration when switching from Synapse OIDC to MAS upstream OAuth2.
 
-⚠ When [migrating an existing homeserver](#migrating-an-existing-synapse-homeserver-to-matrix-authentication-service) which contains OIDC-sourced users, you will need to:
+⚠️ When [migrating an existing homeserver](#migrating-an-existing-synapse-homeserver-to-matrix-authentication-service) which contains OIDC-sourced users, you will need to:
 
 - [Configure upstream OIDC provider mapping for syn2mas](#configuring-upstream-oidc-provider-mapping-for-syn2mas)
 - go through the [migrating an existing homeserver](#migrating-an-existing-synapse-homeserver-to-matrix-authentication-service) process

docs/configuring-playbook-synapse-admin.md

@@ -22,7 +22,7 @@ matrix_synapse_admin_enabled: true
 
 By default, synapse-admin installation will be [restricted to only work with one homeserver](https://github.com/etkecc/synapse-admin/blob/e21e44362c879ac41f47c580b04210842b6ff3d7/README.md#restricting-available-homeserver) - the one managed by the playbook. To adjust these restrictions, tweak the `matrix_synapse_admin_config_restrictBaseUrl` variable.
 
-⚠ **Warning**: If you're using [Matrix Authentication Service](./configuring-playbook-matrix-authentication-service.md) (MAS) for authentication, you will be able to [log into synapse-admin with an access token](https://github.com/etkecc/synapse-admin/pull/58), but certain synapse-admin features (especially those around user management) will be limited or not work at all.
+⚠️ **Warning**: If you're using [Matrix Authentication Service](./configuring-playbook-matrix-authentication-service.md) (MAS) for authentication, you will be able to [log into synapse-admin with an access token](https://github.com/etkecc/synapse-admin/pull/58), but certain synapse-admin features (especially those around user management) will be limited or not work at all.
 
 ### Adjusting the Synapse Admin URL
 

docs/howto-srv-server-delegation.md

@@ -91,7 +91,7 @@ By default, Coturn is configured to wait on the certificate for the `matrix.` su
 
 We also need to indicate to Coturn where the wildcard certificate is.
 
-**⚠ WARNING ⚠** : On first start of the services, Coturn might still fail to start because Traefik is still in the process of obtaining the certificates. If you still get an error, make sure Traefik obtained the certificates and restart the Coturn service (`just start-group coturn`).
+**⚠️ WARNING ⚠️** : On first start of the services, Coturn might still fail to start because Traefik is still in the process of obtaining the certificates. If you still get an error, make sure Traefik obtained the certificates and restart the Coturn service (`just start-group coturn`).
 
 This should not happen again afterwards as Traefik will renew certificates well before their expiry date, and the Coturn service is setup to restart periodically.
 

docs/maintenance-synapse.md

@@ -65,7 +65,7 @@ docker run --rm --publish 1799:8080 --link matrix-postgres --net matrix adminer
 
 You should then be able to browse the adminer database administration GUI at http://localhost:1799/ after entering your DB credentials (found in the `host_vars` or on the server in `{{matrix_synapse_config_dir_path}}/homeserver.yaml` under `database.args`)
 
-⚠️ Be **very careful** with this, there is **no undo** for impromptu DB operations.
+⚠️️ Be **very careful** with this, there is **no undo** for impromptu DB operations.
 
 ## Make Synapse faster
 

docs/registering-users.md

@@ -38,7 +38,7 @@ ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=<your-usern
 # Example: `ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=john password=secret-password admin=yes' --tags=register-user`
 ```
 
-⚠ **Warning**: If you're registering users against Matrix Authentication Service, do note that it [still insists](https://github.com/element-hq/matrix-authentication-service/issues/1505) on having a verified email address for each user. Upon a user's first login, they will be asked to confirm their email address. This requires that email sending is [configured](./configuring-playbook-email.md). You can also consult the [Working around email deliverability issues](./configuring-playbook-matrix-authentication-service.md#working-around-email-deliverability-issues) section for more information.
+⚠️ **Warning**: If you're registering users against Matrix Authentication Service, do note that it [still insists](https://github.com/element-hq/matrix-authentication-service/issues/1505) on having a verified email address for each user. Upon a user's first login, they will be asked to confirm their email address. This requires that email sending is [configured](./configuring-playbook-email.md). You can also consult the [Working around email deliverability issues](./configuring-playbook-matrix-authentication-service.md#working-around-email-deliverability-issues) section for more information.
 
 ### Registering users manually for Synapse
 
@@ -76,14 +76,14 @@ This `register-user` script actually invokes the `mas-cli manage register-user`
 /matrix/matrix-authentication-service/bin/mas-cli manage register-user --help
 ```
 
