chore: publish 7.1.0+v1.149.1 release

.env.sample

@@ -19,6 +19,82 @@ SECRET_FORM_SECRET_VERSION=v1
 SECRET_MACAROON_VERSION=v1
 SECRET_REGISTRATION_VERSION=v1
 
+## Authentication
+
+# All login / SSO / MAS-related toggles in one place.
+
+### Local password & registration (Synapse native)
+
+# With MAS_ENABLED=1 you must set PASSWORD_LOGIN_ENABLED=false — Synapse forbids legacy password DB alongside matrix_authentication_service.
+PASSWORD_LOGIN_ENABLED=true
+ENABLE_REGISTRATION=false
+
+# Token based registration. Enable ADMIN_INTERFACE (below) to use the admin interface to generate tokens.
+#REGISTRATION_REQUIRES_TOKEN=true
+
+### OIDC via Keycloak-shaped API (e.g. Authentik)
+
+#COMPOSE_FILE="$COMPOSE_FILE:compose.keycloak.yml"
+#KEYCLOAK_ENABLED=1
+#KEYCLOAK_ID=keycloak
+#KEYCLOAK_NAME=
+#KEYCLOAK_URL=
+#KEYCLOAK_CLIENT_ID=
+#KEYCLOAK_CLIENT_DOMAIN=
+#KEYCLOAK_ALLOW_EXISTING_USERS=false
+#SECRET_KEYCLOAK_CLIENT_SECRET_VERSION=v1
+
+### Second OIDC provider (compose.keycloak2.yml)
+
+#COMPOSE_FILE="$COMPOSE_FILE:compose.keycloak2.yml"
+#KEYCLOAK2_ENABLED=1
+#KEYCLOAK2_ID=keycloak2
+#KEYCLOAK2_NAME=
+#KEYCLOAK2_URL=
+#KEYCLOAK2_CLIENT_ID=
+#KEYCLOAK2_CLIENT_DOMAIN=
+#KEYCLOAK2_ALLOW_EXISTING_USERS=false
+#SECRET_KEYCLOAK2_CLIENT_SECRET_VERSION=v1
+
+### Third OIDC provider (compose.keycloak3.yml)
+
+#COMPOSE_FILE="$COMPOSE_FILE:compose.keycloak3.yml"
+#KEYCLOAK3_ENABLED=1
+#KEYCLOAK3_ID=keycloak3
+#KEYCLOAK3_NAME=
+#KEYCLOAK3_URL=
+#KEYCLOAK3_CLIENT_ID=
+#KEYCLOAK3_CLIENT_DOMAIN=
+#KEYCLOAK3_ALLOW_EXISTING_USERS=false
+#SECRET_KEYCLOAK3_CLIENT_SECRET_VERSION=v1
+
+### Matrix Authentication Service (MAS) — Element X / OIDC-native auth
+
+#COMPOSE_FILE="$COMPOSE_FILE:compose.mas.yml"
+#MAS_ENABLED=1
+#PASSWORD_LOGIN_ENABLED=false
+#SECRET_MAS_ENCRYPTION_VERSION=v1 # length=64 # charset=hex
+#SECRET_MAS_SYNAPSE_SHARED_VERSION=v1 # length=64 # charset=hex
+# PEM private key: abra cannot generate this format — insert only (e.g. openssl genrsa 2048 | abra app secret insert …)
+#SECRET_MAS_SIGNING_RSA_VERSION=v1 # generate=false
+
+#### MAS upstream OIDC provider (e.g. Authentik)
+# Create a new OAuth2 app in your IdP with redirect URI: https://<DOMAIN>/upstream/callback/<MAS_UPSTREAM_PROVIDER_ID>
+#COMPOSE_FILE="$COMPOSE_FILE:compose.mas-upstream.yml"
+#MAS_UPSTREAM_PROVIDER_ID=          # ULID, e.g. 01JSHPZHAXC50QBKH67MH33TNF — generate at https://www.ulidtools.com
+#MAS_UPSTREAM_ISSUER=               # e.g. https://auth.example.com/application/o/matrix-mas/
+#MAS_UPSTREAM_CLIENT_ID=
+#MAS_UPSTREAM_HUMAN_NAME=Authentik
+# For migration from previous direct Keycloud-style config: set to oidc-<your old KEYCLOAK_ID> so syn2mas maps users correctly.
+#MAS_UPSTREAM_SYNAPSE_IDP_ID=
+#SECRET_MAS_UPSTREAM_CLIENT_SECRET_VERSION=v1
+
+### Shared secret auth (bridges / automation)
+
+#COMPOSE_FILE="$COMPOSE_FILE:compose.shared_secret_auth.yml"
+#SHARED_SECRET_AUTH_ENABLED=1
+#SECRET_SHARED_SECRET_AUTH_VERSION=v1 # length=128
+
 ## Federation
 
