Merge 0b9389fd6492d0c26c5ed16ba17d51d36c378016 into ca8c1cf2b5416924c4379d43d5c943928377747d

Co-authored-by: Suguru Hirahara <luixxiul@users.noreply.github.com>

CHANGELOG.md

@@ -1,3 +1,45 @@
+# 2024-11-23
+
+## (Backward Compatibility Break) The playbook now defaults to Valkey, instead of KeyDB
+
+**TLDR**: if the playbook installed KeyDB (or Redis) as a dependency for you before, it will now replace it with [Valkey](https://valkey.io/) (a drop-in alternative). We [previously switched from Redis to KeyDB](#backward-compatibility-break-the-playbook-now-defaults-to-keydb-instead-of-redis), but Valkey is a better alternative, so we're switching again.
+
+The playbook used to install Redis or KeyDB if services have a need for a Redis-compatible implementation ([enabling worker support for Synapse](docs/configuring-playbook-synapse.md#load-balancing-with-workers), [enabling Hookshot encryption](docs/configuring-playbook-bridge-hookshot.md#end-to-bridge-encryption), etc.).
+
+Earlier this year, we switched from Redis to KeyDB - see [(Backward Compatibility Break) The playbook now defaults to KeyDB, instead of Redis](#backward-compatibility-break-the-playbook-now-defaults-to-keydb-instead-of-redis).
+
+Because Valkey seems to be a better successor to Redis (than KeyDB) and likely doesn't suffer from [issues like this one](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/3544), we now replace KeyDB with Valkey.
+
+Valkey (like KeyDB and Redis in the past) is an implicitly enabled dependency - you don't need custom configuration in `vars.yml` to enable it.
+
+Next time your run the playbook (via the `setup-all` tag), **KeyDB will be automatically uninstalled and replaced with Valkey**. Some Synapse downtime may occur while the switch happens.
+
+Users on `arm32` should be aware that there's **neither a prebuilt `arm32` container image for Valkey**, nor the Valkey role supports self-building yet. Users on this architecture likely don't run Synapse with workers, etc., so they're likely in no need of Valkey (or Redis/KeyDB). If Redis is necessary in an `arm32` deployment, disabling Valkey and making the playbook fall back to Redis is possible (see below).
+
+**The playbook still supports Redis** and you can keep using Redis (for now) if you'd like, by adding this additional configuration to your `vars.yml` file:
+
+```yml
+# Explicitly disable both Valkey and KeyDB.
+#
+# Redis will be auto-enabled if necessary,
+# because there's no other Redis-compatible implementation being enabled.
+valkey_enabled: false
+keydb_enabled: false
+```
+
+**The playbook still supports KeyDB** and you can keep using KeyDB (for now) if you'd like, by adding this additional configuration to your `vars.yml` file:
+
+```yml
+# Explicitly disable Valkey  enable KeyDB.
+#
+# Redis will not be auto-enabled beandcause a Redis-compatible implementation (KeyDB) is enabled.
+valkey_enabled: false
+keydb_enabled: true
+```
+
+At some point in time in the future, we'll remove both KeyDB and Redis from the playbook, so we recommend that you migrate to Valkey earlier anyway.
+
+
 # 2024-11-14
 
 ## HTTP-compression support for Traefik-based setups

docs/configuring-playbook-element-call.md

@@ -25,16 +25,13 @@ Ensure that the following DNS names have a public IP/FQDN:
 
 ## Adjusting the playbook configuration
 
-NOTE: Element call is dependent on two other services for it to function as intended. In orter to utilise Element Call you need to also enable the [JWT Service](configuring-playbook-jwt-service.md) and [Livekit Server](configuring-playbook-livekit-server.md).
+NOTE: Enabling Element Call will automatically enable the [LiveKit JWT Service](configuring-playbook-livekit-jwt-service.md) and Livekit Server services.
 
 
 Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file:
 
 ```yaml
 matrix_element_call_enabled: true
-
-# Set a secure key for LiveKit authentication
-livekit_server_config_keys_devkey: 'your-secure-livekit-key'
 ```
 
 ## Installing
@@ -43,7 +40,7 @@ After configuring the playbook and potentially [adjusting your DNS records](#adj
 
 ## Usage
 
-Once installed, Element Call integrates seamlessly with Matrix clients like Element Web. When the Element Call service is installed, the `/.well-known/matrix/client` file is also updated. A new `org.matrix.msc4143.rtc_foci` section is added to point to your JWT service URL (e.g., `https://sfu-jwt.example.com`).
+Once installed, Element Call integrates seamlessly with Matrix clients like [Element Web](configuring-playbook-client-element-web.md). When the Element Call service is installed, the `/.well-known/matrix/client` file is also updated. A new `org.matrix.msc4143.rtc_foci` section is added to point to your LiveKit JWT service URL (e.g., `https://matrix.example.com/lk-jwt-service`).
 
 Additionally, the `/.well-known/element/element.json` file is created to help Element clients discover the Element Call URL (e.g., `https://call.example.com`).
 
@@ -53,12 +50,12 @@ To ensure the services function correctly, the following firewall rules and port
 
 LiveKit:
 
-	•	Forward UDP ports 50100:50200 to the Docker instance running LiveKit.
-	•	Forward TCP port 7881 to the Docker instance running LiveKit.
+- Forward UDP ports 50100:50120 to the Docker instance running LiveKit.
+- Forward TCP port 7881 to the Docker instance running LiveKit.
 
 Element Call:
 
-	•	Forward TCP port 443 to the server running Traefik (for Element Call).
+- Forward TCP port 443 to the server running Traefik (for Element Call).
 
 Ensure these ports are open and forwarded appropriately to allow traffic to flow correctly between the services.
 

docs/configuring-playbook-jwt-service.md

@@ -1,6 +1,6 @@
 # Setting up JWT Service (optional)
 
-The playbook can install and configure [JWT Service](https://github.com/element-hq/lk-jwt-service) for you.
+The playbook can install and configure [LiveKit JWT Service](https://github.com/element-hq/lk-jwt-service) for you.
 
 LK-JWT-Service is currently used for a single reason: generate JWT tokens with a given identity for a given room, so that users can use them to authenticate against LiveKit SFU.
 
@@ -8,28 +8,23 @@ See the project's [documentation](https://github.com/element-hq/lk-jwt-service/)
 
 ## Decide on a domain and path
 
-By default, JWT Service is configured to be served on the Matrix domain (`sfu-jwt.DOMAIN`, controlled by the `matrix_jwt-service_hostname` variable).
+By default, JWT Service is configured to be served:
+
+- on the Matrix domain (`matrix.example.com`), configurable via `matrix_livekit_jwt_service_hostname`
+- under a `/lk-jwt-service` path prefix, configurable via `matrix_livekit_jwt_service_path_prefix`
 
 This makes it easy to set it up, **without** having to adjust your DNS records manually.
 
-If you'd like to run JWT Service on another hostname or path, use the `matrix_jwt-service_hostname` variable.
-
 ## Adjusting DNS records
 
 If you've changed the default hostname, **you may need to adjust your DNS** records accordingly to point to the correct server.
 
-Ensure that the following DNS names have a public IP/FQDN:
-- `sfu-jwt.DOMAIN`
-
 ## Adjusting the playbook configuration
 
 Add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:
 
 ```yaml
-matrix_jwt_service_enabled: true
-
-# Set a secure key for LiveKit authentication
-matrix_element_call_livekit_dev_key: 'your-secure-livekit-key'
+matrix_livekit_jwt_service_enabled: true
 ```
 
 ## Installing
@@ -38,8 +33,8 @@ After configuring the playbook and potentially [adjusting your DNS records](#adj
 
 ## Usage
 
-Once installed, a new `org.matrix.msc4143.rtc_foci` section is added to the element web client to point to your JWT service URL (e.g., `https://sfu-jwt.example.com`).
+Once installed, a new `org.matrix.msc4143.rtc_foci` section is added to the Element Web client to point to your JWT service URL (e.g., `https://matrix.example.com/lk-jwt-service`).
 
 ## Additional Information
 
-Refer to the JWT-Service documentation for more details on configuring and using JWT Service.
+Refer to the LiveKit JWT-Service documentation for more details on configuring and using JWT Service.

docs/configuring-playbook-livekit-server.md

@@ -45,8 +45,8 @@ To ensure the services function correctly, the following firewall rules and port
 
 LiveKit:
 
-	•	Forward UDP ports 50100:50200 to the Docker instance running LiveKit.
-	•	Forward TCP port 7881 to the Docker instance running LiveKit.
+- Forward UDP ports 50100:50200 to the Docker instance running LiveKit.
+- Forward TCP port 7881 to the Docker instance running LiveKit.
 
 Ensure these ports are open and forwarded appropriately to allow traffic to flow correctly between the services.
 

docs/configuring-playbook.md

@@ -214,7 +214,7 @@ Various services that don't fit any other categories.
 
