spantaleev / matrix-docker-ansible-deploy

🐳 Matrix (An open network for secure, decentralized communication) server setup using Ansible and Docker
GNU Affero General Public License v3.0

After Install can't join Rooms #1341

Closed corincorvus closed 2 years ago

corincorvus commented 2 years ago

Hi,

I installed Ansible now with this vars.yml:

matrix_domain: domain.one
matrix_ssl_lets_encrypt_support_email: 'masked'
matrix_synapse_macaroon_secret_key: 'masked'
matrix_postgres_connection_password: 'masked'

matrix_synapse_enable_registration: true
matrix_synapse_federation_enabled: true
matrix_synapse_federation_domain_whitelist:
matrix_synapse_allow_public_rooms_over_federation: true

matrix_synapse_autocreate_auto_join_rooms: true
matrix_synapse_auto_join_rooms:
- '#masked'
- '#masked'

# Nginx
matrix_ssl_retrieval_method: none
matrix_nginx_proxy_https_enabled: false
matrix_nginx_proxy_container_http_host_bind_port: '0.0.0.0:81'
matrix_nginx_proxy_container_federation_host_bind_port: '0.0.0.0:8449'
matrix_nginx_proxy_trust_forwarded_proto: true

# Coturn
matrix_coturn_enabled: false
matrix_synapse_turn_shared_secret: "masked"
matrix_synapse_turn_uris:
masked

# Ldap
matrix_synapse_ext_password_provider_ldap_enabled: true
matrix_synapse_ext_password_provider_ldap_uri: masked
matrix_synapse_ext_password_provider_ldap_start_tls: false
matrix_synapse_ext_password_provider_ldap_base: masked
matrix_synapse_ext_password_provider_ldap_attributes_uid: "uid"
matrix_synapse_ext_password_provider_ldap_attributes_mail: "mailPrimaryAddress"
matrix_synapse_ext_password_provider_ldap_attributes_name: "displayname"
matrix_synapse_ext_password_provider_ldap_bind_dn: masked
matrix_synapse_ext_password_provider_ldap_bind_password: "masked"
matrix_synapse_ext_password_provider_ldap_filter: masked

# Registration
matrix_registration_enabled: true
matrix_registration_admin_secret: "masked"

# Adminweb
matrix_synapse_admin_enabled: true

# Signal
matrix_mautrix_signal_enabled: true
matrix_mautrix_signal_relaybot_enabled: true

# Discord
matrix_appservice_discord_enabled: true
matrix_appservice_discord_client_id: "masked"
matrix_appservice_discord_bot_token: "masked"

# Steam
matrix_mx_puppet_steam_enabled: true

# Instagram
matrix_mautrix_instagram_enabled: true

Everything is integrated except the Nginx proxy:

upstream matrix {
    server masked:81;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name matrix.masked;

    ssl on;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_certificate           masked;
    ssl_certificate_key       masked;
    location / {
        proxy_pass http://matrix;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
        client_max_body_size 4096M;

        access_log            /var/log/nginx/matrix-access.log adv;
        error_log             /var/log/nginx/matrix-error.log notice;
    }
}

server {
    listen 8448 ssl http2 default_server;
    listen [::]:8448 ssl http2 default_server;
    server_name matrix.masked;

    ssl on;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_certificate           masked;
    ssl_certificate_key       masked;
    location / {
        proxy_pass http://masked:8449;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
        client_max_body_size 4096M;

        access_log            /var/log/nginx/matrixfed-access.log adv;
        error_log             /var/log/nginx/matrixfed-error.log notice;
    }
}

My problem is that I can't join external rooms like #matrix-docker-ansible-deploy:devture.com. And why are my internal addresses "channelname:domain.one" and not "channel:matrix.domain.one"? It's confusing.

aaronraimist commented 2 years ago

What does the self check say? https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/maintenance-checking-services.md

What does the federation tester say? https://federationtester.matrix.org/

And why are my internal addresses "channelname:domain.one" and not "channel:matrix.domain.one"? It's confusing.

@corincorvus, if you host your own email, are your email addresses like user@email.domain.one? No, they generally are not.

corincorvus commented 2 years ago

Self Check:

TASK [matrix-synapse : Check Matrix Client API] ***
fatal: [matrix.domain.one]: FAILED! => changed=false
  elapsed: 0
  msg: 'Status code was -1 and not [200]: Request failed: <urlopen error [Errno 111] Verbindungsaufbau abgelehnt>'
  redirected: false
  status: -1
  url: https://matrix.domain.one/_matrix/client/versions
...ignoring

TASK [matrix-synapse : Fail if Matrix Client API not working] *****
fatal: [matrix.domain.one]: FAILED! => changed=false
  msg: 'Failed checking Matrix Client API is up at matrix.domain.one (checked endpoint: https://matrix.domain.one/_matrix/client/versions). Is Synapse running? Is port 443 open in your firewall? Full error: {''redirected'': False, ''url'': ''https://matrix.domain.one/_matrix/client/versions'', ''status'': -1, ''elapsed'': 0, ''changed'': False, ''failed'': True, ''msg'': ''Status code was -1 and not [200]: Request failed: <urlopen error [Errno 111] Verbindungsaufbau abgelehnt>''}'

Fed Tester:

connect: connection refused
server name/.well-known result contains explicit port number: no SRV lookup done

SRV entries:

_matrix-identity._tcp | c-lab.one | SRV | 1 443 matrix.domain.one| 3600 | 10

_matrix._tcp | c-lab.one | SRV | 1 443 matrix.domain.one| 3600 | 10

It's only a little bit confusing. On my old Matrix server, all channels and addresses were with the subdomain.

aaronraimist commented 2 years ago

Self Check:

TASK [matrix-synapse : Check Matrix Client API] ***
fatal: [matrix.domain.one]: FAILED! => changed=false
  elapsed: 0
  msg: 'Status code was -1 and not [200]: Request failed: <urlopen error [Errno 111] Verbindungsaufbau abgelehnt>'
  redirected: false
  status: -1
  url: https://matrix.domain.one/_matrix/client/versions
...ignoring

If Synapse is running, which you can check with sudo systemctl status matrix-synapse, then this error means your nginx is not configured properly.

It's only a little bit confusing. On my old Matrix server, all channels and addresses were with the subdomain.

If you are trying to act as that old server then you need to uninstall and reinstall with matrix_domain set to the server_name of your previous server.

corincorvus commented 2 years ago

Synapse is online and I can connect inside and outside of my network.

Do you have a good configuration?

In https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook-own-webserver.md I didn't find an nginx config. The link "template files in the matrix-nginx-proxy role." goes to 404 not found.

If you are trying to act as that old server then you need to uninstall and reinstall with matrix_domain set to the server_name of your previous server.

If I do that, I have "matrix.matrix.domain.one" on Element web and address. I have much trouble with the server after doing that.

aaronraimist commented 2 years ago

Do you have a good configuration?

You can import the files that the playbook generates. See the line in that file starting with "You can most likely directly use the config files installed by this playbook..." https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook-own-webserver.md#using-your-own-external-nginx-webserver

https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1344 fixes the link

If i do that, i have "matrix.matrix.domain.one" on element web and address.

Right, which is why using a plain domain as the server name was the recommended practice, but you can't change the server name of the old server now.

I have much trouble with the server after do that.

As long as you are aware this is a completely new server with new users and rooms. Users from the old server will not be able to use this one until they register for a new account.

corincorvus commented 2 years ago

OK, I'm confused about the IP addresses and ports. They're so different in the configs.

Connect port is 81, Fed port is 8449 (like in your documentation).

matrix-domain.conf:

location ^~ /_matrix/identity { proxy_pass http://127.0.0.1:8090; - goes to ip:8449?

location ^~ /_matrix/client/r0/user_directory/search { proxy_pass http://127.0.0.1:8090; - goes to ip:81?

location ~ ^/synapse-admin/(.*) { proxy_pass http://127.0.0.1:8766/$1; - ip:8766?

location ~* ^(/_matrix|/_synapse/client|/_synapse/admin) { proxy_pass http://127.0.0.1:12080; - ip:81?

In all configs, 8090 -> 81 and 12088 -> 8449 in matrix-domain.conf?

In matrix-synapse.conf I don't know which ports I need.

listen 12080, proxy_pass 127.0.0.1:8008 - maybe 81? localhost:8048 ???


server {
    listen 12080;
    server_name matrix-nginx-proxy;

    server_tokens off;
    root /dev/null;

    gzip on;
    gzip_types text/plain application/json;

    location / {
        proxy_pass http://127.0.0.1:8008;

        proxy_set_header Host $host;

        client_body_buffer_size 25M;
        client_max_body_size 50M;
        proxy_max_temp_file_size 0;
    }
}

server {
    listen 12088;

    server_name matrix-nginx-proxy;
    server_tokens off;

    root /dev/null;

    gzip on;
    gzip_types text/plain application/json;

    location / {
        proxy_pass http://localhost:8048;

        proxy_set_header Host $host;

        client_body_buffer_size 25M;
        client_max_body_size 150M;
        proxy_max_temp_file_size 0;
    }
}

On the Element config:

location / {
        proxy_pass http://127.0.0.1:8765; - goes to ip:81?

corincorvus commented 2 years ago

Nobody?

corincorvus commented 2 years ago

Hi,

I am a little bit further along.

This weekend I had time to look through all configs, and I found some problems and solved them.

I added _matrix._tcp with 8448 (I forgot it) and I changed the 8448 port to my reverse proxy. Before I used Ansible, my own Matrix server had certificates on its server and I routed federation directly to my Matrix server.

In vars.yml I added:

matrix_well_known_matrix_server_enabled: false
matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate: /matrix/ssl/config/live/matrix.domain.one/fullchain.pem
matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key: /matrix/ssl/config/live/matrix.domain.one/privkey.pem

My nginx configuration at the top is the same, and I get a report in the Fed Tester:

It is possible that the MatchingServerName error below is caused by you entering the wrong URL in the federation tester, not because there is an actual issue with your federation. You should enter the server name into the Federation Tester, not the location where your server is. The server name is the public facing name of your server that appears at the end of usernames and room aliases.


DNS results

server name/.well-known result contains explicit port number: no SRV lookup done

Well-known test with link (addresses are the same): https://matrix.domain.one/.well-known/matrix/client

What do I have to add to my configuration to solve the last problem? The problem with joining rooms persists. The Matrix server self-test error persists, but everything is fine. Everyone can connect, everyone can write and send images and videos. I only can't add channel addresses.

aaronraimist commented 2 years ago

The _matrix._tcp SRV record is not normally used with matrix-docker-ansible-deploy. The recommended setup is to use .well-known delegation.

aaronraimist commented 2 years ago

Also make sure you are typing the base domain into the federation tester. Do not include the matrix subdomain.

corincorvus commented 2 years ago

How do I add .well-known in my reverse proxy settings? I tried the part in the delegation documentation, but it won't work. I remove _matrix._tcp.

If I only use my base domain I get this error: SRV record target matrix.domain.one. is a CNAME record, which is forbidden (as per RFC2782)

My server is behind a NAT and dynamic DNS. I can only use CNAME.

aaronraimist commented 2 years ago

You already said you can access https://matrix.domain.one/.well-known/matrix/client so it is probably already working. The .well-known for federation is at https://domain.one/.well-known/matrix/server.
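
As an added example (not code from this thread or from the playbook), here is the server-name discovery order the federation tester applies when it is given a name, with DNS and HTTPS replaced by in-memory stand-ins so it runs offline; the well-known document and the SRV record are constructed to mirror this thread. It shows why a .well-known/matrix/server answer with an explicit port skips the SRV lookup, what changes when that document returns 404, and which name the federation certificate has to cover in each case.

```python
import ipaddress
import json
from dataclasses import dataclass
from typing import Optional, Tuple

DEFAULT_PORT = 8448

@dataclass
class Target:
    host: str       # where the TCP connection is opened
    port: int
    tls_name: str   # name expected in TLS SNI / Host header, so the cert must cover it
    route: str      # which delegation step produced this target

def split_host_port(value: str) -> Tuple[str, Optional[int]]:
    """Split 'host', 'host:port' or '[v6]:port' into (host, port or None)."""
    value = value.strip()
    if value.startswith("["):
        host, _, rest = value[1:].partition("]")
        port = rest[1:] if rest.startswith(":") else ""
    elif value.count(":") == 1:
        host, _, port = value.partition(":")
    else:                       # bare hostname or bare IPv6 literal
        host, port = value, ""
    return host, (int(port) if port else None)

def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def _via_srv(name: str, lookup_srv, tls_name: str) -> Optional[Target]:
    # Spec v1.8+ checks _matrix-fed._tcp first, then the legacy _matrix._tcp record
    # used in the thread. RFC 2782 forbids a CNAME as the SRV target, which is the
    # error the tester reported above. lookup_srv(name) -> (target_host, port) or None.
    for label in ("_matrix-fed._tcp.", "_matrix._tcp."):
        rec = lookup_srv(label + name)
        if rec:
            return Target(rec[0], rec[1], tls_name, "SRV " + label + name)
    return None

def resolve(server_name: str, fetch_well_known, lookup_srv) -> Target:
    """fetch_well_known(host) -> body of https://host/.well-known/matrix/server or None."""
    host, port = split_host_port(server_name)
    if _is_ip(host):
        return Target(host, port or DEFAULT_PORT, host, "IP literal")
    if port is not None:
        return Target(host, port, host, "explicit port: no .well-known, no SRV lookup")
    body = fetch_well_known(host)
    dhost, dport = None, None
    if body:
        try:
            dhost, dport = split_host_port(str(json.loads(body)["m.server"]))
        except (ValueError, KeyError, TypeError):
            dhost = None                        # invalid document: fall through to SRV
    if dhost:
        if _is_ip(dhost):
            return Target(dhost, dport or DEFAULT_PORT, dhost, ".well-known -> IP literal")
        if dport is not None:
            return Target(dhost, dport, dhost, ".well-known with explicit port: no SRV lookup done")
        return _via_srv(dhost, lookup_srv, dhost) or Target(dhost, DEFAULT_PORT, dhost, ".well-known -> A/AAAA :8448")
    return _via_srv(host, lookup_srv, host) or Target(host, DEFAULT_PORT, host, "A/AAAA :8448")

# Constructed stand-ins modelled on the thread: the base domain delegates via
# .well-known to matrix.domain.one:8448, and an SRV record points at port 443.
WELL_KNOWN = {"domain.one": json.dumps({"m.server": "matrix.domain.one:8448"})}
SRV = {"_matrix._tcp.domain.one": ("matrix.domain.one", 443)}

def thread_scenarios() -> dict:
    """The three situations discussed in the thread, resolved the way the tester does."""
    return {
        "well-known present": resolve("domain.one", WELL_KNOWN.get, SRV.get),
        "well-known 404": resolve("domain.one", lambda h: None, SRV.get),
        "subdomain as server_name": resolve("matrix.domain.one", WELL_KNOWN.get, SRV.get),
    }
```

In the "well-known 404" case the tester falls back to the SRV record and expects the certificate on matrix.domain.one to be valid for domain.one, which is the certificate question that comes up later in the thread.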

corincorvus commented 2 years ago

Server address gives a 404 from nginx; client address works.

corincorvus commented 2 years ago

Now I removed _matrix._tcp and tested with the Fed Tester.

With the base domain in the Fed Tester I get the domain provider's server of my mails and not the IP address of my Matrix and other servers. I need to work with subdomains, because I can only use them with CNAME records to my dynamic DNS and home server. The base domain goes to the internet provider where I bought my domain and mail server.

You can see the last IP part. The internet provider is 11.

My external part is 206 (here tested with matrix.domain.one).

aaronraimist commented 2 years ago

So you do not control the base domain? domain.one

corincorvus commented 2 years ago

I can control my base domain. If I change it, I can't use the mail server. I need to use the mail server, because I don't have one. So I only have subdomains for my services.

aaronraimist commented 2 years ago

If you can run a basic web server on the base domain then this .well-known would work. You should be able to run a web server and a mail server on the same domain.

Otherwise if you can't run a web server on the base domain:

corincorvus commented 2 years ago

I can't. I need to work with a subdomain. This is the reason why I ask this:

If I do that, I have "matrix.matrix.domain.one" on Element web and address.

Right, which is why using a plain domain as the server name was the recommended practice, but you can't change the server name of the old server now.

I can't change the server_name after configuration and users are using the server.... or can I migrate this? I won't start again from zero after a month of bringing Ansible Matrix to work with bridges and other things...

Certificate: how do I get this? I never heard about it.

aaronraimist commented 2 years ago

I can't change the server_name after configuration and users are using the server.... or can I migrate this?

Correct, you cannot change it once it is set. You would have to delete Synapse's database and start over. You can keep your vars.yml configuration file though, with all of your bridge configuration. The only thing you need to change in there is the matrix_domain at the top.

Certificate: how do I get this? I never heard about it.

I don't know much about it but it should be a method of getting a certificate that will work with the SRV record. https://duckduckgo.com/?t=ffab&q=certbot+DNS-01&ia=web

corincorvus commented 2 years ago

Yeah, but I need to create all spaces and channels again. I have huge communities in my Matrix (before, multiple Rocket.Chat servers) and I have to create 20 spaces with ~30 channels. It's very much work and time. I started 2 times already and now in the worst case I must start over again.....

How can I solve the problem with matrix.matrix.domain.one if I restart it?

corincorvus commented 2 years ago

Please add this part for "only subdomain admins" in the documentation. It can be annoying and frustrating if you start with this playbook and, after you configure all of this, this step will kick your server.

aaronraimist commented 2 years ago

Yes it is annoying to restart so you should try to get the DNS-01 challenge working. That is your best option at this point.

corincorvus commented 2 years ago

OK, I will check it.

In the worst case, how can I solve the problem with "double matrix.matrix.domain.tld" if I start over?

aaronraimist commented 2 years ago

I mean that's not really a problem. The user is never really going to see matrix.matrix.domain.tld. If it is a problem for you then you would need to configure your own web server to handle that differently.

corincorvus commented 2 years ago

The Element web client shows matrix.matrix.domain.tld and I couldn't establish a connection to my server. I got this problem on my first installation with the playbook. Many users use the web client, so it's a problem.

aaronraimist commented 2 years ago

That just means you didn't configure nginx correctly. There's no functional difference between one subdomain and two subdomains.

corincorvus commented 2 years ago

It was the same configuration as in my first post. The Element web client doesn't work in this case and shows matrix.matrix.domain.tld: "It's not a correct Matrix server URL".

The desktop and mobile Element and the Element.io web client work if you use matrix.domain.tld.

upstream matrix {
    server masked:81;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name matrix.masked;

    ssl on;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_certificate           masked;
    ssl_certificate_key       masked;
    location / {
        proxy_pass http://matrix;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
        client_max_body_size 4096M;

        access_log            /var/log/nginx/matrix-access.log adv;
        error_log             /var/log/nginx/matrix-error.log notice;
    }
}

server {
    listen 8448 ssl http2 default_server;
    listen [::]:8448 ssl http2 default_server;
    server_name matrix.masked;

    ssl on;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_certificate           masked;
    ssl_certificate_key       masked;
    location / {
        proxy_pass http://masked:8449;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
        client_max_body_size 4096M;

        access_log            /var/log/nginx/matrixfed-access.log adv;
        error_log             /var/log/nginx/matrixfed-error.log notice;
    }
}

aaronraimist commented 2 years ago

It's not going to work right now because your server is not setup for that. Right now matrix_domain is set to the base domain so matrix.domain will exist but matrix.matrix.domain won't exist. It only would in the future if you reinstalled and set matrix_domain: matrix.domain

corincorvus commented 2 years ago

It won't work with the DNS-01 challenge, or I'm doing something wrong... so I'll restart Saturday night...

The Element web client didn't work while my domain_name was matrix.domain.tld and not the base domain.

I will screenshot the problem on Sunday, I think.

corincorvus commented 2 years ago

Hi,

Today I changed my server and started over with server_name in vars.yml set to subdomain.domain.tld. Deleted the Postgres DB and made a new start.

The problems persist. The certificate is the cert for this subdomain.

Here is my vars.yml. Maybe I did something wrong?

I can only use the subdomain (for your information).

Login and using the server itself work fine.


matrix_domain: matrix.domain.tld
matrix_ssl_lets_encrypt_support_email: 'masked'
matrix_synapse_macaroon_secret_key: 'masked'
matrix_postgres_connection_password: 'masked'

matrix_synapse_enable_registration: true
matrix_synapse_federation_enabled: true
matrix_synapse_federation_domain_whitelist:
matrix_synapse_allow_public_rooms_over_federation: true
matrix_synapse_max_upload_size_mb: 1024

matrix_synapse_autocreate_auto_join_rooms: true
matrix_synapse_auto_join_rooms:
- '#ankuendigungen:domain.tld'
- '#spaces:domain.tld'

# Nginx
matrix_ssl_retrieval_method: none
matrix_well_known_matrix_server_enabled: false
matrix_nginx_proxy_https_enabled: false
matrix_nginx_proxy_container_http_host_bind_port: '0.0.0.0:81'
matrix_nginx_proxy_container_federation_host_bind_port: '0.0.0.0:8449'
matrix_nginx_proxy_trust_forwarded_proto: true
matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate: /matrix/ssl/config/live/matrix.domain.tld/fullchain.pem
matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key: /matrix/ssl/config/live/matrix.domain.tld/privkey.pem

# Coturn
matrix_coturn_enabled: false
matrix_synapse_turn_shared_secret: "masked"
matrix_synapse_turn_uris:
- turns:turn.domain.tld?transport=udp
- turns:turn.domain.tld?transport=tcp
- turn:turn.domain.tld?transport=udp
- turn:turn.domain.tld?transport=tcp

# Ldap
matrix_synapse_ext_password_provider_ldap_enabled: true
matrix_synapse_ext_password_provider_ldap_uri: "masked"
matrix_synapse_ext_password_provider_ldap_start_tls: false
matrix_synapse_ext_password_provider_ldap_base: "masked"
matrix_synapse_ext_password_provider_ldap_attributes_uid: "uid"
matrix_synapse_ext_password_provider_ldap_attributes_mail: "mailPrimaryAddress"
matrix_synapse_ext_password_provider_ldap_attributes_name: "displayname"
matrix_synapse_ext_password_provider_ldap_bind_dn: "masked"
matrix_synapse_ext_password_provider_ldap_bind_password: "masked"
matrix_synapse_ext_password_provider_ldap_filter: "(|(masked))"

# Registration
matrix_registration_enabled: false
matrix_registration_admin_secret: "masked"

# Adminweb
matrix_synapse_admin_enabled: true

# Signal
matrix_mautrix_signal_enabled: true
matrix_mautrix_signal_relaybot_enabled: true

permissions:
  '*': relay
  YOUR_DOMAIN: user

# Discord
matrix_appservice_discord_enabled: true
matrix_appservice_discord_client_id: "masked"
matrix_appservice_discord_bot_token: "masked"

# Steam
matrix_mx_puppet_steam_enabled: true

# Instagram
matrix_mautrix_instagram_enabled: true


corincorvus commented 2 years ago

OK. Now I solved this problem and have another problem.

If I write my subdomain.domain.tld it says: it's no Matrix homeserver URL.

If I check /matrix/synapse/config/homeserver.yaml, all URLs and cert files have matrix.matrix (public_baseurl too). If I try the homeserver URL matrix.matrix.domain.tld, it doesn't work.

How can I solve this problem?

corincorvus commented 2 years ago

I read some code and found the main.yml of matrix-base.

I changed this:

# Example value: example.com
matrix_domain: ~
matrix_xy_basedn: domain.tld

# This is where your data lives and what we set up.
# This and the Element FQN (see below) are expected to be on the same server.
matrix_server_fqn_matrix: "{{ matrix_domain }}"

# This is where you access federation API.
matrix_server_fqn_matrix_federation: '{{ matrix_server_fqn_matrix }}'

# This is where you access the Element web UI from (if enabled via matrix_client_element_enabled; enabled by default).
# This and the Matrix FQN (see above) are expected to be on the same server.
matrix_server_fqn_element: "element.{{ matrix_xy_basedn }}"

# This is where you access the Hydrogen web client from (if enabled via matrix_client_hydrogen_enabled; disabled by default).
matrix_server_fqn_hydrogen: "hydrogen.{{ matrix_xy_basedn }}"

# This is where you access the Dimension.
matrix_server_fqn_dimension: "dimension.{{ matrix_xy_basedn }}"

# For use with Go-NEB! (github callback url for example)
matrix_server_fqn_bot_go_neb: "goneb.{{ matrix_xy_basedn }}"

# This is where you access Jitsi.
matrix_server_fqn_jitsi: "jitsi.{{ matrix_xy_basedn }}"

# This is where you access Grafana.
matrix_server_fqn_grafana: "stats.{{ matrix_xy_basedn }}"

# This is where you access the Sygnal push gateway.
matrix_server_fqn_sygnal: "sygnal.{{ matrix_xy_basedn }}"

and it works. I have federation, I joined the playbook Matrix channel and the Matrix server is usable.

Maybe this can be added for subdomain users without base domain control, like me on 24 locations/domains for communities and societies.

juergen852 commented 1 year ago

@corincorvus I have the same problem. Did you edit /matrix-docker-ansible-deploy/roles/custom/matrix-base/defaults/main.yml ?

Why did you close the issue? Should "subdomains / not pure server.tld web access" not be possible as an option with the script?

juergen852 commented 1 year ago

With the standard install, I get the same image from FedTester as corincorvus: .well-known seems to work, but FedTest shows an error.

https://matrix.domainname.at/.well-known/matrix/client gives: { "im.vector.riot.e2ee": { "default": true }, "io.element.e2ee": { "default": true, "secure_backup_required": false, "secure_backup_setup_methods": [] }, "m.homeserver": { "base_url": "https://matrix.domainname.at" } }

https://matrix.domainname.at/.well-known/matrix/server: { "m.server": "matrix.domainname.at:8448" }

aaronraimist commented 1 year ago

@juergen852 I would suggest you ask in #matrix-docker-ansible-deploy:devture.com or open a new issue.

Did you edit /matrix-docker-ansible-deploy/roles/custom/matrix-base/defaults/main.yml ?

You should not edit anything inside the roles folder.

corincorvus commented 1 year ago

@corincorvus I have the same problem. Did you edit /matrix-docker-ansible-deploy/roles/custom/matrix-base/defaults/main.yml ?

Why did you close the issue? Should "subdomains / not pure server.tld web access" not be possible as an option with the script?

You can already use "Subdomain Setup" https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-dns.md

You don't need to change any main.yml. You can edit the vars.yml like this:

matrix_domain: matrix.domain.tld
matrix_server_fqn_matrix: "matrix.domain.tld"
matrix_server_fqn_element: "element.domain.tld"
matrix_server_fqn_dimension: "dimension.domain.tld"
matrix_server_fqn_jitsi: "jitsi.domain.tld"
matrix_server_fqn_hydrogen: "hydrogen.domain.tld"
matrix_server_fqn_bot_go_neb: "goneb.domain.tld"
matrix_server_fqn_grafana: "stats.domain.tld"
matrix_server_fqn_sygnal: "sygnal.domain.tld"

juergen852 commented 1 year ago

Install is on fresh Ubuntu 22.04 cloud VPS at Hetzner and I've set the DNS and all CNAMEs and even Reverse DNS. Nothing else installed, just matrix.

Modified Files:

After setting the following definitions at the END of /matrix-docker-ansible-deploy/inventory/hostvars/matrix.domain1.at/vars.yml (because the original script changes ntfy to ntfy.matrix.domain1.at; put it after "matrix_server_fqn_ntfy: "ntfy.{{ matrix_domain }}"" at around line 95, and neither Let's Encrypt nor clients would accept it), it finally worked!!

matrix_domain: matrix.domain.tld
matrix_server_fqn_matrix: "matrix.domain.tld"
matrix_server_fqn_element: "element.domain.tld"
matrix_server_fqn_dimension: "dimension.domain.tld"
matrix_server_fqn_jitsi: "jitsi.domain.tld"
matrix_server_fqn_hydrogen: "hydrogen.domain.tld"
matrix_server_fqn_bot_go_neb: "goneb.domain.tld"
matrix_server_fqn_grafana: "stats.domain.tld"
matrix_server_fqn_sygnal: "sygnal.domain.tld"
matrix_server_fqn_ntfy: "ntfy.domain.tld"

Big thanks @corincorvus and @aaronraimist