add initial mas setup

.env.sample

@@ -19,6 +19,71 @@ SECRET_FORM_SECRET_VERSION=v1
 SECRET_MACAROON_VERSION=v1
 SECRET_REGISTRATION_VERSION=v1
 
+## Authentication
+
+# All login / SSO / MAS-related toggles in one place.
+
+### Local password & registration (Synapse native)
+
+# With MAS_ENABLED=1 you must set PASSWORD_LOGIN_ENABLED=false — Synapse forbids legacy password DB alongside matrix_authentication_service.
+PASSWORD_LOGIN_ENABLED=true
+ENABLE_REGISTRATION=false
+
+# Token based registration. Enable ADMIN_INTERFACE (below) to use the admin interface to generate tokens.
+#REGISTRATION_REQUIRES_TOKEN=true
+
+### OIDC via Keycloak-shaped API (e.g. Authentik)
+
+#COMPOSE_FILE="$COMPOSE_FILE:compose.keycloak.yml"
+#KEYCLOAK_ENABLED=1
+#KEYCLOAK_ID=keycloak
+#KEYCLOAK_NAME=
+#KEYCLOAK_URL=
+#KEYCLOAK_CLIENT_ID=
+#KEYCLOAK_CLIENT_DOMAIN=
+#KEYCLOAK_ALLOW_EXISTING_USERS=false
+#SECRET_KEYCLOAK_CLIENT_SECRET_VERSION=v1
+
+### Second OIDC provider (compose.keycloak2.yml)
+
+#COMPOSE_FILE="$COMPOSE_FILE:compose.keycloak2.yml"
+#KEYCLOAK2_ENABLED=1
+#KEYCLOAK2_ID=keycloak2
+#KEYCLOAK2_NAME=
+#KEYCLOAK2_URL=
+#KEYCLOAK2_CLIENT_ID=
+#KEYCLOAK2_CLIENT_DOMAIN=
+#KEYCLOAK2_ALLOW_EXISTING_USERS=false
+#SECRET_KEYCLOAK2_CLIENT_SECRET_VERSION=v1
+
+### Third OIDC provider (compose.keycloak3.yml)
+
+#COMPOSE_FILE="$COMPOSE_FILE:compose.keycloak3.yml"
+#KEYCLOAK3_ENABLED=1
+#KEYCLOAK3_ID=keycloak3
+#KEYCLOAK3_NAME=
+#KEYCLOAK3_URL=
+#KEYCLOAK3_CLIENT_ID=
+#KEYCLOAK3_CLIENT_DOMAIN=
+#KEYCLOAK3_ALLOW_EXISTING_USERS=false
+#SECRET_KEYCLOAK3_CLIENT_SECRET_VERSION=v1
+
+### Matrix Authentication Service (MAS) — Element X / OIDC-native auth
+
+#COMPOSE_FILE="$COMPOSE_FILE:compose.mas.yml"
+#MAS_ENABLED=1
+#PASSWORD_LOGIN_ENABLED=false
+#SECRET_MAS_ENCRYPTION_VERSION=v1 # length=64 # charset=hex
+#SECRET_MAS_SYNAPSE_SHARED_VERSION=v1 # length=64 # charset=hex
+# PEM private key: abra cannot generate this format — insert only (e.g. openssl genrsa 2048 | abra app secret insert …)
+#SECRET_MAS_SIGNING_RSA_VERSION=v1 # generate=false
+
+### Shared secret auth (bridges / automation)
+
+#COMPOSE_FILE="$COMPOSE_FILE:compose.shared_secret_auth.yml"
+#SHARED_SECRET_AUTH_ENABLED=1
+#SECRET_SHARED_SECRET_AUTH_VERSION=v1 # length=128
+
 ## Federation
 
 #DISABLE_FEDERATION=1
@@ -28,14 +93,6 @@ SERVE_SERVER_WELLKNOWN=false
 
 ALLOW_PUBLIC_ROOMS_FEDERATION=false
 
-## Registration
-
-ENABLE_REGISTRATION=false
-PASSWORD_LOGIN_ENABLED=true
-
-# Token based registration. Enable ADMIN_INTERFACE (below) to use the admin interface to generate tokens.
-#REGISTRATION_REQUIRES_TOKEN=true
-
 ## Room auto-join
 
 #AUTO_JOIN_ROOM_ENABLED=1
@@ -98,30 +155,8 @@ RETENTION_MAX_LIFETIME=4w
 #LOGIN_LIMIT_ACCOUNT_PER_SECOND=1
 #LOGIN_LIMIT_ACCOUNT_BURST=10
 
-## Keycloak SSO
-
-#COMPOSE_FILE="$COMPOSE_FILE:compose.keycloak.yml"
-#KEYCLOAK_ENABLED=1
-#KEYCLOAK_ID=keycloak
-#KEYCLOAK_NAME=
-#KEYCLOAK_URL=
-#KEYCLOAK_CLIENT_ID=
-#KEYCLOAK_CLIENT_DOMAIN=
-#KEYCLOAK_ALLOW_EXISTING_USERS=false
-#SECRET_KEYCLOAK_CLIENT_SECRET_VERSION=v1
-
 ## TURN
 
-#COMPOSE_FILE="$COMPOSE_FILE:compose.keycloak3.yml"
-#KEYCLOAK3_ENABLED=1
-#KEYCLOAK3_ID=keycloak3
-#KEYCLOAK3_NAME=
-#KEYCLOAK3_URL=
-#KEYCLOAK3_CLIENT_ID=
-#KEYCLOAK3_CLIENT_DOMAIN=
-#KEYCLOAK3_ALLOW_EXISTING_USERS=false
-#SECRET_KEYCLOAK3_CLIENT_SECRET_VERSION=v1
-
 #COMPOSE_FILE="$COMPOSE_FILE:compose.turn.yml"
 #TURN_ENABLED=1
 #TURN_URIS="[\"turns:coturn.foo.zone?transport=udp\", \"turns:coturn.foo.zone?transport=tcp\"]"
@@ -189,12 +224,6 @@ RETENTION_MAX_LIFETIME=4w
 #SECRET_SIGNAL_HS_TOKEN_VERSION=v1
 #SECRET_SIGNAL_PICKLE_KEY_VERSION=v1
 
-## Shared auth
-
-#COMPOSE_FILE="$COMPOSE_FILE:compose.shared_secret_auth.yml"
-#SHARED_SECRET_AUTH_ENABLED=1
-#SECRET_SHARED_SECRET_AUTH_VERSION=v1 # length=128
-
 ## Web Client (Redirect)
 #WEB_CLIENT_LOCATION=https://element-web.example.com