 #DISABLE_FEDERATION=1
@@ -28,14 +104,6 @@ SERVE_SERVER_WELLKNOWN=false
 
 ALLOW_PUBLIC_ROOMS_FEDERATION=false
 
-## Registration
-
-ENABLE_REGISTRATION=false
-PASSWORD_LOGIN_ENABLED=true
-
-# Token based registration. Enable ADMIN_INTERFACE (below) to use the admin interface to generate tokens.
-#REGISTRATION_REQUIRES_TOKEN=true
-
 ## Room auto-join
 
 #AUTO_JOIN_ROOM_ENABLED=1
@@ -98,30 +166,8 @@ RETENTION_MAX_LIFETIME=4w
 #LOGIN_LIMIT_ACCOUNT_PER_SECOND=1
 #LOGIN_LIMIT_ACCOUNT_BURST=10
 
-## Keycloak SSO
-
-#COMPOSE_FILE="$COMPOSE_FILE:compose.keycloak.yml"
-#KEYCLOAK_ENABLED=1
-#KEYCLOAK_ID=keycloak
-#KEYCLOAK_NAME=
-#KEYCLOAK_URL=
-#KEYCLOAK_CLIENT_ID=
-#KEYCLOAK_CLIENT_DOMAIN=
-#KEYCLOAK_ALLOW_EXISTING_USERS=false
-#SECRET_KEYCLOAK_CLIENT_SECRET_VERSION=v1
-
 ## TURN
 
-#COMPOSE_FILE="$COMPOSE_FILE:compose.keycloak3.yml"
-#KEYCLOAK3_ENABLED=1
-#KEYCLOAK3_ID=keycloak3
-#KEYCLOAK3_NAME=
-#KEYCLOAK3_URL=
-#KEYCLOAK3_CLIENT_ID=
-#KEYCLOAK3_CLIENT_DOMAIN=
-#KEYCLOAK3_ALLOW_EXISTING_USERS=false
-#SECRET_KEYCLOAK3_CLIENT_SECRET_VERSION=v1
-
 #COMPOSE_FILE="$COMPOSE_FILE:compose.turn.yml"
 #TURN_ENABLED=1
 #TURN_URIS="[\"turns:coturn.foo.zone?transport=udp\", \"turns:coturn.foo.zone?transport=tcp\"]"
@@ -189,12 +235,6 @@ RETENTION_MAX_LIFETIME=4w
 #SECRET_SIGNAL_HS_TOKEN_VERSION=v1
 #SECRET_SIGNAL_PICKLE_KEY_VERSION=v1
 
-## Shared auth
-
-#COMPOSE_FILE="$COMPOSE_FILE:compose.shared_secret_auth.yml"
-#SHARED_SECRET_AUTH_ENABLED=1
-#SECRET_SHARED_SECRET_AUTH_VERSION=v1 # length=128
-
 ## Web Client (Redirect)
 #WEB_CLIENT_LOCATION=https://element-web.example.com
 

README.md

@@ -45,6 +45,50 @@ See [`#27`](https://git.coopcloud.tech/coop-cloud/matrix-synapse/pulls/27) for m
 
 You'll need to deploy something like [this](https://git.autonomic.zone/ruangrupa/well-known-uris). This could be implemented in this recipe but we haven't merged it in yet. Change sets are welcome.
 