 - [Setting up the Element Call server](configuring-playbook-element-call.md) (optional)
 
-- [Setting up the JWT Service](configuring-playbook-jwt-service.md) (optional)
+- [Setting up the LiveKit JWT Service](configuring-playbook-livekit-jwt-service.md) (optional)
 
 - [Setting up the Livekit server](configuring-playbook-livekit-server.md) (optional)
 

docs/faq.md

@@ -80,6 +80,16 @@ Alternatively, you can download Ansible and the playbook itself directly on the
 
 To learn more, see our [dedicated Ansible documentation page](ansible.md).
 
+### What is `just`?
+
+[`just`](https://github.com/casey/just) is a modern command-runner alternative to [make](https://www.gnu.org/software/make/). It can be used to invoke commands with less typing.
+
+The `just` utility executes shortcut commands (called "recipes"), which invoke `ansible-playbook`, `ansible-galaxy` or [`agru`](https://github.com/etkecc/agru) (depending on what is available in your system). The targets of the recipes are defined in [`justfile`](../justfile).
+
+For details about `just` commands, take a look at: [Running `just` commands](just.md).
+
+The playbook also contains a `Makefile` for the `make` tool, but most of the just recipes are not available as targets in the `Makefile`.
+
 ### Why use this playbook and not install Synapse and other things manually?
 
 There are various guides telling you how easy it is to install [Synapse](https://github.com/element-hq/synapse).

docs/installing.md

@@ -15,6 +15,8 @@ To update your playbook directory and all upstream Ansible roles (defined in the
 
 If you don't have either `just` tool or `make` program, you can run the `ansible-galaxy` tool directly: `rm -rf roles/galaxy; ansible-galaxy install -r requirements.yml -p roles/galaxy/ --force`
 
+For details about `just` commands, take a look at: [Running `just` commands](just.md).
+
 ## Install Matrix server and services
 
 The Ansible playbook's tasks are tagged, so that certain parts of the Ansible playbook can be run without running all other tasks.
@@ -51,7 +53,7 @@ To do the installation **without** starting services, run `ansible-playbook` wit
 ansible-playbook -i inventory/hosts setup.yml --tags=install-all
 ```
 
-**Note**: do not run the just "recipe" `just install-all` instead, because it automatically starts services at the end of execution.
+**Note**: do not run the just "recipe" `just install-all` instead, because it automatically starts services at the end of execution. See: [Difference between playbook tags and shortcuts](just.md#difference-between-playbook-tags-and-shortcuts)
 
 When this command completes, services won't be running yet.
 

docs/just.md

@@ -0,0 +1,38 @@
+# Running `just` commands
+
+We have previously used [make](https://www.gnu.org/software/make/) for easily running some playbook commands (e.g. `make roles` which triggers [`ansible-galaxy`](https://docs.ansible.com/ansible/latest/cli/ansible-galaxy.html)). Our [`Makefile`](../Makefile) is still around, and you can still run these commands.
+
+In addition, we have added support for running commands via [`just`](https://github.com/casey/just) - a more modern command-runner alternative to `make`. It can be used to invoke `ansible-playbook` commands with less typing.
+
+The `just` utility executes shortcut commands (called as "recipes"), which invoke `ansible-playbook`, `ansible-galaxy` or [`agru`](https://github.com/etkecc/agru) (depending on what is available in your system). The targets of the recipes are defined in [`justfile`](../justfile). Most of the just recipes have no corresponding `Makefile` targets.
+
+For some recipes such as `just update`, our `justfile` recommends installing [`agru`](https://github.com/etkecc/agru) (a faster alternative to `ansible-galaxy`) to speed up the process.
+
+Here are some examples of shortcuts:
+
+| Shortcut                                      | Result                                                                                                         |
+|-----------------------------------------------|----------------------------------------------------------------------------------------------------------------|
+| `just roles`                                  | Install the necessary Ansible roles pinned in [`requirements.yml`](../requirements.yml)                        |
+| `just update`                                 | Run `git pull` (to update the playbook) and install the Ansible roles                                          |
+| `just install-all`                            | Run `ansible-playbook -i inventory/hosts setup.yml --tags=install-all,ensure-matrix-users-created,start`       |
+| `just setup-all`                              | Run `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,ensure-matrix-users-created,start`         |
+| `just install-all --ask-vault-pass`           | Run commands with additional arguments (`--ask-vault-pass` will be appended to the above installation command) |
+| `just run-tags install-mautrix-slack,start`   | Run specific playbook tags (here `install-mautrix-slack` and `start`)                                          |
+| `just install-service mautrix-slack`          | Run `just run-tags install-mautrix-slack,start` with even less typing                                          |
+| `just start-all`                              | (Re-)starts all services                                                                                       |
+| `just stop-group postgres`                    | Stop only the Postgres service                                                                                 |
+| `just register-user john secret-password yes` | Registers a `john` user with the `secret-password` password and admin access (admin = `yes`)                   |
+
+While [our documentation on prerequisites](prerequisites.md) lists `just` as one of the requirements for installation, using `just` is optional. If you find it difficult to install it, do not find it useful, or want to prefer raw `ansible-playbook` commands for some reason, feel free to run all commands manually. For example, you can run `ansible-galaxy` directly to install the Ansible roles: `rm -rf roles/galaxy; ansible-galaxy install -r requirements.yml -p roles/galaxy/ --force`.
+
+## Difference between playbook tags and shortcuts
+
+It is worth noting that `just` "recipes" are different from [playbook tags](playbook-tags.md). The recipes are shortcuts of commands defined in `justfile` and can be executed by the `just` program only, while the playbook tags are available for the raw `ansible-playbook` commands as well. Please be careful not to confuse them.
+
+For example, these two commands are different:
+- `just install-all`
+- `ansible-playbook -i inventory/hosts setup.yml --tags=install-all`
+
+The just recipe runs `ensure-matrix-users-created` and `start` tags after `install-all`, while the latter runs only `install-all` tag. The correct shortcut of the latter is `just run-tags install-all`.
+
+Such kind of difference sometimes matters. For example, when you install a Matrix server into which you will import old data (see [here](installing.md#installing-a-server-into-which-youll-import-old-data)), you are not supposed to run `just install-all` or `just setup-all`, because these commands start services immediately after installing components which may prevent your from importing old data.

docs/maintenance-upgrading-services.md

@@ -23,10 +23,10 @@ If it looks good to you, go to the `matrix-docker-ansible-deploy` directory, the
   - either: `just update`
   - or: a combination of `git pull` and `just roles` (or `make roles` if you have `make` program on your computer instead of `just`)
 
-  `just update` and `just roles` are shortcuts (their targets are defined in [`justfile`](../justfile) and executed by the [`just`](https://github.com/casey/just) utility) which ultimately run [agru](https://github.com/etkecc/agru) or [ansible-galaxy](https://docs.ansible.com/ansible/latest/cli/ansible-galaxy.html) (depending on what is available in your system) to download Ansible roles, after upgrading the playbook (in case of `just update`).
-
   If you don't have either `just` tool or `make` program, you can run the `ansible-galaxy` tool directly: `rm -rf roles/galaxy; ansible-galaxy install -r requirements.yml -p roles/galaxy/ --force`
 
+  For details about `just` commands, take a look at: [Running `just` commands](just.md).
+
 - re-run the [playbook setup](installing.md#maintaining-your-setup-in-the-future) and restart all services:
 
   ```sh
@@ -35,6 +35,6 @@ If it looks good to you, go to the `matrix-docker-ansible-deploy` directory, the
 
 Note that if you remove components from `vars.yml`, or if we switch some component from being installed by default to not being installed by default anymore, you'd need to run the setup command with `--tags=setup-all` instead of `--tags=install-all`. See [this page on the playbook tags](playbook-tags.md) for more information.
 
-A way to invoke these `ansible-playbook` commands with less typing is to use [just](https://github.com/casey/just) to run the "recipe": `just install-all` or `just setup-all`. See [our `justfile`](../justfile) for more information. If you don't have `just`, you can also manually run the commands seen in the `justfile`.
+A way to invoke these `ansible-playbook` commands with less typing is to run the `just` "recipe": `just install-all` or `just setup-all`.
 
 **Note**: major version upgrades to the internal PostgreSQL database are not done automatically. To upgrade it, refer to the [upgrading PostgreSQL guide](maintenance-postgres.md#upgrading-postgresql).

docs/playbook-tags.md

@@ -20,4 +20,6 @@ Here are some playbook tags that you should be familiar with:
 
 - `ensure-matrix-users-created` - a special tag which ensures that all special users needed by the playbook (for bots, etc.) are created
 
-`setup-*` tags and `install-*` tags **do not start services** automatically, because you may wish to do things before starting services, such as importing a database dump, restoring data from another server, etc.
+**Notes**:
+- `setup-*` tags and `install-*` tags **do not start services** automatically, because you may wish to do things before starting services, such as importing a database dump, restoring data from another server, etc.
+- Please be careful not to confuse the playbook tags with the `just` shortcut commands ("recipes"). For details about `just` commands, see: [Running `just` commands](just.md)

docs/prerequisites.md

@@ -14,7 +14,7 @@ We will be using `example.com` as the domain in the following instruction. Pleas
 
 - [`git`](https://git-scm.com/) as the recommended way to download the playbook. `git` may also be required on the server if you will be [self-building](self-building.md) components.
 
