Stabilize Matrix Authentication Service integration for Synapse

Related to https://github.com/element-hq/synapse/pull/18759 Currently problematic (leading to failures to start for Synapse) because of: https://github.com/element-hq/synapse/pull/18759#issuecomment-3172744530
2026-04-11 08:24:38 +03:00 · 2025-08-14 09:18:26 +03:00
26 changed files with 95 additions and 132 deletions
--- a/docs/configuring-playbook-bot-draupnir.md
+++ b/docs/configuring-playbook-bot-draupnir.md
@@ -242,12 +242,9 @@ For Draupnir to do its job, you need to [give it permissions](https://the-draupn
 We recommend **subscribing to a public [policy list](https://the-draupnir-project.github.io/draupnir-documentation/concepts/policy-lists)** using the [watch command](https://the-draupnir-project.github.io/draupnir-documentation/moderator/managing-policy-lists#using-draupnirs-watch-command-to-subscribe-to-policy-rooms).
-Policy lists are maintained in Matrix rooms. Popular ones maintained in the public are:
+Policy lists are maintained in Matrix rooms. A popular policy list is maintained in the public `#community-moderation-effort-bl:neko.dev` room.
- `#community-moderation-effort-bl:neko.dev`
+You can tell Draupnir to subscribe to it by sending the following command to the Management Room: `!draupnir watch #community-moderation-effort-bl:neko.dev`
 - `#huginn-muninn-active-threats:feline.support`
 You can tell Draupnir to subscribe to each of these by sending the following command to the Management Room: `!draupnir watch POLICY_LIST_ADDRESS_HERE` (e.g. `!draupnir watch #community-moderation-effort-bl:neko.dev`)
 #### Creating your own policy lists and rules
@@ -273,14 +270,14 @@ You can undo bans with the [unban command](https://the-draupnir-project.github.i
 ### Enabling built-in protections
-You can also **turn on various built-in [protections](https://the-draupnir-project.github.io/draupnir-documentation/protections)** like `JoinWaveShortCircuitProtection` ("If X amount of users join in Y time, set the room to invite-only").
+You can also **turn on various built-in [protections](https://the-draupnir-project.github.io/draupnir-documentation/protections)** like `JoinWaveShortCircuit` ("If X amount of users join in Y time, set the room to invite-only").
 To **see which protections are available and which are enabled**, send a `!draupnir protections` command to the Management Room.
-To [**see the configuration options for a given protection**](https://the-draupnir-project.github.io/draupnir-documentation/protections/configuring-protections#displaying-the-protection-settings), send a `!draupnir protections show PROTECTION_NAME` (e.g. `!draupnir protections show JoinWaveShortCircuitProtection`).
+To **see the configuration options for a given protection**, send a `!draupnir protections show PROTECTION_NAME` (e.g. `!draupnir protections show JoinWaveShortCircuit`).
-To [**set a specific option for a given protection**](https://the-draupnir-project.github.io/draupnir-documentation/protections/configuring-protections#changing-protection-settings), send a command like this: `!draupnir protections config set PROTECTION_NAME OPTION VALUE` (e.g. `!draupnir protections config set JoinWaveShortCircuitProtection timescaleMinutes 30`).
+To **set a specific option for a given protection**, send a command like this: `!draupnir config set PROTECTION_NAME.OPTION VALUE` (e.g. `!draupnir config set JoinWaveShortCircuit.timescaleMinutes 30`).
-To [**enable a given protection**](https://the-draupnir-project.github.io/draupnir-documentation/protections/block-invitations-on-server-protection#enabling-the-protection), send a command like this: `!draupnir protections enable PROTECTION_NAME` (e.g. `!draupnir protections enable JoinWaveShortCircuitProtection`).
+To **enable a given protection**, send a command like this: `!draupnir enable PROTECTION_NAME` (e.g. `!draupnir enable JoinWaveShortCircuit`).
-To **disable a given protection**, send a command like this: `!draupnir protections disable PROTECTION_NAME` (e.g. `!draupnir protections disable JoinWaveShortCircuitProtection`).
+To **disable a given protection**, send a command like this: `!draupnir disable PROTECTION_NAME` (e.g. `!draupnir disable JoinWaveShortCircuit`).