-⚠ **Warning**: Matrix Authentication Service [still insists](https://github.com/element-hq/matrix-authentication-service/issues/1505) on having a verified email address for each user. Upon a user's first login, they will be asked to confirm their email address. This requires that email sending is [configured](./configuring-playbook-email.md). You can also consult the [Working around email deliverability issues](./configuring-playbook-matrix-authentication-service.md#working-around-email-deliverability-issues) section for more information.
+⚠️ **Warning**: Matrix Authentication Service [still insists](https://github.com/element-hq/matrix-authentication-service/issues/1505) on having a verified email address for each user. Upon a user's first login, they will be asked to confirm their email address. This requires that email sending is [configured](./configuring-playbook-email.md). You can also consult the [Working around email deliverability issues](./configuring-playbook-matrix-authentication-service.md#working-around-email-deliverability-issues) section for more information.
 
 
 ## Managing users via a Web UI
 
 To manage users more easily (via a web user-interace), you can install [Synapse Admin](configuring-playbook-synapse-admin.md).
 
-⚠ **Warning**: If you're using [Matrix Authentication Service](configuring-playbook-matrix-authentication-service.md), note that user management via synapse-admin is not fully working yet. See the [Expectations](configuring-playbook-matrix-authentication-service.md#expectations) section for more information.
+⚠️ **Warning**: If you're using [Matrix Authentication Service](configuring-playbook-matrix-authentication-service.md), note that user management via synapse-admin is not fully working yet. See the [Expectations](configuring-playbook-matrix-authentication-service.md#expectations) section for more information.
 
