diff --git a/abra.sh b/abra.sh index 28ee3eb..ff5b189 100644 --- a/abra.sh +++ b/abra.sh @@ -19,6 +19,45 @@ ensure_mas_database () { fi } +# Local helper: fetch homeserver.yaml from app, push to mas, then syn2mas check + dry-run. +prepare_mas_migration () { + local hs_local syn_cfg + + syn_cfg=/tmp/homeserver.yaml + + cleanup_prepare_mas_migration() { + rm -f "homeserver.yaml" + } + trap cleanup_prepare_mas_migration EXIT + + echo "Fetching /data/homeserver.yaml from app to homeserver.yaml (abra app run … cat)..." + if ! abra app run -t "$DOMAIN" app cat /data/homeserver.yaml > "homeserver.yaml" + then + return 1 + fi + if [ ! -s "homeserver.yaml" ]; then + echo "Error: fetched homeserver.yaml is empty." >&2 + return 1 + fi + + echo "Copying into mas:/tmp" + abra app cp -C "$DOMAIN" "homeserver.yaml" "mas:/tmp" || return 1 + + echo "Running mas-cli syn2mas check..." + abra app run -t "$DOMAIN" mas -- mas-cli syn2mas check \ + --config /etc/mas/config.yaml \ + --synapse-config "$syn_cfg" || return 1 + + echo "Running mas-cli syn2mas migrate --dry-run..." + abra app run -t "$DOMAIN" mas -- mas-cli syn2mas migrate \ + --config /etc/mas/config.yaml \ + --synapse-config "$syn_cfg" \ + --dry-run || return 1 + + # trap - EXIT + # cleanup_prepare_mas_migration +} + set_admin () { admin=akadmin if [ -n "$1" ] diff --git a/homeserver.yaml.tmpl b/homeserver.yaml.tmpl index 4e4cbe8..691f97d 100644 --- a/homeserver.yaml.tmpl +++ b/homeserver.yaml.tmpl 
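Review bot: `trap cleanup_prepare_mas_migration EXIT` inside `prepare_mas_migration` overwrites whatever EXIT trap the rest of abra.sh may have installed and only fires when the whole script exits, so the fetched `homeserver.yaml` — which, per homeserver.yaml.tmpl, carries at least the TURN shared secret and the Keycloak client secrets — lingers in the caller's current directory, created with the default umask, for as long as the script keeps running; the commented-out `# trap - EXIT` / `# cleanup_prepare_mas_migration` at the end suggests this was noticed but not resolved, and `hs_local` is declared but never used. I would write the file under a `mktemp -d` directory (0700), keep the `homeserver.yaml` basename so `abra app cp … "mas:/tmp"` still lands at `$syn_cfg`, and delete that directory on every return path instead of relying on a global trap, as sketched below. The copy left in `mas:/tmp` is presumably needed for the real `syn2mas migrate` that follows this dry-run; a comment such as `# NOTE: mas:/tmp/homeserver.yaml holds Synapse secrets — remove it after the real migrate has run` would make that obligation visible to whoever runs it.
```shell
prepare_mas_migration () {
  local syn_cfg tmpdir hs_local rc
  syn_cfg=/tmp/homeserver.yaml

  # mktemp -d gives a 0700 scratch dir; the fetched config carries Synapse secrets.
  tmpdir=$(mktemp -d) || return 1
  hs_local="$tmpdir/homeserver.yaml"   # basename kept: "mas:/tmp" + this == $syn_cfg

  _prepare_mas_migration_steps "$hs_local" "$syn_cfg"
  rc=$?
  rm -rf -- "${tmpdir:?}"
  return "$rc"
}

_prepare_mas_migration_steps () {
  local hs_local="$1" syn_cfg="$2"

  echo "Fetching /data/homeserver.yaml from app (abra app run … cat)..."
  abra app run -t "$DOMAIN" app cat /data/homeserver.yaml > "$hs_local" || return 1
  if [ ! -s "$hs_local" ]; then
    echo "Error: fetched homeserver.yaml is empty." >&2
    return 1
  fi

  echo "Copying into mas:/tmp"
  abra app cp -C "$DOMAIN" "$hs_local" "mas:/tmp" || return 1

  # … unchanged: mas-cli syn2mas check and migrate --dry-run invocations …
}
```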
@@ -17,19 +17,27 @@ server_name: {{ or (env "SERVER_NAME") (env "DOMAIN") }} public_baseurl: https://{{ env "DOMAIN" }}/ # https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#require_auth_for_profile_requests +{{ if (env "REQUIRE_AUTH_FOR_PROFILE_REQUESTS") }} require_auth_for_profile_requests: {{ env "REQUIRE_AUTH_FOR_PROFILE_REQUESTS" }} +{{ end }} # https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#limit_profile_requests_to_users_who_share_rooms +{{ if (env "LIMIT_PROFILE_REQUESTS_TO_USERS_WHO_SHARE_ROOMS") }} limit_profile_requests_to_users_who_share_rooms: {{ env "LIMIT_PROFILE_REQUESTS_TO_USERS_WHO_SHARE_ROOMS" }} +{{ end }} # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#serve_server_wellknown +{{ if (env "SERVE_SERVER_WELLKNOWN") }} serve_server_wellknown: {{ env "SERVE_SERVER_WELLKNOWN" }} +{{ end }} # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#allow_public_rooms_without_auth allow_public_rooms_without_auth: false # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#allow_public_rooms_over_federation -allow_public_rooms_over_federation: {{ or (env "ALLOW_PUBLIC_ROOMS_FEDERATION") "true" }} +{{ if (env "ALLOW_PUBLIC_ROOMS_FEDERATION") }} +allow_public_rooms_over_federation: {{ env "ALLOW_PUBLIC_ROOMS_FEDERATION" }} +{{ end }} # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#listeners listeners: @@ -64,7 +72,9 @@ delete_stale_devices_after: {{ env "DELETE_STALE_DEVICES_AFTER" }} {{ end }} # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#admin_contact +{{ if (env "ADMIN_EMAIL") }} admin_contact: 'mailto:{{ env "ADMIN_EMAIL" }}' +{{ end }} # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#limit_remote_rooms limit_remote_rooms: 
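Review bot: Dropping the `"true"` fallback on `allow_public_rooms_over_federation` (first hunk) is a silent behaviour change: with `ALLOW_PUBLIC_ROOMS_FEDERATION` unset the key is now omitted and Synapse's documented default of `false` applies, so a deployment that never set the variable stops publishing its public room directory over federation after this upgrade. That may well be the intended, tighter posture, but the other keys in the hunk only lose an empty `key:` rendering, whereas this one flips an explicit default. Either keep `allow_public_rooms_over_federation: {{ or (env "ALLOW_PUBLIC_ROOMS_FEDERATION") "true" }}` or state the new default in the release notes and .env.sample so operators can opt back in deliberately.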
@@ -81,19 +91,27 @@ forgotten_room_retention_period: 3d request_token_inhibit_3pid_errors: true # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#redaction_retention_period +{{ if (env "REDACTION_RETENTION_PERIOD") }} redaction_retention_period: {{ env "REDACTION_RETENTION_PERIOD" }} +{{ end }} # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#user_ips_max_age +{{ if (env "USER_IPS_MAX_AGE") }} user_ips_max_age: {{ env "USER_IPS_MAX_AGE" }} +{{ end }} # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#retention retention: enabled: true default_policy: min_lifetime: 1d + {{ if (env "RETENTION_MAX_LIFETIME") }} max_lifetime: {{ env "RETENTION_MAX_LIFETIME" }} + {{ end }} allowed_lifetime_min: 1d + {{ if (env "ALLOWED_LIFETIME_MAX") }} allowed_lifetime_max: {{ env "ALLOWED_LIFETIME_MAX" }} + {{ end }} purge_jobs: - longest_max_lifetime: 3d interval: 12h 
@@ -134,20 +152,30 @@ max_upload_size: 50M # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#turn {{ if eq (env "TURN_ENABLED") "1" }} +{{ if (env "TURN_URIS") }} turn_uris: {{ env "TURN_URIS" }} +{{ end }} turn_shared_secret: "{{ secret "turn_shared_secret" }}" turn_user_lifetime: 1h +{{ if (env "TURN_ALLOW_GUESTS") }} turn_allow_guests: {{ env "TURN_ALLOW_GUESTS" }} {{ end }} +{{ end }} # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#enable_registration +{{ if (env "ENABLE_REGISTRATION") }} enable_registration: {{ env "ENABLE_REGISTRATION" }} +{{ end }} # https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#registration_requires_token +{{ if (env "REGISTRATION_REQUIRES_TOKEN") }} registration_requires_token: {{ env "REGISTRATION_REQUIRES_TOKEN" }} +{{ end }} # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#enable_3pid_lookup +{{ if (env "ENABLE_3PID_LOOKUP") }} enable_3pid_lookup: {{ env "ENABLE_3PID_LOOKUP" }} +{{ end }} # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#allow_guest_access allow_guest_access: false @@ -177,7 +205,9 @@ session_lifetime: {{ env "SESSION_LIFETIME" }} report_stats: false # https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#track_puppeted_user_ips +{{ if (env "TRACK_PUPPETED_USER_IPS") }} track_puppeted_user_ips: {{ env "TRACK_PUPPETED_USER_IPS" }} +{{ end }} {{ if eq (env "APP_SERVICES_ENABLED") "1" }} # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#app_service_config_files 
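Review bot: In the first hunk, wrapping `registration_requires_token` in `{{ if (env "REGISTRATION_REQUIRES_TOKEN") }}` means a deployment with `ENABLE_REGISTRATION=true` and the token variable unset now renders registration enabled with no token requirement at all. Recent Synapse releases refuse to start when `enable_registration` is true with no verification method configured, as far as I recall, so the likely outcome is a non-starting server rather than open registration — but the template can fail closed instead: `registration_requires_token: {{ or (env "REGISTRATION_REQUIRES_TOKEN") "true" }}` keeps registration token-gated unless the operator explicitly sets the variable to `false`, and is harmless while registration is disabled. A short comment above it, `# default to token-gated registration; set REGISTRATION_REQUIRES_TOKEN=false to open it`, would document the choice.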
@@ -216,7 +246,9 @@ oidc_providers: client_id: "{{ env "KEYCLOAK_CLIENT_ID" }}" client_secret: "{{ secret "keycloak_client_secret" }}" scopes: ["openid", "profile"] + {{ if (env "KEYCLOAK_ALLOW_EXISTING_USERS") }} allow_existing_users: {{ env "KEYCLOAK_ALLOW_EXISTING_USERS" }} + {{ end }} user_mapping_provider: config: localpart_template: "{{ "{{ user.preferred_username }}" }}" @@ -229,7 +261,9 @@ oidc_providers: client_id: "{{ env "KEYCLOAK2_CLIENT_ID" }}" client_secret: "{{ secret "keycloak2_client_secret" }}" scopes: ["openid", "profile"] + {{ if (env "KEYCLOAK2_ALLOW_EXISTING_USERS") }} allow_existing_users: {{ env "KEYCLOAK2_ALLOW_EXISTING_USERS" }} + {{ end }} user_mapping_provider: config: localpart_template: "{{ "{{ user.preferred_username }}" }}" @@ -243,7 +277,9 @@ oidc_providers: client_id: "{{ env "KEYCLOAK3_CLIENT_ID" }}" client_secret: "{{ secret "keycloak3_client_secret" }}" scopes: ["openid", "profile"] + {{ if (env "KEYCLOAK3_ALLOW_EXISTING_USERS") }} allow_existing_users: {{ env "KEYCLOAK3_ALLOW_EXISTING_USERS" }} + {{ end }} user_mapping_provider: config: localpart_template: "{{ "{{ user.preferred_username }}" }}" @@ -260,8 +296,10 @@ sso: # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#password_config # With MAS (matrix_authentication_service), Synapse rejects password_config.enabled: true — set PASSWORD_LOGIN_ENABLED=false in app .env when MAS_ENABLED=1 (.env.sample). +{{ if (env "PASSWORD_LOGIN_ENABLED") }} password_config: enabled: {{ env "PASSWORD_LOGIN_ENABLED" }} +{{ end }} {{ if eq (env "MAS_ENABLED") "1" }} # https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#matrix_authentication_service 
@@ -286,19 +324,37 @@ email: {{ end }} # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#encryption_enabled_by_default_for_room_type +{{ if (env "ENCRYPTED_BY_DEFAULT") }} encryption_enabled_by_default_for_room_type: {{ env "ENCRYPTED_BY_DEFAULT" }} +{{ end }} # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#user_directory +{{ if or (env "USER_DIRECTORY_ENABLED") (env "USER_DIRECTORY_SEARCH_ALL_USERS") (env "USER_DIRECTORY_PREFER_LOCAL_USERS") (env "USER_DIRECTORY_SHOW_LOCKED_USERS") }} user_directory: + {{ if (env "USER_DIRECTORY_ENABLED") }} enabled: {{ env "USER_DIRECTORY_ENABLED" }} + {{ end }} + {{ if (env "USER_DIRECTORY_SEARCH_ALL_USERS") }} search_all_users: {{ env "USER_DIRECTORY_SEARCH_ALL_USERS" }} + {{ end }} + {{ if (env "USER_DIRECTORY_PREFER_LOCAL_USERS") }} prefer_local_users: {{ env "USER_DIRECTORY_PREFER_LOCAL_USERS" }} + {{ end }} + {{ if (env "USER_DIRECTORY_SHOW_LOCKED_USERS") }} show_locked_users: {{ env "USER_DIRECTORY_SHOW_LOCKED_USERS" }} + {{ end }} +{{ end }} # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#media_retention +{{ if or (env "MEDIA_RETENTION_LOCAL_LIFETIME") (env "MEDIA_RETENTION_REMOTE_LIFETIME") }} media_retention: + {{ if (env "MEDIA_RETENTION_LOCAL_LIFETIME") }} local_media_lifetime: {{ env "MEDIA_RETENTION_LOCAL_LIFETIME" }} + {{ end }} + {{ if (env "MEDIA_RETENTION_REMOTE_LIFETIME") }} remote_media_lifetime: {{ env "MEDIA_RETENTION_REMOTE_LIFETIME" }} + {{ end }} +{{ end }} # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#enable_metrics enable_metrics: false 
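Review bot: Gating `encryption_enabled_by_default_for_room_type` on `ENCRYPTED_BY_DEFAULT` makes an unset variable fall through to Synapse's default of `off`, i.e. new rooms are unencrypted by default, where the previous template rendered an empty value that Synapse would, as far as I can tell, reject at startup rather than silently weaken. The user_directory and media_retention changes in the same hunk only omit keys whose Synapse defaults are the conservative ones. Consider keeping an explicit fallback, `encryption_enabled_by_default_for_room_type: {{ or (env "ENCRYPTED_BY_DEFAULT") "invite" }}`, or at least a comment `# unset => Synapse default "off" (new rooms are not encrypted by default)` so the weaker default is a visible choice rather than an upgrade side effect.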
@@ -314,13 +370,21 @@ opentracing: enabled: false # https://matrix-org.github.io/synapse/develop/usage/configuration/config_documentation.html#ratelimiting +{{ if or (and (env "LOGIN_LIMIT_IP_PER_SECOND") (env "LOGIN_LIMIT_IP_BURST")) (and (env "LOGIN_LIMIT_ACCOUNT_PER_SECOND") (env "LOGIN_LIMIT_ACCOUNT_BURST")) }} rc_login: +{{ if and (env "LOGIN_LIMIT_IP_PER_SECOND") (env "LOGIN_LIMIT_IP_BURST") }} address: per_second: {{ env "LOGIN_LIMIT_IP_PER_SECOND" }} burst_count: {{ env "LOGIN_LIMIT_IP_BURST" }} +{{ end }} +{{ if and (env "LOGIN_LIMIT_ACCOUNT_PER_SECOND") (env "LOGIN_LIMIT_ACCOUNT_BURST") }} account: per_second: {{ env "LOGIN_LIMIT_ACCOUNT_PER_SECOND" }} burst_count: {{ env "LOGIN_LIMIT_ACCOUNT_BURST" }} +{{ end }} +{{ end }} # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#web_client_location +{{ if (env "WEB_CLIENT_LOCATION") }} web_client_location: {{ env "WEB_CLIENT_LOCATION" }} +{{ end }}
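Review bot: Requiring both `LOGIN_LIMIT_IP_PER_SECOND` and `LOGIN_LIMIT_IP_BURST` (and likewise the account pair) before emitting the `address`/`account` block means an operator who sets only one of them silently gets Synapse's built-in login rate limits instead of the value they configured, with nothing in the rendered config to show why. Synapse reads `per_second` and `burst_count` independently with their own defaults, as far as I can tell, so each line can be gated on its own variable — `{{ if (env "LOGIN_LIMIT_IP_PER_SECOND") }}    per_second: {{ env "LOGIN_LIMIT_IP_PER_SECOND" }}{{ end }}` and the same for `burst_count` — with the `address:` / `account:` headers gated on `or` of the pair, which keeps a half-set pair effective rather than dropped. If the all-or-nothing pairing is deliberate, a comment next to the outer `{{ if }}`, `# both *_PER_SECOND and *_BURST must be set or the block is omitted and Synapse defaults apply`, would make the requirement explicit.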