--- a/docs/configuring-playbook-bridge-hookshot.md
+++ b/docs/configuring-playbook-bridge-hookshot.md
@@ -35,7 +35,7 @@ matrix_hookshot_enabled: true
 # Uncomment to enable end-to-bridge encryption.
 # See: https://matrix-org.github.io/matrix-hookshot/latest/advanced/encryption.html
-# matrix_hookshot_encryption_enabled: true
+# matrix_hookshot_experimental_encryption_enabled: true
 # Uncomment and paste the contents of GitHub app private key to enable GitHub bridge.
 # Alternatively, you can use one of the other methods explained below on the "Manage GitHub Private Key with aux role" section.
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -669,17 +669,6 @@ matrix_authentication_service_config_passwords_schemes:
  - version: 2
    algorithm: argon2id
 matrix_authentication_service_config_clients_auto: |-
  {{
    ([
      {
        'client_id': matrix_synapse_experimental_features_msc3861_client_id,
        'client_auth_method': matrix_synapse_experimental_features_msc3861_client_auth_method,
        'client_secret': matrix_synapse_experimental_features_msc3861_client_secret,
      }
    ] if matrix_synapse_experimental_features_msc3861_enabled else [])
  }}
 matrix_authentication_service_config_email_transport: "{{ 'smtp' if exim_relay_enabled else 'blackhole' }}"
 matrix_authentication_service_config_email_hostname: "{{ exim_relay_identifier if exim_relay_enabled else '' }}"
 matrix_authentication_service_config_email_port: "{{ 8025 if exim_relay_enabled else 587 }}"
@@ -4911,7 +4900,7 @@ matrix_synapse_systemd_required_services_list_auto: |
    +
    (['matrix-goofys.service'] if matrix_s3_media_store_enabled else [])
    +
-    (['matrix-authentication-service.service'] if (matrix_authentication_service_enabled and matrix_synapse_experimental_features_msc3861_enabled) else [])
+    (['matrix-authentication-service.service'] if (matrix_synapse_matrix_authentication_service_enabled and matrix_synapse_matrix_authentication_service_endpoint == matrix_authentication_service_http_base_container_url) else [])
  }}
 matrix_synapse_systemd_wanted_services_list_auto: |
@@ -4945,11 +4934,9 @@ matrix_synapse_report_stats_endpoint: "{{ (('http://' + matrix_synapse_usage_exp
 matrix_synapse_experimental_features_msc3266_enabled: "{{ matrix_rtc_enabled }}"
-matrix_synapse_experimental_features_msc3861_enabled: "{{ matrix_authentication_service_enabled and not matrix_authentication_service_migration_in_progress }}"
+matrix_synapse_matrix_authentication_service_enabled: "{{ matrix_authentication_service_enabled }}"
-matrix_synapse_experimental_features_msc3861_issuer: "{{ matrix_authentication_service_http_base_container_url if matrix_authentication_service_enabled else '' }}"
+matrix_synapse_matrix_authentication_service_endpoint: "{{ matrix_authentication_service_http_base_container_url if matrix_authentication_service_enabled else '' }}"
-matrix_synapse_experimental_features_msc3861_client_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'syn.ngauth.cs', rounds=655555) | to_uuid }}"
+matrix_synapse_matrix_authentication_service_secret: "{{ matrix_authentication_service_config_matrix_secret if matrix_authentication_service_enabled else '' }}"
 matrix_synapse_experimental_features_msc3861_admin_token: "{{ matrix_authentication_service_config_matrix_secret if matrix_authentication_service_enabled else '' }}"
 matrix_synapse_experimental_features_msc3861_account_management_url: "{{ matrix_authentication_service_account_management_url if matrix_authentication_service_enabled else '' }}"
 matrix_synapse_experimental_features_msc4108_enabled: "{{ matrix_authentication_service_enabled and not matrix_authentication_service_migration_in_progress }}"
@@ -4961,7 +4948,7 @@ matrix_synapse_experimental_features_msc4222_enabled: "{{ matrix_rtc_enabled }}"
 # Unless this is done, Synapse fails on startup with:
 # > Error in configuration at 'password_config.enabled':
 # > Password auth cannot be enabled when OAuth delegation is enabled
-matrix_synapse_password_config_enabled: "{{ not matrix_synapse_experimental_features_msc3861_enabled }}"
+matrix_synapse_password_config_enabled: "{{ not matrix_synapse_matrix_authentication_service_enabled }}"