 
 ## Letting certain users register on your private server

roles/custom/matrix-fluffygate/defaults/main.yml

@@ -0,0 +1,137 @@
+---
+
+# Fluffygate is a reference Push Gateway for Matrix.
+# To make use of it for delivering push notificatins, you'll need to develop/build your own Matrix app.
+# Project source code URL: https://github.com/matrix-org/fluffygate
+matrix_fluffygate_enabled: true
+matrix_fluffygate_identifier: 'matrix-fluffygate'
+
+# App information
+matrix_fluffygate_app_name: "Fluffygate"
+matrix_fluffygate_app_website: "https://example.com"
+matrix_fluffygate_debug_logs: false
+
+# Notification settings
+matrix_fluffygate_notification_title: "{count} new messages"
+matrix_fluffygate_notification_body: "{body}"
+
+# Android notification options
+matrix_fluffygate_android_notification_options:
+  priority: high
+  notification:
+    sound: "default"
+    icon: "notifications_icon"
+    tag: "default_notification"
+
+# APNS notification options
+matrix_fluffygate_apns_notification_options:
+  headers:
+    apns-priority: "10"
+  payload:
+    aps:
+      sound: "default"
+      badge: "{count}"
+      mutable-content: 1
+
+matrix_fluffygate_firebase_key: ''  # JSON key file contents
+matrix_fluffygate_firebase_project: ''  # Firebase project ID
+
+# The hostname at which Fluffygate is served.
+matrix_fluffygate_hostname: ''
+
+# The path at which Fluffygate is exposed.
+# This value must either be `/` or not end with a slash (e.g. `/fluffygate`).
+matrix_fluffygate_path_prefix: /
+
+# renovate: datasource=docker depName=matrixdotorg/fluffygate
+matrix_fluffygate_version: 1.0.3
+
+matrix_fluffygate_base_path: "{{ matrix_base_data_path }}/fluffygate"
+matrix_fluffygate_config_path: "{{ matrix_fluffygate_base_path }}/config"
+matrix_fluffygate_data_path: "{{ matrix_fluffygate_base_path }}/data"
+
+# List of systemd services that matrix-fluffygate.service depends on.
+matrix_fluffygate_systemd_required_services_list: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
+
+# List of systemd services that matrix-fluffygate.service wants
+matrix_fluffygate_systemd_wanted_services_list: []
+
+matrix_fluffygate_docker_image: "{{ matrix_fluffygate_docker_image_registry_prefix }}djangoflow/fluffygate:{{ matrix_fluffygate_docker_image_tag }}"
+matrix_fluffygate_docker_image_tag: "{{ matrix_fluffygate_version }}"
+matrix_fluffygate_docker_image_registry_prefix: "{{ matrix_container_global_registry_prefix }}"
+matrix_fluffygate_docker_image_force_pull: "{{ matrix_fluffygate_docker_image.endswith(':latest') }}"
+
+# The base container network. It will be auto-created by this role if it doesn't exist already.
+matrix_fluffygate_container_network: "{{ traefik_container_network }}"
+
+# A list of additional container networks that the container would be connected to.
+# The role does not create these networks, so make sure they already exist.
+# Use this to expose this container to another reverse proxy, which runs in a different container network.
+matrix_fluffygate_container_additional_networks: []
+
+# Controls whether the matrix-fluffygate container exposes its HTTP port (tcp/6000 in the container).
+#
+# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:6000"), or empty string to not expose.
+matrix_fluffygate_container_http_host_bind_port: ''
+
+# matrix_fluffygate_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
+# See `../templates/labels.j2` for details.
+#
+# To inject your own other container labels, see `matrix_fluffygate_container_labels_additional_labels`.
+matrix_fluffygate_container_labels_traefik_enabled: true
+matrix_fluffygate_container_labels_traefik_docker_network: "{{ matrix_fluffygate_container_network }}"
+matrix_fluffygate_container_labels_traefik_hostname: "{{ matrix_fluffygate_hostname }}"
+# The path prefix must either be `/` or not end with a slash (e.g. `/fluffygate`).
+matrix_fluffygate_container_labels_traefik_path_prefix: "{{ matrix_fluffygate_path_prefix }}"
+matrix_fluffygate_container_labels_traefik_rule: "Host(`{{ matrix_fluffygate_container_labels_traefik_hostname }}`){% if matrix_fluffygate_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_fluffygate_container_labels_traefik_path_prefix }}`){% endif %}"
+matrix_fluffygate_container_labels_traefik_priority: 0
+matrix_fluffygate_container_labels_traefik_entrypoints: web-secure
+matrix_fluffygate_container_labels_traefik_tls: "{{ matrix_fluffygate_container_labels_traefik_entrypoints != 'web' }}"
+matrix_fluffygate_container_labels_traefik_tls_certResolver: default  # noqa var-naming
+
+# Controls which additional headers to attach to all HTTP responses.
+# To add your own headers, use `matrix_fluffygate_container_labels_traefik_additional_response_headers_custom`
+matrix_fluffygate_container_labels_traefik_additional_response_headers: "{{ matrix_fluffygate_container_labels_traefik_additional_response_headers_auto | combine(matrix_fluffygate_container_labels_traefik_additional_response_headers_custom) }}"
+matrix_fluffygate_container_labels_traefik_additional_response_headers_auto: {}
+matrix_fluffygate_container_labels_traefik_additional_response_headers_custom: {}
+
+# matrix_fluffygate_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
+# See `../templates/labels.j2` for details.
+#
+# Example:
+# matrix_fluffygate_container_labels_additional_labels: |
+#   my.label=1
+#   another.label="here"
+matrix_fluffygate_container_labels_additional_labels: ''
+
+# A list of extra arguments to pass to the container
+matrix_fluffygate_container_extra_arguments: []
+
+matrix_fluffygate_metrics_prometheus_enabled: false
+
+# Default Fluffygate configuration template which covers the generic use case.
+# You can customize it by controlling the various variables inside it.
+#
+# For a more advanced customization, you can extend the default (see `matrix_fluffygate_configuration_extension_yaml`)
+# or completely replace this variable with your own template.
+matrix_fluffygate_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}"
+
+matrix_fluffygate_configuration_extension_yaml: |
+  # Your custom YAML configuration for Fluffygate goes here.
+  # This configuration extends the default starting configuration (`matrix_fluffygate_configuration_yaml`).
+  #
+  # You can override individual variables from the default configuration, or introduce new ones.
+  #
+  # If you need something more special, you can take full control by
+  # completely redefining `matrix_fluffygate_configuration_yaml`.
+  #
+  # Example configuration extension follows:
+  # metrics:
+  #   opentracing:
+  #     enabled: true
+
+matrix_fluffygate_configuration_extension: "{{ matrix_fluffygate_configuration_extension_yaml | from_yaml if matrix_fluffygate_configuration_extension_yaml | from_yaml is mapping else {} }}"
+
+# Holds the final fluffygate configuration (a combination of the default and its extension).
+# You most likely don't need to touch this variable. Instead, see `matrix_fluffygate_configuration_yaml`.
+matrix_fluffygate_configuration: "{{ matrix_fluffygate_configuration_yaml | from_yaml | combine(matrix_fluffygate_configuration_extension, recursive=True) }}"