+### Matrix Authentication Service (MAS)
+
+[MAS](https://element-hq.github.io/matrix-authentication-service/) is Element’s OAuth/OIDC-native auth service for Matrix: it handles login, tokens, and upstream IdPs while Synapse delegates authentication via `matrix_authentication_service`.
+
+**Enable the stack:**
+
+- In `.env`, uncomment `compose.mas.yml` (and `compose.mas-upstream.yml` plus upstream envs if you use an external IdP), and uncomment the `SECRET_MAS_*` version lines.
+- `abra app secret generate YOURAPPDOMAIN`
+- **Manually insert** the PEM RSA key for `SECRET_MAS_SIGNING_RSA_VERSION` (`generate=false` in `.env.sample`) — abra cannot generate that format; see the comment there (e.g. `openssl genrsa 2048` piped to `abra app secret insert`).
+- `abra app cmd YOURAPPDOMAIN db ensure_mas_database` (once, creates the `mas` database in Postgres)
+- `abra app deploy YOURAPPDOMAIN`
+
+**If you plan to migrate an existing homeserver with `syn2mas`:** deploy and configure MAS as above, but **leave `MAS_ENABLED=1` commented** until migration and cutover are done, so Synapse keeps using your current login path until you intentionally switch. You cannot use Synapse legacy OIDC/Keycloak SSO alongside MAS; plan IdP apps and envs accordingly.
+
+<details>
+<summary><strong>Migrating an existing server (<code>syn2mas</code>)</strong></summary>
+
+Requires PostgreSQL on Synapse and a dedicated MAS database. Backup Postgres (and configs) before you start. Official background: [MAS migration guide](https://element-hq.github.io/matrix-authentication-service/setup/migration.html).
+
+1. **Prepare (Synapse still running):** With MAS in `COMPOSE_FILE` but **`MAS_ENABLED` still off**, deploy, then run checks from your machine:
+   ```bash
+   abra app cmd YOURAPPDOMAIN prepare_mas_migration
+   ```
+   This fetches rendered `homeserver.yaml` into the MAS container, runs `syn2mas check`, then `migrate --dry-run` (the dry run rolls back MAS data at the end). The file stays in the MAS container until next restart, so you can repeat this step to provide the file for the actual migration.
+
+2. **Optional snapshot:** save a copy of the rendered config while `app` is up, e.g. `abra app run -t YOURAPPDOMAIN app cat /data/homeserver.yaml > homeserver.snapshot.yaml`.
+
+3. **Downtime — stop Synapse:** run on the **host** with Docker/Swarm access (not inside a container), e.g.:
+   ```bash
+   docker service scale <STACK_NAME>_app=0
+   ```
+   Use the real service name from `docker service ls` (suffix `_app`).
+
+4. **Migration:** with MAS still running and Synapse at zero replicas,
+   ```bash
+   abra app run YOURAPPDOMAIN mas -- mas-cli syn2mas migrate \
+     --config /etc/mas/config.yaml \
+     --synapse-config /tmp/homeserver.yaml
+   ```
+
+5. **Cutover:** in `.env`, set `MAS_ENABLED=1`, `PASSWORD_LOGIN_ENABLED=false`, remove legacy Keycloak/SSO envs, then `abra app deploy YOURAPPDOMAIN` (Synapse comes back with MAS delegation). `syn2mas` does not write to the Synapse database; if you abort before serving traffic through MAS, you can often drop and recreate the MAS DB and revert env.
+
+</details>
+
 ## Bridges
 For all Bridges:
 - Setting it up is a bit of a chicken/egg & chasing cats moment.
@@ -52,6 +96,9 @@ For all Bridges:
 - include the registration in synapse, e.g. `APP_SERVICE_CONFIGS="[\"/telegram-data/registration.yaml\"]"`
 - and set yourself as admin, e.g.: `TELEGRAM_BRIDGE_PERMISSIONS="{ \"*\": \"relaybot\", \"@akadmin:example.com\": \"admin\"}"`
 
+> [!IMPORTANT]
+> The shared secret authenticator may break when matrix-synapse uses a newer python version with an error stating something like "module not found". You have to fix the path in the compose.shared_secret_auth.yml like [here](https://git.coopcloud.tech/coop-cloud/matrix-synapse/commit/3d1350533079ce1ad3bea92039fe003684589b95)
+
 ### Telegram bridging
 
 You need to get your bot setup on the telegram side first by creating a [telegram app](https://my.telegram.org/apps) and a [telegram bot](https://docs.mau.fi/bridges/python/telegram/relay-bot.html#setup) and have these values:

abra.sh

@@ -1,16 +1,63 @@
 export DISCORD_BRIDGE_YAML_VERSION=v2
 export ENTRYPOINT_CONF_VERSION=v3
-export HOMESERVER_YAML_VERSION=v35
+export HOMESERVER_YAML_VERSION=v36
 export LOG_CONFIG_VERSION=v2
 export SHARED_SECRET_AUTH_VERSION=v2
 export SIGNAL_BRIDGE_YAML_VERSION=v6
 export TELEGRAM_BRIDGE_YAML_VERSION=v6
-export NGINX_CONFIG_VERSION=v12
+export NGINX_CONFIG_VERSION=v13
 export WK_SERVER_VERSION=v1
-export WK_CLIENT_VERSION=v1
+export WK_CLIENT_VERSION=v2
+export MAS_CONFIG_VERSION=v1
 export PG_BACKUP_VERSION=v2
 export ADMIN_CONFIG_VERSION=v1
 