-- [`just`](https://github.com/casey/just) for running `just roles`, `just update`, etc. (see [`justfile`](../justfile)), although you can also run these commands manually
+- [`just`](https://github.com/casey/just) for running `just roles`, `just update`, etc. (see [`justfile`](../justfile)), although you can also run these commands manually. Take at look at this documentation for more information: [Running `just` commands](just.md).
 
 - Strong password (random strings) generator. The playbook often requires you to create a strong password and use it for settings on `vars.yml`, components, etc. As any tools should be fine, this playbook has adopted [`pwgen`](https://linux.die.net/man/1/pwgen) (running `pwgen -s 64 1`). [Password Tech](https://pwgen-win.sourceforge.io/), formerly known as "PWGen for Windows", is available as free and open source password generator for Windows. Generally, using a random generator available on the internet is not recommended.
 

group_vars/matrix_servers

@@ -436,11 +436,13 @@ devture_systemd_service_manager_services_list_auto: |
     +
     ([{'name': (keydb_identifier + '.service'), 'priority': 750, 'groups': ['matrix', 'keydb']}] if keydb_enabled else [])
     +
+    ([{'name': (valkey_identifier + '.service'), 'priority': 750, 'groups': ['matrix', 'valkey']}] if valkey_enabled else [])
+    +
     ([{'name': 'matrix-pantalaimon.service', 'priority': 4000, 'groups': ['matrix', 'pantalaimon']}] if matrix_pantalaimon_enabled else [])
     +
     ([{'name': 'matrix-element-call.service', 'priority': 4000, 'groups': ['matrix', 'element-call']}] if matrix_element_call_enabled else [])
     +
-    ([{'name': 'matrix-jwt-service.service', 'priority': 3000, 'groups': ['matrix', 'jwt-service']}] if matrix_jwt_service_enabled else [])
+    ([{'name': 'matrix-livekit-jwt-service.service', 'priority': 3500, 'groups': ['matrix', 'livekit-jwt-service']}] if matrix_livekit_jwt_service_enabled else [])
     +
     ([{'name': (livekit_server_identifier + '.service'), 'priority': 3000, 'groups': ['matrix', 'livekit-server']}] if livekit_server_enabled else [])
     +
@@ -2209,12 +2211,14 @@ matrix_hookshot_systemd_wanted_services_list: |
     ([(redis_identifier + '.service')] if redis_enabled and matrix_hookshot_cache_redis_host == redis_identifier else [])
     +
     ([(keydb_identifier + '.service')] if keydb_enabled and matrix_hookshot_cache_redis_host == keydb_identifier else [])
+    +
+    ([(valkey_identifier + '.service')] if valkey_enabled and matrix_hookshot_cache_redis_host == valkey_identifier else [])
   }}
 
 # Hookshot's experimental encryption feature (and possibly others) may benefit from Redis, if available.
 # We only connect to Redis if encryption is enabled (not for everyone who has Redis enabled),
 # because connectivity is still potentially troublesome and is to be investigated.
-matrix_hookshot_cache_redis_host: "{{ redis_identifier if redis_enabled and matrix_hookshot_experimental_encryption_enabled else (keydb_identifier if keydb_enabled and matrix_hookshot_experimental_encryption_enabled else '') }}"
+matrix_hookshot_cache_redis_host: "{{ valkey_identifier if valkey_enabled else (redis_identifier if redis_enabled else (keydb_identifier if keydb_enabled else '')) }}"
 
 matrix_hookshot_container_network: "{{ matrix_addons_container_network }}"
 
@@ -2227,6 +2231,8 @@ matrix_hookshot_container_additional_networks_auto: |
       +
       ([keydb_container_network] if keydb_enabled and matrix_hookshot_cache_redis_host == keydb_identifier else [])
       +
+      ([valkey_container_network] if valkey_enabled and matrix_hookshot_cache_redis_host == valkey_identifier else [])
+      +
       ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network and matrix_hookshot_container_labels_traefik_enabled else [])
     ) | unique
   }}
@@ -4399,11 +4405,11 @@ ntfy_visitor_request_limit_exempt_hosts_hostnames_auto: |
 
 ######################################################################
 #
-# etke/redis
+# redis
 #
 ######################################################################
 
-redis_enabled: "{{ not keydb_enabled and (matrix_synapse_workers_enabled or (matrix_hookshot_enabled and matrix_hookshot_experimental_encryption_enabled)) }}"
+redis_enabled: "{{ not (keydb_enabled or valkey_enabled) and (matrix_synapse_workers_enabled or (matrix_hookshot_enabled and matrix_hookshot_experimental_encryption_enabled)) }}"
 
 redis_identifier: matrix-redis
 
@@ -4414,7 +4420,7 @@ redis_base_path: "{{ matrix_base_data_path }}/redis"
 
 ######################################################################
 #
-# /etke/redis
+# /redis
 #
 ######################################################################
 
@@ -4424,7 +4430,7 @@ redis_base_path: "{{ matrix_base_data_path }}/redis"
 #
 ######################################################################
 
-keydb_enabled: "{{ matrix_synapse_workers_enabled or (matrix_hookshot_enabled and matrix_hookshot_experimental_encryption_enabled) or matrix_element_call_enabled }}"
+keydb_enabled: false
 
 keydb_identifier: matrix-keydb
 
@@ -4448,6 +4454,31 @@ keydb_arch: |-
 #
 ######################################################################
 
+
+######################################################################
+#
+# valkey
+#
+######################################################################
+
+valkey_enabled: "{{ matrix_synapse_workers_enabled or (matrix_hookshot_enabled and matrix_hookshot_experimental_encryption_enabled) or matrix_element_call_enabled }}"
+
+valkey_identifier: matrix-valkey
+
+valkey_uid: "{{ matrix_user_uid }}"
+valkey_gid: "{{ matrix_user_gid }}"
+
+valkey_base_path: "{{ matrix_base_data_path }}/valkey"
+
+valkey_arch: "{{ matrix_architecture }}"
+
+######################################################################
+#
+# valkey
+#
+######################################################################
+
+
 ######################################################################
 #
 # matrix-client-element
@@ -4678,6 +4709,8 @@ matrix_synapse_container_additional_networks_auto: |
       +
       ([keydb_container_network] if matrix_synapse_redis_enabled and matrix_synapse_redis_host == keydb_identifier else [])
       +
+      ([valkey_container_network] if matrix_synapse_redis_enabled and matrix_synapse_redis_host == valkey_identifier else [])
+      +
       ([exim_relay_container_network] if (exim_relay_enabled and matrix_synapse_email_enabled and matrix_synapse_email_smtp_host == exim_relay_identifier and matrix_synapse_container_network != exim_relay_container_network) else [])
       +
       ([matrix_ma1sd_container_network] if (matrix_ma1sd_enabled and matrix_synapse_account_threepid_delegates_msisdn == matrix_synapse_account_threepid_delegates_msisdn_mas1sd_url and matrix_synapse_container_network != matrix_ma1sd_container_network) else [])
@@ -4765,6 +4798,8 @@ matrix_synapse_systemd_required_services_list_auto: |
     +
     ([keydb_identifier ~ '.service'] if matrix_synapse_redis_enabled and matrix_synapse_redis_host == keydb_identifier else [])
     +
+    ([valkey_identifier ~ '.service'] if matrix_synapse_redis_enabled and matrix_synapse_redis_host == valkey_identifier else [])
+    +
     (['matrix-goofys.service'] if matrix_s3_media_store_enabled else [])
     +
     (['matrix-authentication-service.service'] if (matrix_authentication_service_enabled and matrix_synapse_experimental_features_msc3861_enabled) else [])
@@ -4778,9 +4813,9 @@ matrix_synapse_systemd_wanted_services_list_auto: |
   }}
 
 # Synapse workers (used for parallel load-scaling) need Redis for IPC.
-matrix_synapse_redis_enabled: "{{ redis_enabled or keydb_enabled }}"
-matrix_synapse_redis_host: "{{ redis_identifier if redis_enabled else (keydb_identifier if keydb_enabled else '') }}"
-matrix_synapse_redis_password: "{{ redis_connection_password if redis_enabled else (keydb_connection_password if keydb_enabled else '') }}"
+matrix_synapse_redis_enabled: "{{ redis_enabled or keydb_enabled or valkey_enabled }}"
+matrix_synapse_redis_host: "{{ valkey_identifier if valkey_enabled else (redis_identifier if redis_enabled else (keydb_identifier if keydb_enabled else '')) }}"
+matrix_synapse_redis_password: "{{ valkey_connection_password if valkey_enabled else (redis_connection_password if redis_enabled else (keydb_connection_password if keydb_enabled else '')) }}"
 
 matrix_synapse_container_extra_arguments_auto: "{{ matrix_homeserver_container_extra_arguments_auto }}"
 matrix_synapse_app_service_config_files_auto: "{{ matrix_homeserver_app_service_config_files_auto }}"
@@ -5924,7 +5959,7 @@ matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci_enab
 matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci_auto: |-
   {{
     (
-      [{'type': 'livekit', 'livekit_service_url': matrix_jwt_service_url}] if matrix_jwt_service_enabled else []
+      [{'type': 'livekit', 'livekit_service_url': matrix_livekit_jwt_service_public_url}] if matrix_livekit_jwt_service_enabled else []
     )
   }}
 