roles/custom/matrix-fluffygate/tasks/install.yml

@@ -0,0 +1,62 @@
+---
+
+- name: Ensure Fluffygate paths exists
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - "{{ matrix_fluffygate_base_path }}"
+    - "{{ matrix_fluffygate_config_path }}"
+    - "{{ matrix_fluffygate_data_path }}"
+
+- name: Ensure Fluffygate config installed
+  ansible.builtin.copy:
+    content: "{{ matrix_fluffygate_configuration | to_nice_yaml(indent=2, width=999999) }}"
+    dest: "{{ matrix_fluffygate_config_path }}/config.yaml"
+    mode: 0640
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+
+- name: Ensure Firebase key file is created when enabled
+  ansible.builtin.copy:
+    content: "{{ matrix_fluffygate_firebase_key }}"
+    dest: "{{ matrix_fluffygate_data_path }}/firebase-key.json"
+    mode: 0600
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  when: matrix_fluffygate_firebase_key != ''
+
+- name: Ensure Fluffygate labels installed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/labels.j2"
+    dest: "{{ matrix_fluffygate_base_path }}/labels"
+    mode: 0640
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+
+- name: Ensure Fluffygate image is pulled
+  community.docker.docker_image:
+    name: "{{ matrix_fluffygate_docker_image }}"
+    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    force_source: "{{ matrix_fluffygate_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_fluffygate_docker_image_force_pull }}"
+  register: result
+  retries: "{{ devture_playbook_help_container_retries_count }}"
+  delay: "{{ devture_playbook_help_container_retries_delay }}"
+  until: result is not failed
+
+- name: Ensure Fluffygate container network is created
+  community.general.docker_network:
+    enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}"
+    name: "{{ matrix_fluffygate_container_network }}"
+    driver: bridge
+    driver_options: "{{ devture_systemd_docker_base_container_networks_driver_options }}"
+
+- name: Ensure matrix-fluffygate.service installed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/systemd/matrix-fluffygate.service.j2"
+    dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-fluffygate.service"
+    mode: 0644

roles/custom/matrix-fluffygate/tasks/main.yml

@@ -0,0 +1,20 @@
+---
+
+- tags:
+    - setup-all
+    - setup-fluffygate
+    - install-all
+    - install-fluffygate
+  block:
+    - when: matrix_fluffygate_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
+
+    - when: matrix_fluffygate_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml"
+
+- tags:
+    - setup-all
+    - setup-fluffygate
+  block:
+    - when: not matrix_fluffygate_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml"

roles/custom/matrix-fluffygate/tasks/uninstall.yml

@@ -0,0 +1,25 @@
+---
+
+- name: Check existence of matrix-fluffygate service
+  ansible.builtin.stat:
+    path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-fluffygate.service"
+  register: matrix_fluffygate_service_stat
+
+- when: matrix_fluffygate_service_stat.stat.exists | bool
+  block:
+    - name: Ensure matrix-fluffygate is stopped
+      ansible.builtin.service:
+        name: matrix-fluffygate
+        state: stopped
+        enabled: false
+        daemon_reload: true
+
+    - name: Ensure matrix-fluffygate.service doesn't exist
+      ansible.builtin.file:
+        path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-fluffygate.service"
+        state: absent
+
+    - name: Ensure Fluffygate base directory doesn't exist
+      ansible.builtin.file:
+        path: "{{ matrix_fluffygate_base_path }}"
+        state: absent