+ensure_mas_database () {
+    if ! psql -U synapse -d postgres -v ON_ERROR_STOP=1 -Atqc "SELECT 1 FROM pg_database WHERE datname = 'mas'" | grep -qx 1
+    then
+        psql -U synapse -d postgres -v ON_ERROR_STOP=1 -c "CREATE DATABASE mas OWNER synapse"
+    fi
+}
+
+# Local helper: fetch homeserver.yaml from app, push to mas, then syn2mas check + dry-run.
+prepare_mas_migration () {
+    local hs_local syn_cfg
+
+    syn_cfg=/tmp/homeserver.yaml
+
+    cleanup_prepare_mas_migration() {
+        rm -f "homeserver.yaml"
+    }
+    trap cleanup_prepare_mas_migration EXIT
+
+    echo "Fetching /data/homeserver.yaml from app to homeserver.yaml (abra app run … cat)..."
+    if ! abra app run -t "$DOMAIN" app cat /data/homeserver.yaml > "homeserver.yaml"
+    then
+        return 1
+    fi
+    if [ ! -s "homeserver.yaml" ]; then
+        echo "Error: fetched homeserver.yaml is empty." >&2
+        return 1
+    fi
+
+    echo "Copying into mas:/tmp"
+    abra app cp "$DOMAIN" "homeserver.yaml" "mas:/tmp" || return 1
+
+    echo "Running mas-cli syn2mas check..."
+    abra app run -t "$DOMAIN" mas -- mas-cli syn2mas check \
+        --config /etc/mas/config.yaml \
+        --synapse-config "$syn_cfg" || return 1
+
+    echo "Running mas-cli syn2mas migrate --dry-run..."
+    abra app run -t "$DOMAIN" mas -- mas-cli syn2mas migrate \
+        --config /etc/mas/config.yaml \
+        --synapse-config "$syn_cfg" \
+        --dry-run || return 1
+
+    trap - EXIT
+    cleanup_prepare_mas_migration
+}
+
 set_admin () {
     admin=akadmin
     if [ -n "$1" ]

compose.mas-upstream.yml

@@ -0,0 +1,21 @@
+---
+version: "3.8"
+
+# Upstream OIDC provider for MAS (e.g. Authentik, Keycloak).
+# Requires compose.mas.yml. Adds the client secret and env vars needed by mas.config.yaml.tmpl.
+
+services:
+  mas:
+    environment:
+      - MAS_UPSTREAM_PROVIDER_ID
+      - MAS_UPSTREAM_ISSUER
+      - MAS_UPSTREAM_CLIENT_ID
+      - MAS_UPSTREAM_HUMAN_NAME
+      - MAS_UPSTREAM_SYNAPSE_IDP_ID
+    secrets:
+      - mas_upstream_client_secret
+
+secrets:
+  mas_upstream_client_secret:
+    external: true
+    name: ${STACK_NAME}_mas_upstream_client_secret_${SECRET_MAS_UPSTREAM_CLIENT_SECRET_VERSION}

compose.mas.yml

@@ -0,0 +1,64 @@
+---
+version: "3.8"
+
+# Matrix Authentication Service (MAS) — optional overlay for Element X / OIDC-native auth.
+
+services:
+  mas:
+    image: ghcr.io/element-hq/matrix-authentication-service:1.14.0
+    command: ["server", "--config=/etc/mas/config.yaml"]
+    environment:
+      - DOMAIN
+      - SERVER_NAME
+      - STACK_NAME
+    networks:
+      - internal
+    configs:
+      - source: mas_config
+        target: /etc/mas/config.yaml
+    secrets:
+      - db_password
+      - mas_encryption
+      - mas_synapse_shared
+      - mas_signing_rsa
+    # Official image is distroless (no curl/wget); upstream suggests `mas-cli config check` for probes.
+    # See https://github.com/element-hq/matrix-authentication-service/issues/3741 — validates config, not HTTP.
+    # GET /health is still served (resource `health` in mas.config.yaml.tmpl) for probes from other images.
+    healthcheck:
+      test:
+        [
+          "CMD",
+          "/usr/local/bin/mas-cli",
+          "--config",
+          "/etc/mas/config.yaml",
+          "config",
+          "check",
+        ]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 60s
+    deploy:
+      restart_policy:
+        condition: on-failure
+
+  app:
+    secrets:
+      - mas_synapse_shared
+
+configs:
+  mas_config:
+    name: ${STACK_NAME}_mas_config_${MAS_CONFIG_VERSION}
+    file: mas.config.yaml.tmpl
+    template_driver: golang
+
+secrets:
+  mas_encryption:
+    external: true
+    name: ${STACK_NAME}_mas_encryption_${SECRET_MAS_ENCRYPTION_VERSION}
+  mas_synapse_shared:
+    external: true
+    name: ${STACK_NAME}_mas_synapse_shared_${SECRET_MAS_SYNAPSE_SHARED_VERSION}
+  mas_signing_rsa:
+    external: true
+    name: ${STACK_NAME}_mas_signing_rsa_${SECRET_MAS_SIGNING_RSA_VERSION}