 matrix_synapse_register_user_script_matrix_authentication_service_path: "{{ matrix_authentication_service_bin_path }}/register-user"
--- a/requirements.yml
+++ b/requirements.yml
@@ -22,7 +22,7 @@
  version: v4.98.1-r0-2-1
  name: exim_relay
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-grafana.git
-  version: v11.6.5-0
+  version: v11.6.4-1
  name: grafana
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git
  version: v10431-1
@@ -43,10 +43,10 @@
  version: ff2fd42e1c1a9e28e3312bbd725395f9c2fc7f16
  name: playbook_state_preserver
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-postgres.git
-  version: v17.6-0
+  version: v17.5-5
  name: postgres
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-postgres-backup.git
-  version: v17-8
+  version: v17-7
  name: postgres_backup
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git
  version: v3.5.0-1
@@ -64,7 +64,7 @@
  version: v1.0.0-4
  name: systemd_service_manager
 - src: git+https://github.com/devture/com.devture.ansible.role.timesync.git
-  version: v1.1.0-0
+  version: v1.0.0-0
  name: timesync
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik.git
  version: v3.5.0-2
--- a/roles/custom/matrix-appservice-draupnir-for-all/defaults/main.yml
+++ b/roles/custom/matrix-appservice-draupnir-for-all/defaults/main.yml
@@ -12,7 +12,7 @@
 matrix_appservice_draupnir_for_all_enabled: true
 # renovate: datasource=docker depName=gnuxie/draupnir
-matrix_appservice_draupnir_for_all_version: "v2.6.1"
+matrix_appservice_draupnir_for_all_version: "v2.6.0"
 matrix_appservice_draupnir_for_all_container_image_self_build: false
 matrix_appservice_draupnir_for_all_container_image_self_build_repo: "https://github.com/the-draupnir-project/Draupnir.git"
--- a/roles/custom/matrix-bot-draupnir/defaults/main.yml
+++ b/roles/custom/matrix-bot-draupnir/defaults/main.yml
@@ -12,7 +12,7 @@
 matrix_bot_draupnir_enabled: true
 # renovate: datasource=docker depName=gnuxie/draupnir
-matrix_bot_draupnir_version: "v2.6.1"
+matrix_bot_draupnir_version: "v2.6.0"
 matrix_bot_draupnir_container_image_self_build: false
 matrix_bot_draupnir_container_image_self_build_repo: "https://github.com/the-draupnir-project/Draupnir.git"
--- a/roles/custom/matrix-bot-honoroit/defaults/main.yml
+++ b/roles/custom/matrix-bot-honoroit/defaults/main.yml
@@ -30,7 +30,7 @@ matrix_bot_honoroit_docker_repo_version: "{{ matrix_bot_honoroit_version }}"
 matrix_bot_honoroit_docker_src_files_path: "{{ matrix_base_data_path }}/honoroit/docker-src"
 # renovate: datasource=docker depName=ghcr.io/etkecc/honoroit
-matrix_bot_honoroit_version: v0.9.29
+matrix_bot_honoroit_version: v0.9.28
 matrix_bot_honoroit_docker_image: "{{ matrix_bot_honoroit_docker_image_registry_prefix }}etkecc/honoroit:{{ matrix_bot_honoroit_version }}"
 matrix_bot_honoroit_docker_image_registry_prefix: "{{ 'localhost/' if matrix_bot_honoroit_container_image_self_build else matrix_bot_honoroit_docker_image_registry_prefix_upstream }}"
 matrix_bot_honoroit_docker_image_registry_prefix_upstream: "{{ matrix_bot_honoroit_docker_image_registry_prefix_upstream_default }}"
--- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml
+++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml
@@ -29,7 +29,7 @@ matrix_hookshot_container_additional_networks_auto: []
 matrix_hookshot_container_additional_networks_custom: []
 # renovate: datasource=docker depName=halfshot/matrix-hookshot
-matrix_hookshot_version: 7.1.0
+matrix_hookshot_version: 7.0.0
 matrix_hookshot_docker_image: "{{ matrix_hookshot_docker_image_registry_prefix }}matrix-org/matrix-hookshot:{{ matrix_hookshot_version }}"
 matrix_hookshot_docker_image_registry_prefix: "{{ 'localhost/' if matrix_hookshot_container_image_self_build else matrix_hookshot_docker_image_registry_prefix_upstream }}"
@@ -181,9 +181,6 @@ matrix_hookshot_generic_urlPrefix: "{{ matrix_hookshot_urlprefix }}{{ matrix_hoo
 matrix_hookshot_generic_userIdPrefix: '_webhooks_'  # noqa var-naming
 matrix_hookshot_generic_allowJsTransformationFunctions: false  # noqa var-naming
 matrix_hookshot_generic_waitForComplete: false  # noqa var-naming