@@ -6103,45 +6138,61 @@ livekit_server_container_labels_traefik_docker_network: "{{ matrix_playbook_reve
 livekit_server_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
 livekit_server_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"
 
+livekit_server_config_keys_auto: |-
+  {{
+    {}
+    | combine(
+      {matrix_livekit_jwt_service_environment_variable_livekit_key: matrix_livekit_jwt_service_environment_variable_livekit_secret}
+      if matrix_livekit_jwt_service_enabled else {}
+    )
+  }}
+
 ########################################################################
 #                                                                      #
 # /livekit-server                                                      #
 #                                                                      #
 ########################################################################
 
-########################################################################
-#                                                                      #
-# matrix-jwt-service                                                   #
-#                                                                      #
-########################################################################
-
-matrix_jwt_service_enabled: "{{ matrix_element_call_enabled }}"
-
-matrix_jwt_service_version: "latest-ci"  # Default version; can be overridden in host_vars
-matrix_jwt_service_scheme: "https"  # Scheme for Element Call (e.g., https)
-matrix_jwt_service_hostname: "sfu-jwt.{{ matrix_domain }}"  # Default hostname; should be overridden in host_vars if different
-matrix_jwt_service_path_prefix: "/"  # Path prefix for Element Call
-matrix_jwt_service_base_path: "{{ matrix_base_data_path }}/matrix-jwt-service"  # Base path for storing Element Call-related files
-matrix_jwt_service_container_image: "ghcr.io/element-hq/lk-jwt-service:{{ matrix_jwt_service_version }}"
-matrix_jwt_service_container_image_name_prefix: ghcr.io/
-matrix_jwt_service_container_image_registry_prefix: ghcr.io/
-matrix_jwt_service_container_image_force_pull: true
-
-# Docker network configuration for JWT Service
-matrix_jwt_service_container_network: "{{ matrix_addons_container_network }}"
-matrix_jwt_service_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if (matrix_jwt_service_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network) else [] }}"
-
-# Traefik Configuration for JWT Service
-matrix_jwt_service_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
-matrix_jwt_service_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
-matrix_jwt_service_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
-matrix_jwt_service_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"
-
-# JWT Service Configuration
-matrix_jwt_service_url: "https://sfu-jwt.{{ matrix_domain }}"  # Default JWT service URL; adjust as needed
 
 ########################################################################
 #                                                                      #
-# /matrix-jwt-service                                                  #
+# matrix-livekit-jwt-service                                           #
+#                                                                      #
+########################################################################
+
+matrix_livekit_jwt_service_enabled: "{{ matrix_element_call_enabled and livekit_server_enabled }}"
+
+matrix_livekit_jwt_service_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}"
+
+matrix_livekit_jwt_service_hostname: "{{ matrix_server_fqn_matrix }}"
+matrix_livekit_jwt_service_path_prefix: "/lk-jwt-service"
+
+matrix_livekit_jwt_service_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}"
+
+matrix_livekit_jwt_service_container_network: "{{ matrix_addons_container_network }}"
+
+matrix_livekit_jwt_service_container_additional_networks_auto: |
+  {{
+    (
+      ([matrix_playbook_reverse_proxyable_services_additional_network] if (matrix_livekit_jwt_service_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network) else [])
+      +
+      ([livekit_server_container_network] if livekit_server_enabled and (matrix_livekit_jwt_service_environment_variable_livekit_url == livekit_server_websocket_container_url and livekit_server_container_network != matrix_livekit_jwt_service_container_network) else [])
+    ) | unique
+  }}
+
+matrix_livekit_jwt_service_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
+matrix_livekit_jwt_service_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
+matrix_livekit_jwt_service_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
+matrix_livekit_jwt_service_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"
+
+matrix_livekit_jwt_service_environment_variable_livekit_url: "{{ livekit_server_websocket_container_url }}"
+
+matrix_livekit_jwt_service_environment_variable_livekit_key: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'lk.key', rounds=655555) | to_uuid }}"
+
+matrix_livekit_jwt_service_environment_variable_livekit_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'lk.secret', rounds=655555) | to_uuid }}"
+
+########################################################################
+#                                                                      #
+# /matrix-livekit-jwt-service                                          #
 #                                                                      #
 ########################################################################

requirements.yml

@@ -75,3 +75,6 @@
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik-certs-dumper.git
   version: v2.8.3-5
   name: traefik_certs_dumper
+- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-valkey.git
+  version: v8.0.1-0
+  name: valkey

roles/custom/matrix-element-call/templates/config.json.j2

@@ -6,6 +6,6 @@
     }
   },
   "livekit": {
-    "livekit_service_url": "{{ matrix_jwt_service_url }}"
+    "livekit_service_url": "{{ matrix_livekit_jwt_service_public_url }}"
   }
-}
+}

roles/custom/matrix-jwt-service/defaults/main.yml

@@ -1,117 +0,0 @@
----
-# Enable or disable matrix-element-call deployment
-matrix_jwt_service_enabled: false
-
-# Base path configuration
-matrix_jwt_service_base_path: "{{ matrix_base_data_path }}/jwt-service"
-
-# Docker network configuration
-matrix_jwt_service_container_network: ''
-matrix_jwt_service_container_http_host_bind_port: '8881'
-matrix_jwt_service_container_additional_networks: []  # No additional networks by default
-
-# Docker images
-matrix_jwt_service_image: "ghcr.io/element-hq/lk-jwt-service:latest-ci"
-
-# Ports
-matrix_jwt_service_port: "8881"
-
-# jwt configuration
-matrix_jwt_service_hostname: "sfu-jwt.{{ matrix_domain }}"
-matrix_jwt_service_url: "https://sfu-jwt.{{ matrix_domain }}"
-
-# Traefik Configuration for JWT Service
-matrix_jwt_service_container_labels_traefik_enabled: true
-matrix_jwt_service_container_labels_traefik_docker_network: "{{ matrix_jwt_service_container_network }}"
-matrix_jwt_service_container_labels_traefik_hostname: "{{ matrix_jwt_service_hostname }}"
-# The path prefix must either be `/` or not end with a slash (e.g. `/element`).
-matrix_jwt_service_container_labels_traefik_path_prefix: "{{ matrix_jwt_service_path_prefix }}"
-matrix_jwt_service_container_labels_traefik_rule: "Host(`{{ matrix_jwt_service_container_labels_traefik_hostname }}`){% if matrix_jwt_service_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_jwt_service_container_labels_traefik_path_prefix }}`){% endif %}"
-matrix_jwt_service_container_labels_traefik_priority: 0
-matrix_jwt_service_container_labels_traefik_entrypoints: web-secure
-matrix_jwt_service_container_labels_traefik_tls: "{{ matrix_jwt_service_container_labels_traefik_entrypoints != 'web' }}"
-matrix_jwt_service_container_labels_traefik_tls_certResolver: default  # noqa var-naming
-
-# Controls which additional headers to attach to all HTTP responses.
-# To add your own headers, use `matrix_jwt_service_container_labels_traefik_additional_response_headers_custom`
-matrix_jwt_service_container_labels_traefik_additional_response_headers: "{{ matrix_jwt_service_container_labels_traefik_additional_response_headers_auto | combine(matrix_jwt_service_container_labels_traefik_additional_response_headers_custom) }}"
-matrix_jwt_service_container_labels_traefik_additional_response_headers_auto: |
-  {{
-    {}
-    | combine ({'X-XSS-Protection': matrix_jwt_service_http_header_xss_protection} if matrix_jwt_service_http_header_xss_protection else {})
-    | combine ({'X-Frame-Options': matrix_jwt_service_http_header_frame_options} if matrix_jwt_service_http_header_frame_options else {})
-    | combine ({'X-Content-Type-Options': matrix_jwt_service_http_header_content_type_options} if matrix_jwt_service_http_header_content_type_options else {})
-    | combine ({'Content-Security-Policy': matrix_jwt_service_http_header_content_security_policy} if matrix_jwt_service_http_header_content_security_policy else {})
-    | combine ({'Permission-Policy': matrix_jwt_service_http_header_content_permission_policy} if matrix_jwt_service_http_header_content_permission_policy else {})
-    | combine ({'Strict-Transport-Security': matrix_jwt_service_http_header_strict_transport_security} if matrix_jwt_service_http_header_strict_transport_security and matrix_jwt_service_container_labels_traefik_tls else {})
-  }}
-matrix_jwt_service_container_labels_traefik_additional_response_headers_custom: {}
-
-# matrix_client_element_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
-# See `../templates/labels.j2` for details.
-#
-# Example:
-# matrix_client_element_container_labels_additional_labels: |
-#   my.label=1
-#   another.label="here"
-matrix_jwt_service_container_labels_additional_labels: ''
-
-# A list of extra arguments to pass to the container
-matrix_jwt_service_container_extra_arguments: []
-
-# Additional environment variables for the container
-matrix_jwt_service_environment_variables_additional: {}
-
-# List of systemd services that matrix-element-call.service depends on
-matrix_jwt_service_systemd_required_services_list: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
-
-# Specifies the value of the `X-XSS-Protection` header
-# Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.
-#
-# Learn more about it is here:
-# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
-# - https://portswigger.net/web-security/cross-site-scripting/reflected
-matrix_jwt_service_http_header_xss_protection: ''
-
-# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen.
-# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
-matrix_jwt_service_http_header_frame_options: ''
-
-# Specifies the value of the `X-Content-Type-Options` header.
-# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
-matrix_jwt_service_http_header_content_type_options: ''
-
-# Specifies the value of the `Content-Security-Policy` header.
-# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
-matrix_jwt_service_http_header_content_security_policy: ''
-
-# Specifies the value of the `Permission-Policy` header.
-# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy
-matrix_jwt_service_http_header_content_permission_policy: ''
-
-# Specifies the value of the `Strict-Transport-Security` header.
-# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
-matrix_jwt_service_http_header_strict_transport_security: ''
-
-# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses
-#
-# Learn more about what it is here:
-# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea
-# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network
-# - https://amifloced.org/
-#
-# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices.
-# See: `matrix_jwt_service_content_permission_policy`
-matrix_jwt_service_floc_optout_enabled: false
-
-# Controls if HSTS preloading is enabled
-#
-# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and
-# indicates a willingness to be "preloaded" into browsers:
-# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`
-# For more information visit:
-# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
-# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
-# - https://hstspreload.org/#opt-in
-# See: `matrix_jwt_service_http_header_strict_transport_security`
-matrix_jwt_service_hsts_preload_enabled: true