compose.shared_secret_auth.yml

@@ -9,7 +9,7 @@ services:
       - shared_secret_auth
     configs:
       - source: shared_secret_auth
-        target: /usr/local/lib/python3.12/site-packages/shared_secret_authenticator.py
+        target: /usr/local/lib/python3.13/site-packages/shared_secret_authenticator.py
 
 configs:
   shared_secret_auth:

compose.yml

@@ -10,6 +10,7 @@ services:
     environment:
       - DOMAIN
       - STACK_NAME
+      - MAS_ENABLED
       - NGINX_ACCESS_LOG_LOCATION
       - NGINX_ERROR_LOG_LOCATION
       - MAX_UPLOAD_SIZE
@@ -22,7 +23,7 @@ services:
         target: /var/www/.well-known/matrix/client
     deploy:
       restart_policy:
-        condition: on-failure
+        condition: any
       labels:
         - "traefik.enable=true"
         - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
@@ -33,8 +34,8 @@ services:
       test: curl -f http://${STACK_NAME}_app:8008/health || exit 1
       interval: 30s
       timeout: 15s
-      retries: 30
+      retries: 90
-      start_period: 1m
+      start_period: 2m
 
   app:
     image: "matrixdotorg/synapse:v1.149.1"
@@ -46,6 +47,7 @@ services:
       - macaroon
       - form_secret
     environment:
+      - MAS_ENABLED
       - ALLOWED_LIFETIME_MAX
       - ALLOW_PUBLIC_ROOMS_FEDERATION
       - AUTO_JOIN_ROOM
@@ -106,7 +108,7 @@ services:
       restart_policy:
         condition: on-failure
       labels:
-        - "coop-cloud.${STACK_NAME}.version=7.0.0+v1.149.1"
+        - "coop-cloud.${STACK_NAME}.version=7.1.0+v1.149.1"
         - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT}"
     healthcheck:
       test: ["CMD", "curl", "-f", "http://localhost:8008/health"]

homeserver.yaml.tmpl

@@ -17,19 +17,27 @@ server_name: {{ or (env "SERVER_NAME") (env "DOMAIN") }}
 public_baseurl: https://{{ env "DOMAIN" }}/
 
 # https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#require_auth_for_profile_requests
+{{ if (env "REQUIRE_AUTH_FOR_PROFILE_REQUESTS") }}
 require_auth_for_profile_requests: {{ env "REQUIRE_AUTH_FOR_PROFILE_REQUESTS" }}
+{{ end }}
 
 # https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#limit_profile_requests_to_users_who_share_rooms
+{{ if (env "LIMIT_PROFILE_REQUESTS_TO_USERS_WHO_SHARE_ROOMS") }}
 limit_profile_requests_to_users_who_share_rooms: {{ env "LIMIT_PROFILE_REQUESTS_TO_USERS_WHO_SHARE_ROOMS" }}
+{{ end }}
 
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#serve_server_wellknown
+{{ if (env "SERVE_SERVER_WELLKNOWN") }}
 serve_server_wellknown: {{ env "SERVE_SERVER_WELLKNOWN" }}
+{{ end }}
 
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#allow_public_rooms_without_auth
 allow_public_rooms_without_auth: false
 
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#allow_public_rooms_over_federation
-allow_public_rooms_over_federation: {{ or (env "ALLOW_PUBLIC_ROOMS_FEDERATION") "true" }}
+{{ if (env "ALLOW_PUBLIC_ROOMS_FEDERATION") }}
+allow_public_rooms_over_federation: {{ env "ALLOW_PUBLIC_ROOMS_FEDERATION" }}
+{{ end }}
 
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#listeners
 listeners:
@@ -64,7 +72,9 @@ delete_stale_devices_after: {{ env "DELETE_STALE_DEVICES_AFTER" }}
 {{ end }}
 
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#admin_contact
+{{ if (env "ADMIN_EMAIL") }}
 admin_contact: 'mailto:{{ env "ADMIN_EMAIL" }}'
+{{ end }}
 
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#limit_remote_rooms
 limit_remote_rooms:
@@ -81,19 +91,27 @@ forgotten_room_retention_period: 3d
 request_token_inhibit_3pid_errors: true
 
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#redaction_retention_period
+{{ if (env "REDACTION_RETENTION_PERIOD") }}
 redaction_retention_period: {{ env "REDACTION_RETENTION_PERIOD" }}
+{{ end }}
 
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#user_ips_max_age
+{{ if (env "USER_IPS_MAX_AGE") }}
 user_ips_max_age: {{ env "USER_IPS_MAX_AGE" }}
+{{ end }}
 