roles/custom/matrix-fluffygate/tasks/validate_config.yml

@@ -0,0 +1,40 @@
+---
+
+- name: Fail if required Fluffygate settings not defined
+  ansible.builtin.fail:
+    msg: >
+      You need to define a required configuration setting (`{{ item }}`).
+  when: "vars[item] == ''"
+  with_items:
+    - matrix_fluffygate_hostname
+    - matrix_fluffygate_path_prefix
+    - matrix_fluffygate_container_network
+
+- when: matrix_fluffygate_container_labels_traefik_enabled | bool
+  block:
+    - name: Fail if required Fluffygate Traefik settings not defined
+      ansible.builtin.fail:
+        msg: >-
+          You need to define a required configuration setting (`{{ item }}`).
+      when: "vars[item] == ''"
+      with_items:
+        - matrix_fluffygate_container_labels_traefik_hostname
+        - matrix_fluffygate_container_labels_traefik_path_prefix
+
+    # We ensure it doesn't end with a slash, because we handle both (slash and no-slash).
+    # Knowing that `matrix_fluffygate_container_labels_traefik_path_prefix` does not end with a slash
+    # ensures we know how to set these routes up without having to do "does it end with a slash" checks elsewhere.
+    - name: Fail if matrix_fluffygate_container_labels_traefik_path_prefix ends with a slash
+      ansible.builtin.fail:
+        msg: >-
+          matrix_fluffygate_container_labels_traefik_path_prefix (`{{ matrix_fluffygate_container_labels_traefik_path_prefix }}`) must either be `/` or not end with a slash (e.g. `/fluffygate`).
+      when: "matrix_fluffygate_container_labels_traefik_path_prefix != '/' and matrix_fluffygate_container_labels_traefik_path_prefix[-1] == '/'"
+
+- name: Fail if required Fluffygate settings not defined
+  ansible.builtin.fail:
+    msg: >
+      You need to define a required configuration setting (`{{ item }}`).
+  when: "vars[item] == ''"
+  with_items:
+    - matrix_fluffygate_app_name
+    - matrix_fluffygate_app_website

roles/custom/matrix-fluffygate/templates/config.yaml.j2

@@ -0,0 +1,26 @@
+port: 8080
+bindAddress: "0.0.0.0"
+
+# Information about the corresponding app
+appName: "{{ matrix_fluffygate_app_name }}"
+appWebsite: "{{ matrix_fluffygate_app_website }}"
+
+# (Optional) Display logs for debugging
+debugLogs: {{ matrix_fluffygate_debug_logs | to_json }}
+
+# The default notification title and body. {count} will be replaced by the unread
+# count of the push notification. Won't be set by default for clearing notifications.
+notificationTitle: "{{ matrix_fluffygate_notification_title }}"
+notificationBody: "{{ matrix_fluffygate_notification_body }}"
+
+# Add json keys to send to fcm for android and apns configurations
+androidNotificationOptions: {{ matrix_fluffygate_android_notification_options | to_json }}
+apnsNotificationOptions: {{ matrix_fluffygate_apns_notification_options | to_json }}
+
+# You firebase project ID and the path to the key file for your service account.
+{% if matrix_fluffygate_firebase_project %}
+projectId: "{{ matrix_fluffygate_firebase_project }}"
+{% endif %}
+{% if matrix_fluffygate_firebase_key %}
+fcmKeyFilePath: "/data/firebase-key.json"
+{% endif %}