roles/custom/matrix-jwt-service/tasks/install.yml

@@ -1,46 +0,0 @@
----
-# roles/custom/matrix-jwt-service/tasks/install.yml
-
-# Ensure Required Directories Exist
-- name: Ensure matrix-jwt-service paths exist
-  ansible.builtin.file:
-    path: "{{ item.path }}"
-    state: directory
-    mode: 0750
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
-  with_items:
-    - path: "{{ matrix_jwt_service_base_path }}"
-
-- name: Ensure matrix-jwt-service environment file is in place
-  ansible.builtin.template:
-    src: "{{ role_path }}/templates/env.j2"
-    dest: "{{ matrix_jwt_service_base_path }}/env"
-    mode: 0640
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
-
-- name: Ensure JWT Service labels file is in place
-  ansible.builtin.template:
-    src: "{{ role_path }}/templates/labels.j2"
-    dest: "{{ matrix_jwt_service_base_path }}/labels"
-    mode: 0640
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
-
-# Ensure Docker Images are Pulled
-- name: Ensure jwt-service Docker image is pulled
-  community.docker.docker_image:
-    name: "{{ matrix_jwt_service_image }}"
-    source: pull
-  register: jwt_image_result
-  retries: 3
-  delay: 10
-  until: jwt_image_result is not failed
-
-# Systemd Services for JWT Service
-- name: Ensure jwt-service systemd service is installed
-  ansible.builtin.template:
-    src: "{{ role_path }}/templates/systemd/matrix-jwt-service.service.j2"
-    dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jwt-service.service"
-    mode: 0644

roles/custom/matrix-jwt-service/tasks/uninstall.yml

@@ -1,22 +0,0 @@
----
-# Uninstall tasks for matrix-jwt-service
-
-
-- name: Stop and remove jwt-service container
-  community.docker.docker_container:
-    name: "matrix-jwt-service"
-    state: absent
-
-- name: Remove jwt-service systemd service
-  ansible.builtin.file:
-    path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jwt-service.service"
-    state: absent
-
-- name: Remove matrix-jwt-service configuration files
-  ansible.builtin.file:
-    path: "{{ matrix_jwt_service_base_path }}"
-    state: absent
-
-- name: Reload systemd daemon
-  ansible.builtin.systemd:
-    daemon_reload: true

roles/custom/matrix-jwt-service/tasks/validate_config.yml

@@ -1,12 +0,0 @@
----
-# Validate configuration for matrix-jwt-service
-
-- name: Fail if required matrix-jwt-service settings are not defined
-  ansible.builtin.fail:
-    msg: >
-      You need to define a required configuration setting (`{{ item.name }}`).
-  when: "item.when | bool and vars[item.name] == ''"
-  with_items:
-    - {'name': 'matrix_jwt_service_base_path', when: true}
-    - {'name': 'matrix_jwt_service_container_network', when: true}
-    - {'name': 'matrix_jwt_service_image', when: true}

roles/custom/matrix-jwt-service/templates/env.j2

@@ -1,4 +0,0 @@
-# Environment variables for JWT Service
-LIVEKIT_KEY=devkey
-LIVEKIT_URL=wss://{{ livekit_server_hostname }}:443
-LIVEKIT_SECRET={{ livekit_server_dev_key }}

roles/custom/matrix-jwt-service/templates/labels.j2

@@ -1,46 +0,0 @@
-{% if matrix_element_call_container_labels_traefik_enabled %}
-traefik.enable=true
-
-# Network configuration for Traefik
-{% if matrix_jwt_service_container_labels_traefik_docker_network %}
-traefik.docker.network={{ matrix_jwt_service_container_labels_traefik_docker_network }}
-{% endif %}
-
-traefik.http.services.matrix-jwt-service.loadbalancer.server.port=8080
-
-{% set middlewares = [] %}
-
-# Path prefix handling for JWT
-{% if matrix_jwt_service_container_labels_traefik_path_prefix != '/' %}
-traefik.http.middlewares.matrix-jwt-service-slashless-redirect.redirectregex.regex=({{ matrix_jwt_service_container_labels_traefik_path_prefix | quote }})$
-traefik.http.middlewares.matrix-jwt-service-slashless-redirect.redirectregex.replacement=${1}/
-{% set middlewares = middlewares + ['matrix-jwt-service-slashless-redirect'] %}
-
-traefik.http.middlewares.matrix-jwt-service-strip-prefix.stripprefix.prefixes={{ matrix_jwt_service_container_labels_traefik_path_prefix }}
-{% set middlewares = middlewares + ['matrix-jwt-service-strip-prefix'] %}
-{% endif %}
-
-{% if matrix_jwt_service_container_labels_traefik_additional_response_headers.keys() | length > 0 %}
-{% for name, value in matrix_jwt_service_container_labels_traefik_additional_response_headers.items() %}
-traefik.http.middlewares.matrix-jwt-service-add-headers.headers.customresponseheaders.{{ name }}={{ value }}
-{% endfor %}
-{% set middlewares = middlewares + ['matrix-jwt-service-add-headers'] %}
-{% endif %}
-
-traefik.http.routers.matrix-jwt-service.rule={{ matrix_jwt_service_container_labels_traefik_rule }}
-{% if matrix_jwt_service_container_labels_traefik_priority | int > 0 %}
-traefik.http.routers.matrix-jwt-service.priority={{ matrix_jwt_service_container_labels_traefik_priority }}
-{% endif %}
-traefik.http.routers.matrix-jwt-service.service=matrix-jwt-service
-{% if middlewares | length > 0 %}
-traefik.http.routers.matrix-jwt-service.middlewares={{ middlewares | join(',') }}
-{% endif %}
-traefik.http.routers.matrix-jwt-service.entrypoints={{ matrix_jwt_service_container_labels_traefik_entrypoints }}
-traefik.http.routers.matrix-jwt-service.tls={{ matrix_jwt_service_container_labels_traefik_tls | to_json }}
-{% if matrix_jwt_service_container_labels_traefik_tls %}
-traefik.http.routers.matrix-jwt-service.tls.certResolver={{ matrix_jwt_service_container_labels_traefik_tls_certResolver }}
-{% endif %}
-
-{% endif %}
-
-{{ matrix_jwt_service_container_labels_additional_labels }}