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#retention
 retention:
   enabled: true
   default_policy:
     min_lifetime: 1d
+    {{ if (env "RETENTION_MAX_LIFETIME") }}
     max_lifetime: {{ env "RETENTION_MAX_LIFETIME" }}
+    {{ end }}
   allowed_lifetime_min: 1d
+  {{ if (env "ALLOWED_LIFETIME_MAX") }}
   allowed_lifetime_max: {{ env "ALLOWED_LIFETIME_MAX" }}
+  {{ end }}
   purge_jobs:
     - longest_max_lifetime: 3d
       interval: 12h
@@ -134,20 +152,30 @@ max_upload_size: 50M
 
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#turn
 {{ if eq (env "TURN_ENABLED") "1" }}
+{{ if (env "TURN_URIS") }}
 turn_uris: {{ env "TURN_URIS" }}
+{{ end }}
 turn_shared_secret: "{{ secret "turn_shared_secret" }}"
 turn_user_lifetime: 1h
+{{ if (env "TURN_ALLOW_GUESTS") }}
 turn_allow_guests: {{ env "TURN_ALLOW_GUESTS" }}
 {{ end }}
+{{ end }}
 
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#enable_registration
+{{ if (env "ENABLE_REGISTRATION") }}
 enable_registration: {{ env "ENABLE_REGISTRATION" }}
+{{ end }}
 
 # https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#registration_requires_token
+{{ if (env "REGISTRATION_REQUIRES_TOKEN") }}
 registration_requires_token: {{ env "REGISTRATION_REQUIRES_TOKEN" }}
+{{ end }}
 
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#enable_3pid_lookup
+{{ if (env "ENABLE_3PID_LOOKUP") }}
 enable_3pid_lookup: {{ env "ENABLE_3PID_LOOKUP" }}
+{{ end }}
 
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#allow_guest_access
 allow_guest_access: false
@@ -177,7 +205,9 @@ session_lifetime: {{ env "SESSION_LIFETIME" }}
 report_stats: false
 
 # https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#track_puppeted_user_ips
+{{ if (env "TRACK_PUPPETED_USER_IPS") }}
 track_puppeted_user_ips: {{ env "TRACK_PUPPETED_USER_IPS" }}
+{{ end }}
 
 {{ if eq (env "APP_SERVICES_ENABLED") "1" }}
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#app_service_config_files
@@ -216,7 +246,9 @@ oidc_providers:
     client_id: "{{ env "KEYCLOAK_CLIENT_ID" }}"
     client_secret: "{{ secret "keycloak_client_secret" }}"
     scopes: ["openid", "profile"]
+    {{ if (env "KEYCLOAK_ALLOW_EXISTING_USERS") }}
     allow_existing_users: {{ env "KEYCLOAK_ALLOW_EXISTING_USERS" }}
+    {{ end }}
     user_mapping_provider:
       config:
         localpart_template: "{{ "{{ user.preferred_username }}" }}"
@@ -229,7 +261,9 @@ oidc_providers:
     client_id: "{{ env "KEYCLOAK2_CLIENT_ID" }}"
     client_secret: "{{ secret "keycloak2_client_secret" }}"
     scopes: ["openid", "profile"]
+    {{ if (env "KEYCLOAK2_ALLOW_EXISTING_USERS") }}
     allow_existing_users: {{ env "KEYCLOAK2_ALLOW_EXISTING_USERS" }}
+    {{ end }}
     user_mapping_provider:
       config:
         localpart_template: "{{ "{{ user.preferred_username }}" }}"
@@ -243,7 +277,9 @@ oidc_providers:
     client_id: "{{ env "KEYCLOAK3_CLIENT_ID" }}"
     client_secret: "{{ secret "keycloak3_client_secret" }}"
     scopes: ["openid", "profile"]
+    {{ if (env "KEYCLOAK3_ALLOW_EXISTING_USERS") }}
     allow_existing_users: {{ env "KEYCLOAK3_ALLOW_EXISTING_USERS" }}
+    {{ end }}
     user_mapping_provider:
       config:
         localpart_template: "{{ "{{ user.preferred_username }}" }}"
@@ -259,8 +295,19 @@ sso:
 {{ end }}
 
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#password_config
+# With MAS (matrix_authentication_service), Synapse rejects password_config.enabled: true — set PASSWORD_LOGIN_ENABLED=false in app .env when MAS_ENABLED=1 (.env.sample).
+{{ if (env "PASSWORD_LOGIN_ENABLED") }}
 password_config:
    enabled: {{ env "PASSWORD_LOGIN_ENABLED" }}
+{{ end }}
+
+{{ if eq (env "MAS_ENABLED") "1" }}
+# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#matrix_authentication_service
+matrix_authentication_service:
+  enabled: true
+  endpoint: http://{{ env "STACK_NAME"}}_mas:8080/
+  secret_path: /run/secrets/mas_synapse_shared
+{{ end }}
 
