matrix-tuwunel: add Tuwunel homeserver role (#5200)

Tuwunel is a Matrix homeserver maintained by the matrix-construct
organisation. See https://matrix-construct.github.io/tuwunel/.

The rendered TOML emits only keys exposed as Ansible variables; the
rest fall back to tuwunel's upstream defaults. Anything not surfaced
can be set via the TUWUNEL_* env extension or by overriding the
template path.

Popular features Tuwunel adds variables for:

- OAuth2/OIDC identity providers (a list of `[[global.identity_provider]]`
  blocks; brand-aware defaults for Google, GitHub, Keycloak, MAS, etc)
- LDAP and JWT authentication
- Media storage providers (native local and S3 with multipart upload)
- RocksDB tuning (compression, direct_io, parallelism, online backups)
- Native TLS dual-protocol mode
- Blurhashing, Sentry crash reporting

Auto-wired from existing playbook globals: well-known client URL,
TURN/coturn, MatrixRTC LiveKit URL, federation.

The `tuwunel-migrate-from-conduwuit` tag performs a binary-swap
migration. Migration from any other Conduit derivative is unsupported
and would corrupt the database.

Signed-off-by: Jason Volk <jason@zemos.net>

roles/custom/matrix-tuwunel/tasks/install.yml

@@ -0,0 +1,76 @@
+# SPDX-FileCopyrightText: 2026 MDAD project contributors
+# SPDX-FileCopyrightText: 2026 Slavi Pantaleev
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+---
+
+- name: Ensure tuwunel config path exists
+  ansible.builtin.file:
+    path: "{{ matrix_tuwunel_config_path }}"
+    state: directory
+    mode: '0750'
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
+
+- name: Ensure tuwunel data path exists
+  ansible.builtin.file:
+    path: "{{ matrix_tuwunel_data_path }}"
+    state: directory
+    mode: '0770'
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
+
+- name: Ensure tuwunel configuration installed
+  ansible.builtin.template:
+    src: "{{ matrix_tuwunel_template_tuwunel_config }}"
+    dest: "{{ matrix_tuwunel_config_path }}/tuwunel.toml"
+    mode: '0644'
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
+  register: matrix_tuwunel_config_result
+
+- name: Ensure tuwunel support files installed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/{{ item }}.j2"
+    dest: "{{ matrix_tuwunel_base_path }}/{{ item }}"
+    mode: '0640'
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
+  with_items:
+    - labels
+    - env
+  register: matrix_tuwunel_support_files_result
+
+- name: Ensure tuwunel container network is created
+  community.general.docker_network:
+    enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}"
+    name: "{{ matrix_tuwunel_container_network }}"
+    driver: bridge
+    driver_options: "{{ devture_systemd_docker_base_container_networks_driver_options }}"
+
+- name: Ensure tuwunel container image is pulled
+  community.docker.docker_image_pull:
+    name: "{{ matrix_tuwunel_container_image }}"
+    pull: always
+  register: matrix_tuwunel_container_image_pull_result
+  retries: "{{ devture_playbook_help_container_retries_count }}"
+  delay: "{{ devture_playbook_help_container_retries_delay }}"
+  until: matrix_tuwunel_container_image_pull_result is not failed
+
+- name: Ensure matrix-tuwunel.service installed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/systemd/matrix-tuwunel.service.j2"
+    dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-tuwunel.service"
+    mode: '0644'
+  register: matrix_tuwunel_systemd_service_result
+
+- name: Determine whether tuwunel needs a restart
+  ansible.builtin.set_fact:
+    matrix_tuwunel_restart_necessary: >-
+      {{
+        matrix_tuwunel_config_result.changed | default(false)
+        or matrix_tuwunel_support_files_result.changed | default(false)
+        or matrix_tuwunel_systemd_service_result.changed | default(false)
+        or matrix_tuwunel_container_image_pull_result.changed | default(false)
+      }}