roles/custom/matrix-livekit-jwt-service/defaults/main.yml

@@ -0,0 +1,81 @@
+---
+
+# Project source code URL: https://github.com/element-hq/lk-jwt-service
+
+matrix_livekit_jwt_service_enabled: false
+
+matrix_livekit_jwt_service_scheme: https
+matrix_livekit_jwt_service_hostname: ""
+matrix_livekit_jwt_service_path_prefix: "/lk-jwt-service"
+
+matrix_livekit_jwt_service_base_path: "{{ matrix_base_data_path }}/livekit-jwt-service"
+
+matrix_livekit_jwt_service_container_network: ''
+
+matrix_livekit_jwt_service_container_http_host_bind_port: ''
+
+matrix_livekit_jwt_service_container_additional_networks: "{{ (matrix_livekit_jwt_service_container_additional_networks_auto + matrix_livekit_jwt_service_container_additional_networks_custom) | unique }}"
+matrix_livekit_jwt_service_container_additional_networks_auto: []
+matrix_livekit_jwt_service_container_additional_networks_custom: []
+
+# renovate: datasource=docker depName=ghcr.io/element-hq/lk-jwt-service
+matrix_livekit_jwt_service_version: latest-ci
+
+matrix_livekit_jwt_service_container_image_self_build: false
+matrix_livekit_jwt_service_container_repo: "https://github.com/element-hq/lk-jwt-service.git"
+matrix_livekit_jwt_service_container_repo_version: "{{ 'main' if matrix_livekit_jwt_service_version in ['latest', 'latest-ci'] else livekit_server_version }}"
+matrix_livekit_jwt_service_container_src_files_path: "{{ matrix_livekit_jwt_service_base_path }}/container-src"
+
+matrix_livekit_jwt_service_container_image: "{{ matrix_livekit_jwt_service_container_image_name_prefix }}element-hq/lk-jwt-service:{{ matrix_livekit_jwt_service_version }}"
+matrix_livekit_jwt_service_container_image_name_prefix: "{{ 'localhost/' if matrix_livekit_jwt_service_container_image_self_build else 'ghcr.io/' }}"
+matrix_livekit_jwt_service_container_image_force_pull: "{{ matrix_livekit_jwt_service_container_image.endswith(':latest') }}"
+
+matrix_livekit_jwt_service_container_labels_traefik_enabled: true
+matrix_livekit_jwt_service_container_labels_traefik_docker_network: "{{ matrix_livekit_jwt_service_container_network }}"
+matrix_livekit_jwt_service_container_labels_traefik_hostname: "{{ matrix_livekit_jwt_service_hostname }}"
+# The path prefix must either be `/` or not end with a slash (e.g. `/lk-jwt-service`).
+matrix_livekit_jwt_service_container_labels_traefik_path_prefix: "{{ matrix_livekit_jwt_service_path_prefix }}"
+matrix_livekit_jwt_service_container_labels_traefik_rule: "Host(`{{ matrix_livekit_jwt_service_container_labels_traefik_hostname }}`){% if matrix_livekit_jwt_service_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_livekit_jwt_service_container_labels_traefik_path_prefix }}`){% endif %}"
+matrix_livekit_jwt_service_container_labels_traefik_priority: 0
+matrix_livekit_jwt_service_container_labels_traefik_entrypoints: web-secure
+matrix_livekit_jwt_service_container_labels_traefik_tls: "{{ matrix_livekit_jwt_service_container_labels_traefik_entrypoints != 'web' }}"
+matrix_livekit_jwt_service_container_labels_traefik_tls_certResolver: default  # noqa var-naming
+
+# Controls which additional headers to attach to all HTTP responses.
+# To add your own headers, use `matrix_livekit_jwt_service_container_labels_traefik_additional_response_headers_custom`
+matrix_livekit_jwt_service_container_labels_traefik_additional_response_headers: "{{ matrix_livekit_jwt_service_container_labels_traefik_additional_response_headers_auto | combine(matrix_livekit_jwt_service_container_labels_traefik_additional_response_headers_custom) }}"
+matrix_livekit_jwt_service_container_labels_traefik_additional_response_headers_auto: {}
+matrix_livekit_jwt_service_container_labels_traefik_additional_response_headers_custom: {}
+
+# matrix_client_element_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
+# See `../templates/labels.j2` for details.
+#
+# Example:
+# matrix_client_element_container_labels_additional_labels: |
+#   my.label=1
+#   another.label="here"
+matrix_livekit_jwt_service_container_labels_additional_labels: ''
+
+# A list of extra arguments to pass to the container
+matrix_livekit_jwt_service_container_extra_arguments: []
+
+# Controls the LK_JWT_PORT environment variable
+matrix_livekit_jwt_service_environment_variable_lk_jwt_port: 8080
+
+# Controls the LIVEKIT_KEY environment variable
+matrix_livekit_jwt_service_environment_variable_livekit_key: ""
+
+# Controls the LIVEKIT_URL environment variable
+matrix_livekit_jwt_service_environment_variable_livekit_url: ""
+
+# Controls the LIVEKIT_SECRET environment variable
+matrix_livekit_jwt_service_environment_variable_livekit_secret: ""
+
+# Additional environment variables for the container
+matrix_livekit_jwt_service_environment_variables_additional: {}
+
+# List of systemd services that LiveKit JWT Service service depends on
+matrix_livekit_jwt_service_systemd_required_services_list: "{{ matrix_livekit_jwt_service_systemd_required_services_list_default + matrix_livekit_jwt_service_systemd_required_services_list_auto + matrix_livekit_jwt_service_systemd_required_services_list_custom }}"
+matrix_livekit_jwt_service_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
+matrix_livekit_jwt_service_systemd_required_services_list_auto: []
+matrix_livekit_jwt_service_systemd_required_services_list_custom: []

roles/custom/matrix-livekit-jwt-service/tasks/install.yml

@@ -0,0 +1,69 @@
+---
+
+- name: Ensure LiveKit JWT Service paths exist
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - path: "{{ matrix_livekit_jwt_service_base_path }}"
+
+- name: Ensure LiveKit JWT Service support files installed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/{{ item }}.j2"
+    dest: "{{ matrix_livekit_jwt_service_base_path }}/{{ item }}"
+    mode: 0640
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - env
+    - labels
+
+- name: Ensure LiveKit JWT Service container image is pulled
+  community.docker.docker_image:
+    name: "{{ matrix_livekit_jwt_service_container_image }}"
+    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    force_source: "{{ matrix_livekit_jwt_service_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_livekit_jwt_service_container_image_force_pull }}"
+  when: "not matrix_livekit_jwt_service_container_image_self_build | bool"
+  register: result
+  retries: "{{ devture_playbook_help_container_retries_count }}"
+  delay: "{{ devture_playbook_help_container_retries_delay }}"
+  until: result is not failed
+
+- when: "matrix_livekit_jwt_service_container_image_self_build | bool"
+  block:
+    - name: Ensure LiveKit JWT Service repository is present on self-build
+      ansible.builtin.git:
+        repo: "{{ matrix_livekit_jwt_service_container_repo }}"
+        version: "{{ matrix_livekit_jwt_service_container_repo_version }}"
+        dest: "{{ matrix_livekit_jwt_service_container_src_files_path }}"
+        force: "yes"
+      become: true
+      become_user: "{{ matrix_user_username }}"
+      register: matrix_livekit_jwt_service_git_pull_results
+
+    - name: Ensure LiveKit JWT Service container image is built
+      community.docker.docker_image:
+        name: "{{ matrix_livekit_jwt_service_container_image }}"
+        source: build
+        force_source: "{{ matrix_livekit_jwt_service_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+        force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_livekit_jwt_service_git_pull_results.changed }}"
+        build:
+          dockerfile: Dockerfile
+          path: "{{ matrix_livekit_jwt_service_container_src_files_path }}"
+          pull: true
+
+- name: Ensure LiveKit JWT Service container network is created
+  community.general.docker_network:
+    enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}"
+    name: "{{ matrix_livekit_jwt_service_container_network }}"
+    driver: bridge
+
+- name: Ensure LiveKit JWT Service systemd service is installed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/systemd/matrix-livekit-jwt-service.service.j2"
+    dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-livekit-jwt-service.service"
+    mode: 0644

roles/custom/matrix-livekit-jwt-service/tasks/main.yml

@@ -1,21 +1,20 @@
 ---
-# Main task file for matrix-element-call
 
 - tags:
     - setup-all
     - setup-jwt-service
     - install-all
-    - install-wt-service
+    - install-livekit-jwt-service
   block:
-    - when: matrix_jwt_service_enabled | bool
+    - when: matrix_livekit_jwt_service_enabled | bool
       ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
 
-    - when: matrix_jwt_service_enabled | bool
+    - when: matrix_livekit_jwt_service_enabled | bool
       ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml"
 