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#email
 {{ if eq (env "SMTP_ENABLED") "1" }}
@@ -277,19 +324,37 @@ email:
 {{ end }}
 
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#encryption_enabled_by_default_for_room_type
+{{ if (env "ENCRYPTED_BY_DEFAULT") }}
 encryption_enabled_by_default_for_room_type: {{ env "ENCRYPTED_BY_DEFAULT" }}
+{{ end }}
 
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#user_directory
+{{ if or (env "USER_DIRECTORY_ENABLED") (env "USER_DIRECTORY_SEARCH_ALL_USERS") (env "USER_DIRECTORY_PREFER_LOCAL_USERS") (env "USER_DIRECTORY_SHOW_LOCKED_USERS") }}
 user_directory:
+  {{ if (env "USER_DIRECTORY_ENABLED") }}
   enabled: {{ env "USER_DIRECTORY_ENABLED" }}
+  {{ end }}
+  {{ if (env "USER_DIRECTORY_SEARCH_ALL_USERS") }}
   search_all_users: {{ env "USER_DIRECTORY_SEARCH_ALL_USERS" }}
+  {{ end }}
+  {{ if (env "USER_DIRECTORY_PREFER_LOCAL_USERS") }}
   prefer_local_users: {{ env "USER_DIRECTORY_PREFER_LOCAL_USERS" }}
+  {{ end }}
+  {{ if (env "USER_DIRECTORY_SHOW_LOCKED_USERS") }}
   show_locked_users: {{ env "USER_DIRECTORY_SHOW_LOCKED_USERS" }}
+  {{ end }}
+{{ end }}
 
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#media_retention
+{{ if or (env "MEDIA_RETENTION_LOCAL_LIFETIME") (env "MEDIA_RETENTION_REMOTE_LIFETIME") }}
 media_retention:
+  {{ if (env "MEDIA_RETENTION_LOCAL_LIFETIME") }}
   local_media_lifetime: {{ env "MEDIA_RETENTION_LOCAL_LIFETIME" }}
+  {{ end }}
+  {{ if (env "MEDIA_RETENTION_REMOTE_LIFETIME") }}
   remote_media_lifetime: {{ env "MEDIA_RETENTION_REMOTE_LIFETIME" }}
+  {{ end }}
+{{ end }}
 
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#enable_metrics
 enable_metrics: false
@@ -305,13 +370,21 @@ opentracing:
   enabled: false
 
 # https://matrix-org.github.io/synapse/develop/usage/configuration/config_documentation.html#ratelimiting
+{{ if or (and (env "LOGIN_LIMIT_IP_PER_SECOND") (env "LOGIN_LIMIT_IP_BURST")) (and (env "LOGIN_LIMIT_ACCOUNT_PER_SECOND") (env "LOGIN_LIMIT_ACCOUNT_BURST")) }}
 rc_login:
+{{ if and (env "LOGIN_LIMIT_IP_PER_SECOND") (env "LOGIN_LIMIT_IP_BURST") }}
   address:
     per_second: {{ env "LOGIN_LIMIT_IP_PER_SECOND" }}
     burst_count: {{ env "LOGIN_LIMIT_IP_BURST" }}
+{{ end }}
+{{ if and (env "LOGIN_LIMIT_ACCOUNT_PER_SECOND") (env "LOGIN_LIMIT_ACCOUNT_BURST") }}
   account:
     per_second: {{ env "LOGIN_LIMIT_ACCOUNT_PER_SECOND" }}
     burst_count: {{ env "LOGIN_LIMIT_ACCOUNT_BURST" }}
+{{ end }}
+{{ end }}
 
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#web_client_location
+{{ if (env "WEB_CLIENT_LOCATION") }}
 web_client_location: {{ env "WEB_CLIENT_LOCATION" }}
+{{ end }}