roles/custom/matrix-fluffygate/templates/labels.j2

@@ -0,0 +1,46 @@
+{% if matrix_fluffygate_container_labels_traefik_enabled %}
+traefik.enable=true
+
+{% if matrix_fluffygate_container_labels_traefik_docker_network %}
+traefik.docker.network={{ matrix_fluffygate_container_labels_traefik_docker_network }}
+{% endif %}
+
+traefik.http.services.matrix-fluffygate.loadbalancer.server.port=8080
+
+{% set middlewares = [] %}
+
+{% if matrix_fluffygate_container_labels_traefik_path_prefix != '/' %}
+traefik.http.middlewares.matrix-fluffygate-slashless-redirect.redirectregex.regex=({{ matrix_fluffygate_container_labels_traefik_path_prefix | quote }})$
+traefik.http.middlewares.matrix-fluffygate-slashless-redirect.redirectregex.replacement=${1}/
+{% set middlewares = middlewares + ['matrix-fluffygate-slashless-redirect'] %}
+{% endif %}
+
+{% if matrix_fluffygate_container_labels_traefik_path_prefix != '/' %}
+traefik.http.middlewares.matrix-fluffygate-strip-prefix.stripprefix.prefixes={{ matrix_fluffygate_container_labels_traefik_path_prefix }}
+{% set middlewares = middlewares + ['matrix-fluffygate-strip-prefix'] %}
+{% endif %}
+
+{% if matrix_fluffygate_container_labels_traefik_additional_response_headers.keys() | length > 0 %}
+{% for name, value in matrix_fluffygate_container_labels_traefik_additional_response_headers.items() %}
+traefik.http.middlewares.matrix-fluffygate-add-headers.headers.customresponseheaders.{{ name }}={{ value }}
+{% endfor %}
+{% set middlewares = middlewares + ['matrix-fluffygate-add-headers'] %}
+{% endif %}
+
+traefik.http.routers.matrix-fluffygate.rule={{ matrix_fluffygate_container_labels_traefik_rule }}
+{% if matrix_fluffygate_container_labels_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-fluffygate.priority={{ matrix_fluffygate_container_labels_traefik_priority }}
+{% endif %}
+traefik.http.routers.matrix-fluffygate.service=matrix-fluffygate
+{% if middlewares | length > 0 %}
+traefik.http.routers.matrix-fluffygate.middlewares={{ middlewares | join(',') }}
+{% endif %}
+traefik.http.routers.matrix-fluffygate.entrypoints={{ matrix_fluffygate_container_labels_traefik_entrypoints }}
+traefik.http.routers.matrix-fluffygate.tls={{ matrix_fluffygate_container_labels_traefik_tls | to_json }}
+{% if matrix_fluffygate_container_labels_traefik_tls %}
+traefik.http.routers.matrix-fluffygate.tls.certResolver={{ matrix_fluffygate_container_labels_traefik_tls_certResolver }}
+{% endif %}
+
+{% endif %}
+
+{{ matrix_fluffygate_container_labels_additional_labels }}

roles/custom/matrix-fluffygate/templates/systemd/matrix-fluffygate.service.j2

@@ -0,0 +1,51 @@
+#jinja2: lstrip_blocks: "True"
+[Unit]
+Description=Matrix Fluffygate
+{% for service in matrix_fluffygate_systemd_required_services_list %}
+Requires={{ service }}
+After={{ service }}
+{% endfor %}
+{% for service in matrix_fluffygate_systemd_wanted_services_list %}
+Wants={{ service }}
+{% endfor %}
+DefaultDependencies=no
+
+[Service]
+Type=simple
+Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-fluffygate 2>/dev/null || true'
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-fluffygate 2>/dev/null || true'
+
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
+			--rm \
+			--name=matrix-fluffygate \
+			--log-driver=none \
+			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+			--cap-drop=ALL \
+			--network={{ matrix_fluffygate_container_network }} \
+			{% if matrix_fluffygate_container_http_host_bind_port %}
+			-p {{ matrix_fluffygate_container_http_host_bind_port }}:6000 \
+			{% endif %}
+			--label-file={{ matrix_fluffygate_base_path }}/labels \
+			--mount type=bind,src={{ matrix_fluffygate_config_path }},dst=/etc/fluffygate \
+			--mount type=bind,src={{ matrix_fluffygate_data_path }},dst=/data \
+			{% for arg in matrix_fluffygate_container_extra_arguments %}
+			{{ arg }} \
+			{% endfor %}
+			{{ matrix_fluffygate_docker_image }}
+
+{% for network in matrix_fluffygate_container_additional_networks %}
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-fluffygate
+{% endfor %}
+
+ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-fluffygate
+
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-fluffygate 2>/dev/null || true'
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-fluffygate 2>/dev/null || true'
+
+Restart=always
+RestartSec=30
+SyslogIdentifier=matrix-fluffygate
+
+[Install]
+WantedBy=multi-user.target

setup.yml

@@ -126,6 +126,7 @@
     - custom/matrix-sliding-sync
     - custom/matrix-email2matrix
     - custom/matrix-sygnal
+    - custom/matrix-fluffygate
     - galaxy/ntfy
     - custom/matrix-static-files
     - custom/matrix-coturn