 - tags:
     - setup-all
-    - setup-jwt-service
+    - setup-livekit-jwt-service
   block:
-    - when: not matrix_jwt_service_enabled | bool
-      ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml"
+    - when: not matrix_livekit_jwt_service_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml"

roles/custom/matrix-livekit-jwt-service/tasks/uninstall.yml

@@ -0,0 +1,25 @@
+---
+
+- name: Check existence of LiveKit JWT Service systemd service
+  ansible.builtin.stat:
+    path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-livekit-jwt-service.service"
+  register: matrix_livekit_jwt_service_service_stat
+
+- when: matrix_livekit_jwt_service_service_stat.stat.exists | bool
+  block:
+    - name: Ensure LiveKit JWT Service systemd service is stopped
+      ansible.builtin.service:
+        name: matrix-livekit-jwt-service
+        state: stopped
+        enabled: false
+        daemon_reload: true
+
+    - name: Ensure LiveKit JWT Service systemd service doesn't exist
+      ansible.builtin.file:
+        path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-livekit-jwt-service.service"
+        state: absent
+
+    - name: Ensure LiveKit JWT Service paths don't exist
+      ansible.builtin.file:
+        path: "{{ matrix_livekit_jwt_service_base_path }}"
+        state: absent

roles/custom/matrix-livekit-jwt-service/tasks/validate_config.yml

@@ -0,0 +1,13 @@
+---
+
+- name: Fail if required LiveKit JWT Service settings are not defined
+  ansible.builtin.fail:
+    msg: >
+      You need to define a required configuration setting (`{{ item.name }}`).
+  when: "item.when | bool and vars[item.name] | length == 0"
+  with_items:
+    - {'name': 'matrix_livekit_jwt_service_hostname', when: true}
+    - {'name': 'matrix_livekit_jwt_service_container_network', when: true}
+    - {'name': 'matrix_livekit_jwt_service_environment_variable_livekit_key', when: true}
+    - {'name': 'matrix_livekit_jwt_service_environment_variable_livekit_url', when: true}
+    - {'name': 'matrix_livekit_jwt_service_environment_variable_livekit_secret', when: true}

roles/custom/matrix-livekit-jwt-service/templates/env.j2

@@ -0,0 +1,7 @@
+LK_JWT_PORT={{ matrix_livekit_jwt_service_environment_variable_lk_jwt_port | int | to_json }}
+
+LIVEKIT_KEY={{ matrix_livekit_jwt_service_environment_variable_livekit_key }}
+LIVEKIT_URL={{ matrix_livekit_jwt_service_environment_variable_livekit_url }}
+LIVEKIT_SECRET={{ matrix_livekit_jwt_service_environment_variable_livekit_secret }}
+
+{{ matrix_livekit_jwt_service_environment_variables_additional }}

roles/custom/matrix-livekit-jwt-service/templates/labels.j2

@@ -0,0 +1,48 @@
+{% if matrix_element_call_container_labels_traefik_enabled %}
+traefik.enable=true
+
+traefik.docker.network={{ matrix_livekit_jwt_service_container_labels_traefik_docker_network }}
+
+traefik.http.services.matrix-livekit-jwt-service.loadbalancer.server.port={{ matrix_livekit_jwt_service_environment_variable_lk_jwt_port }}
+
+{% set middlewares = [] %}
+
+{% if matrix_livekit_jwt_service_container_labels_traefik_path_prefix != '/' %}
+traefik.http.middlewares.matrix-livekit-jwt-service-slashless-redirect.redirectregex.regex=({{ matrix_livekit_jwt_service_container_labels_traefik_path_prefix | quote }})$
+traefik.http.middlewares.matrix-livekit-jwt-service-slashless-redirect.redirectregex.replacement=${1}/
+{% set middlewares = middlewares + ['matrix-livekit-jwt-service-slashless-redirect'] %}
+
+traefik.http.middlewares.matrix-livekit-jwt-service-strip-prefix.stripprefix.prefixes={{ matrix_livekit_jwt_service_container_labels_traefik_path_prefix }}
+{% set middlewares = middlewares + ['matrix-livekit-jwt-service-strip-prefix'] %}
+{% endif %}
+
+{% if matrix_livekit_jwt_service_container_labels_traefik_additional_response_headers.keys() | length > 0 %}
+{% for name, value in matrix_livekit_jwt_service_container_labels_traefik_additional_response_headers.items() %}
+traefik.http.middlewares.matrix-livekit-jwt-service-add-headers.headers.customresponseheaders.{{ name }}={{ value }}
+{% endfor %}
+{% set middlewares = middlewares + ['matrix-livekit-jwt-service-add-headers'] %}
+{% endif %}
+
+traefik.http.routers.matrix-livekit-jwt-service.rule={{ matrix_livekit_jwt_service_container_labels_traefik_rule }}
+
+{% if matrix_livekit_jwt_service_container_labels_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-livekit-jwt-service.priority={{ matrix_livekit_jwt_service_container_labels_traefik_priority }}
+{% endif %}
+
+traefik.http.routers.matrix-livekit-jwt-service.service=matrix-livekit-jwt-service
+
+{% if middlewares | length > 0 %}
+traefik.http.routers.matrix-livekit-jwt-service.middlewares={{ middlewares | join(',') }}
+{% endif %}
+
+traefik.http.routers.matrix-livekit-jwt-service.entrypoints={{ matrix_livekit_jwt_service_container_labels_traefik_entrypoints }}
+
+traefik.http.routers.matrix-livekit-jwt-service.tls={{ matrix_livekit_jwt_service_container_labels_traefik_tls | to_json }}
+
+{% if matrix_livekit_jwt_service_container_labels_traefik_tls %}
+traefik.http.routers.matrix-livekit-jwt-service.tls.certResolver={{ matrix_livekit_jwt_service_container_labels_traefik_tls_certResolver }}
+{% endif %}
+
+{% endif %}
+
+{{ matrix_livekit_jwt_service_container_labels_additional_labels }}

roles/custom/matrix-livekit-jwt-service/templates/systemd/matrix-livekit-jwt-service.service.j2

@@ -1,40 +1,42 @@
 #jinja2: lstrip_blocks: "True"
 [Unit]
-Description=Matrix JWT Service
-After=docker.service
-Requires=docker.service
+Description=Matrix LiveKit JWT Service
+{% for service in matrix_livekit_jwt_service_systemd_required_services_list %}
+After={{ service }}
+Requires={{ service }}
+{% endfor %}
 
 [Service]
 Type=simple
 Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
-ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-jwt-service 2>/dev/null || true'
-ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-jwt-service 2>/dev/null || true'
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-livekit-jwt-service 2>/dev/null || true'
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-livekit-jwt-service 2>/dev/null || true'
 
 ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
     --rm \
-    --name=matrix-jwt-service \
+    --name=matrix-livekit-jwt-service \
     --log-driver=none \
     --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
     --cap-drop=ALL \
-    --network={{ matrix_jwt_service_container_network }} \
-    {% if matrix_jwt_service_container_http_host_bind_port %}
-    -p {{ matrix_jwt_service_container_http_host_bind_port }}:8080 \
+    --network={{ matrix_livekit_jwt_service_container_network }} \
+    {% if matrix_livekit_jwt_service_container_http_host_bind_port %}
+    -p {{ matrix_livekit_jwt_service_container_http_host_bind_port }}:{{ matrix_livekit_jwt_service_environment_variable_lk_jwt_port }} \
     {% endif %}
-    --env-file={{ matrix_jwt_service_base_path }}/env \
-    --label-file={{ matrix_jwt_service_base_path }}/labels \
-    {{ matrix_jwt_service_image }}
+    --env-file={{ matrix_livekit_jwt_service_base_path }}/env \
+    --label-file={{ matrix_livekit_jwt_service_base_path }}/labels \
+    {{ matrix_livekit_jwt_service_container_image }}
 
-{% for network in matrix_jwt_service_container_additional_networks %}
-ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-jwt-service
+{% for network in matrix_livekit_jwt_service_container_additional_networks %}
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-livekit-jwt-service
 {% endfor %}
 
-ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-jwt-service
+ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-livekit-jwt-service
 
-ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-jwt-service 2>/dev/null || true'
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-livekit-jwt-service 2>/dev/null || true'
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-jwt-service 2>/dev/null || true'
 Restart=always
 RestartSec=30
-SyslogIdentifier=matrix-jwt-service
+SyslogIdentifier=matrix-livekit-jwt-service
 
 [Install]
-WantedBy=multi-user.target
+WantedBy=multi-user.target

roles/custom/matrix-livekit-jwt-service/vars/main.yml

@@ -0,0 +1,3 @@
+---
+
+matrix_livekit_jwt_service_public_url: "{{ matrix_livekit_jwt_service_scheme }}://{{ matrix_livekit_jwt_service_hostname }}"

roles/custom/matrix-livekit-server/defaults/main.yml

@@ -12,7 +12,7 @@ livekit_server_gid: ''
 livekit_server_base_path: "/{{ livekit_server_identifier }}"
 livekit_server_config_path: "{{ livekit_server_base_path }}/config"
 
-# renovate: datasource=docker depName=livekit/livekit-server
+# renovate: datasource=docker depName=docker.io/livekit/livekit-server
 livekit_server_version: v1.8.0
 
 livekit_server_scheme: https
@@ -73,11 +73,11 @@ livekit_server_container_labels_traefik_additional_response_headers_auto: |
   }}
 livekit_server_container_labels_traefik_additional_response_headers_custom: {}
 