mas.config.yaml.tmpl

@@ -0,0 +1,73 @@
+# Docs: https://element-hq.github.io/matrix-authentication-service/
+
+http:
+  public_base: https://{{ env "DOMAIN" }}/
+  trusted_proxies:
+    - 10.0.0.0/8
+    - 172.16.0.0/12
+    - 192.168.0.0/16
+    - 127.0.0.0/8
+    - fd00::/8
+    - ::1/128
+  listeners:
+    - name: web
+      resources:
+        - name: discovery
+        - name: human
+        - name: oauth
+        - name: compat
+        - name: graphql
+          playground: false
+        - name: assets
+        # https://element-hq.github.io/matrix-authentication-service/reference/configuration.html#httplisteners
+        - name: health
+      binds:
+        - address: "[::]:8080"
+
+database:
+  uri: postgresql://synapse:{{ secret "db_password" }}@{{ env "STACK_NAME" }}_db:5432/mas?sslmode=disable
+
+matrix:
+  kind: synapse
+  homeserver: {{ or (env "SERVER_NAME") (env "DOMAIN") }}
+  endpoint: http://{{ env "STACK_NAME" }}_app:8008/
+  secret_file: /run/secrets/mas_synapse_shared
+
+secrets:
+  # Plain hex in file (abra: length=64 charset=hex). See .env.sample modifiers.
+  encryption_file: /run/secrets/mas_encryption
+  keys:
+    - key_file: /run/secrets/mas_signing_rsa
+
+passwords:
+  enabled: true
+  schemes:
+    - version: 1
+      algorithm: bcrypt
+      unicode_normalization: true
+    - version: 2
+      algorithm: argon2id
+
+{{ if env "MAS_UPSTREAM_PROVIDER_ID" }}
+# https://element-hq.github.io/matrix-authentication-service/setup/sso.html
+upstream_oauth2:
+  providers:
+    - id: {{ env "MAS_UPSTREAM_PROVIDER_ID" }}
+      {{ if env "MAS_UPSTREAM_SYNAPSE_IDP_ID" }}synapse_idp_id: {{ env "MAS_UPSTREAM_SYNAPSE_IDP_ID" }}{{ end }}
+      human_name: {{ or (env "MAS_UPSTREAM_HUMAN_NAME") "SSO" }}
+      issuer: {{ env "MAS_UPSTREAM_ISSUER" }}
+      client_id: {{ env "MAS_UPSTREAM_CLIENT_ID" }}
+      client_secret_file: /run/secrets/mas_upstream_client_secret
+      token_endpoint_auth_method: client_secret_basic
+      scope: "openid profile email"
+      claims_imports:
+        localpart:
+          action: require
+          template: "{{ "{{ user.preferred_username }}" }}"
+        displayname:
+          action: suggest
+          template: "{{ "{{ user.name }}" }}"
+        email:
+          action: suggest
+          template: "{{ "{{ user.email }}" }}"
+{{ end }}

nginx.conf.tmpl

@@ -15,6 +15,14 @@ http {
     keepalive 16;
   }
 
+{{ if eq (env "MAS_ENABLED") "1" }}
+  upstream mas_upstream {
+    zone mas_upstream 64k;
+    server {{ env "STACK_NAME"}}_mas:8080 resolve;
+    keepalive 8;
+  }
+{{ end }}
+
   server {
     listen 80;
 
@@ -32,7 +40,30 @@ http {
       proxy_http_version 1.1;
     }
     
-    location ~* ^(\/_matrix|\/_synapse\/client) {
+{{ if eq (env "MAS_ENABLED") "1" }}
+    # MAS on same Host as Synapse (public_base = https://$DOMAIN/): browser/OIDC paths live at repo root, not only under /_matrix/
+    # Router reference: element-hq/matrix-authentication-service crates/router/src/endpoints.rs
+    # https://element-hq.github.io/matrix-authentication-service/setup/reverse-proxy.html
+    location ~ ^/(complete-compat-sso/|oauth2/|\.well-known/(openid-configuration|webfinger|change-password)|authorize|login|logout|register(/|$)|account/|upstream/|consent/|link(\?|/|$)|device/|recover(/|$)|assets/|graphql(/|$)|api/) {
+      proxy_pass http://mas_upstream;
+      proxy_http_version 1.1;
+      proxy_set_header Host $host;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto https;
+      client_max_body_size 50M;
+    }
+    # Matrix CS API compat (login / logout / refresh and subpaths, e.g. …/login/sso/redirect) — before generic /_matrix
+    location ~ ^/_matrix/client/[^/]+/(login|logout|refresh)(/.*)?$ {
+      proxy_pass http://mas_upstream;
+      proxy_http_version 1.1;
+      proxy_set_header Host $host;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto https;
+      client_max_body_size 50M;
+    }
+{{ end }}
+
+    location ~* ^(\/_matrix|\/_synapse\/client|\/_synapse\/mas) {
       proxy_pass http://matrix_upstream;
       proxy_set_header X-Forwarded-For $remote_addr;
       proxy_set_header X-Forwarded-Proto https;

release/7.1.0+v1.149.1

@@ -0,0 +1 @@
+added matrix-authentication-service as opt-in to the recipe, see readme for details

well_known_client.conf.tmpl

@@ -1,5 +1,8 @@
 {
   "m.homeserver": {
     "base_url": "https://{{ env "DOMAIN" }}"
-  }
+  }{{ if eq (env "MAS_ENABLED") "1" }},
+  "org.matrix.msc2965.authentication": {
+    "issuer": "https://{{ env "DOMAIN" }}/"
+  }{{ end }}
 }