-# matrix_client_element_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
+# livekit_server_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
 # See `../templates/labels.j2` for details.
 #
 # Example:
-# matrix_client_element_container_labels_additional_labels: |
+# livekit_server_container_labels_additional_labels: |
 #   my.label=1
 #   another.label="here"
 livekit_server_container_labels_additional_labels: ''
@@ -88,8 +88,11 @@ livekit_server_container_extra_arguments: []
 # Additional environment variables for the container
 livekit_server_environment_variables_additional: {}
 
-# List of systemd services that matrix-element-call.service depends on
-livekit_server_systemd_required_services_list: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
+# List of systemd services that LiveKit Server service depends on
+livekit_server_systemd_required_services_list: "{{ livekit_server_systemd_required_services_list_default + livekit_server_systemd_required_services_list_auto + livekit_server_systemd_required_services_list_custom }}"
+livekit_server_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
+livekit_server_systemd_required_services_list_auto: []
+livekit_server_systemd_required_services_list_custom: []
 
 # Specifies the value of the `X-XSS-Protection` header
 # Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.

roles/custom/matrix-livekit-server/tasks/install.yml

@@ -32,11 +32,43 @@
 - name: Ensure LiveKit Server container image is pulled
   community.docker.docker_image:
     name: "{{ livekit_server_container_image }}"
-    source: pull
-  register: livekit_image_result
+    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    force_source: "{{ livekit_server_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else livekit_server_container_image_force_pull }}"
+  when: "not livekit_server_container_image_self_build | bool"
+  register: result
   retries: "{{ devture_playbook_help_container_retries_count }}"
   delay: "{{ devture_playbook_help_container_retries_delay }}"
-  until: livekit_image_result is not failed
+  until: result is not failed
+
+- when: "livekit_server_container_image_self_build | bool"
+  block:
+    - name: Ensure LiveKit Server repository is present on self-build
+      ansible.builtin.git:
+        repo: "{{ livekit_server_container_repo }}"
+        version: "{{ livekit_server_container_repo_version }}"
+        dest: "{{ livekit_server_container_src_files_path }}"
+        force: "yes"
+      become: true
+      become_user: "{{ matrix_user_username }}"
+      register: livekit_server_git_pull_results
+
+    - name: Ensure LiveKit Server container image is built
+      community.docker.docker_image:
+        name: "{{ livekit_server_container_image }}"
+        source: build
+        force_source: "{{ livekit_server_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+        force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else livekit_server_git_pull_results.changed }}"
+        build:
+          dockerfile: Dockerfile
+          path: "{{ livekit_server_container_src_files_path }}"
+          pull: true
+
+- name: Ensure LiveKit Server container network is created
+  community.general.docker_network:
+    enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}"
+    name: "{{ livekit_server_container_network }}"
+    driver: bridge
 
 - name: Ensure LiveKit Server systemd service is installed
   ansible.builtin.template:

roles/custom/matrix-livekit-server/templates/labels.j2

@@ -1,43 +1,47 @@
 {% if livekit_server_container_labels_traefik_enabled %}
 traefik.enable=true
 
-# Network configuration for Traefik
 {% if livekit_server_container_labels_traefik_docker_network %}
 traefik.docker.network={{ livekit_server_container_labels_traefik_docker_network }}
 {% endif %}
 
-traefik.http.services.matrix-livekit-server.loadbalancer.server.port={{ livekit_server_config_port }}
+traefik.http.services.{{ livekit_server_identifier }}.loadbalancer.server.port={{ livekit_server_config_port }}
 
 {% set middlewares = [] %}
 
 {% if livekit_server_container_labels_traefik_path_prefix != '/' %}
-traefik.http.middlewares.matrix-livekit-server-slashless-redirect.redirectregex.regex=({{ livekit_server_container_labels_traefik_path_prefix | quote }})$
-traefik.http.middlewares.matrix-livekit-server-slashless-redirect.redirectregex.replacement=${1}/
-{% set middlewares = middlewares + ['matrix-livekit-server-slashless-redirect'] %}
+traefik.http.middlewares.{{ livekit_server_identifier }}-slashless-redirect.redirectregex.regex=({{ livekit_server_container_labels_traefik_path_prefix | quote }})$
+traefik.http.middlewares.{{ livekit_server_identifier }}-slashless-redirect.redirectregex.replacement=${1}/
+{% set middlewares = middlewares + [livekit_server_identifier + '-server-slashless-redirect'] %}
 
-traefik.http.middlewares.matrix-livekit-server-strip-prefix.stripprefix.prefixes={{ livekit_server_container_labels_traefik_path_prefix }}
-{% set middlewares = middlewares + ['matrix-livekit-server-strip-prefix'] %}
+traefik.http.middlewares.{{ livekit_server_identifier }}-strip-prefix.stripprefix.prefixes={{ livekit_server_container_labels_traefik_path_prefix }}
+{% set middlewares = middlewares + [livekit_server_identifier + '-strip-prefix'] %}
 {% endif %}
 
 {% if livekit_server_container_labels_traefik_additional_response_headers.keys() | length > 0 %}
 {% for name, value in livekit_server_container_labels_traefik_additional_response_headers.items() %}
-traefik.http.middlewares.matrix-livekit-server-add-headers.headers.customresponseheaders.{{ name }}={{ value }}
+traefik.http.middlewares.{{ livekit_server_identifier }}-add-headers.headers.customresponseheaders.{{ name }}={{ value }}
 {% endfor %}
-{% set middlewares = middlewares + ['matrix-livekit-server-add-headers'] %}
+{% set middlewares = middlewares + [livekit_server_identifier + '-add-headers'] %}
 {% endif %}
 
-traefik.http.routers.matrix-livekit-server.rule={{ livekit_server_container_labels_traefik_rule }}
+traefik.http.routers.{{ livekit_server_identifier }}.rule={{ livekit_server_container_labels_traefik_rule }}
+
 {% if livekit_server_container_labels_traefik_priority | int > 0 %}
-traefik.http.routers.matrix-livekit-server.priority={{ livekit_server_container_labels_traefik_priority }}
+traefik.http.routers.{{ livekit_server_identifier }}.priority={{ livekit_server_container_labels_traefik_priority }}
 {% endif %}
-traefik.http.routers.matrix-livekit-server.service=matrix-livekit-server
+
+traefik.http.routers.{{ livekit_server_identifier }}.service={{ livekit_server_identifier }}
+
 {% if middlewares | length > 0 %}
-traefik.http.routers.matrix-livekit-server.middlewares={{ middlewares | join(',') }}
+traefik.http.routers.{{ livekit_server_identifier }}.middlewares={{ middlewares | join(',') }}
 {% endif %}
-traefik.http.routers.matrix-livekit-server.entrypoints={{ livekit_server_container_labels_traefik_entrypoints }}
-traefik.http.routers.matrix-livekit-server.tls={{ livekit_server_container_labels_traefik_tls | to_json }}
+
+traefik.http.routers.{{ livekit_server_identifier }}.entrypoints={{ livekit_server_container_labels_traefik_entrypoints }}
+
+traefik.http.routers.{{ livekit_server_identifier }}.tls={{ livekit_server_container_labels_traefik_tls | to_json }}
 {% if livekit_server_container_labels_traefik_tls %}
-traefik.http.routers.matrix-livekit-server.tls.certResolver={{ livekit_server_container_labels_traefik_tls_certResolver }}
+traefik.http.routers.{{ livekit_server_identifier }}.tls.certResolver={{ livekit_server_container_labels_traefik_tls_certResolver }}
 {% endif %}
 
 {% endif %}

roles/custom/matrix-livekit-server/templates/systemd/livekit-server.service.j2

@@ -1,8 +1,10 @@
 #jinja2: lstrip_blocks: "True"
 [Unit]
 Description=LiveKit Server
-After=docker.service
-Requires=docker.service
+{% for service in livekit_server_systemd_required_services_list %}
+After={{ service }}
+Requires={{ service }}
+{% endfor %}
 
 [Service]
 Type=simple

roles/custom/matrix-livekit-server/vars/main.yml

@@ -1 +1,3 @@
 livekit_server_public_url: "{{ livekit_server_scheme }}://{{ livekit_server_hostname }}{{ livekit_server_path_prefix }}"
+
+livekit_server_websocket_container_url: "ws://{{ livekit_server_identifier }}:{{ livekit_server_config_port}}"

setup.yml

@@ -49,6 +49,8 @@
 
     - galaxy/redis
     - galaxy/keydb
+    - galaxy/valkey
+
     - role: custom/matrix-authentication-service
     - custom/matrix-corporal
     - custom/matrix-appservice-draupnir-for-all
@@ -133,7 +135,7 @@
     - custom/matrix-pantalaimon
     - custom/matrix-element-call
     - custom/matrix-livekit-server
-    - custom/matrix-jwt-service
+    - custom/matrix-livekit-jwt-service
 
     - role: galaxy/postgres_backup