 matrix_hookshot_generic_sendExpiryNotice: false  # noqa var-naming
 matrix_hookshot_generic_requireExpiryTime: false  # noqa var-naming
 matrix_hookshot_generic_maxExpiryTime: "30d"  # noqa var-naming
 matrix_hookshot_feeds_enabled: true
--- a/roles/custom/matrix-bridge-hookshot/templates/config.yaml.j2
+++ b/roles/custom/matrix-bridge-hookshot/templates/config.yaml.j2
@@ -80,9 +80,6 @@ generic:
  userIdPrefix: {{ matrix_hookshot_generic_userIdPrefix | to_json }}
  allowJsTransformationFunctions: {{ matrix_hookshot_generic_allowJsTransformationFunctions | to_json }}
  waitForComplete: {{ matrix_hookshot_generic_waitForComplete | to_json }}
  sendExpiryNotice: {{ matrix_hookshot_generic_sendExpiryNotice | to_json }}
  requireExpiryTime: {{ matrix_hookshot_generic_requireExpiryTime | to_json }}
  maxExpiryTime: {{ matrix_hookshot_generic_maxExpiryTime | to_json }}
 {% endif %}
 {% if matrix_hookshot_feeds_enabled %}
 feeds:
--- a/roles/custom/matrix-bridge-mautrix-gmessages/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-gmessages/defaults/main.yml
@@ -18,7 +18,7 @@ matrix_mautrix_gmessages_container_image_self_build_repo: "https://github.com/ma
 matrix_mautrix_gmessages_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_gmessages_version == 'latest' else matrix_mautrix_gmessages_version }}"
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/gmessages
-matrix_mautrix_gmessages_version: v0.6.5
+matrix_mautrix_gmessages_version: v0.6.4
 # See: https://mau.dev/mautrix/gmessages/container_registry
 matrix_mautrix_gmessages_docker_image: "{{ matrix_mautrix_gmessages_docker_image_registry_prefix }}mautrix/gmessages:{{ matrix_mautrix_gmessages_version }}"
--- a/roles/custom/matrix-bridge-mautrix-meta-instagram/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-meta-instagram/defaults/main.yml
@@ -20,7 +20,7 @@ matrix_mautrix_meta_instagram_enabled: true
 matrix_mautrix_meta_instagram_identifier: matrix-mautrix-meta-instagram
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/meta
-matrix_mautrix_meta_instagram_version: v0.5.3
+matrix_mautrix_meta_instagram_version: v0.5.2
 matrix_mautrix_meta_instagram_base_path: "{{ matrix_base_data_path }}/mautrix-meta-instagram"
 matrix_mautrix_meta_instagram_config_path: "{{ matrix_mautrix_meta_instagram_base_path }}/config"
--- a/roles/custom/matrix-bridge-mautrix-meta-messenger/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-meta-messenger/defaults/main.yml
@@ -20,7 +20,7 @@ matrix_mautrix_meta_messenger_enabled: true
 matrix_mautrix_meta_messenger_identifier: matrix-mautrix-meta-messenger
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/meta
-matrix_mautrix_meta_messenger_version: v0.5.3
+matrix_mautrix_meta_messenger_version: v0.5.2
 matrix_mautrix_meta_messenger_base_path: "{{ matrix_base_data_path }}/mautrix-meta-messenger"
 matrix_mautrix_meta_messenger_config_path: "{{ matrix_mautrix_meta_messenger_base_path }}/config"
--- a/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml
@@ -25,7 +25,7 @@ matrix_mautrix_signal_container_image_self_build_repo: "https://mau.dev/mautrix/
 matrix_mautrix_signal_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_signal_version == 'latest' else matrix_mautrix_signal_version }}"
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/signal
-matrix_mautrix_signal_version: v0.8.6
+matrix_mautrix_signal_version: v0.8.5
 # See: https://mau.dev/mautrix/signal/container_registry
 matrix_mautrix_signal_docker_image: "{{ matrix_mautrix_signal_docker_image_registry_prefix }}mautrix/signal:{{ matrix_mautrix_signal_docker_image_tag }}"
--- a/roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml
@@ -17,7 +17,7 @@ matrix_mautrix_slack_container_image_self_build_repo: "https://mau.dev/mautrix/s
 matrix_mautrix_slack_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_slack_version == 'latest' else matrix_mautrix_slack_version }}"
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/slack
-matrix_mautrix_slack_version: v0.2.3
+matrix_mautrix_slack_version: v0.2.2
 # See: https://mau.dev/mautrix/slack/container_registry
 matrix_mautrix_slack_docker_image: "{{ matrix_mautrix_slack_docker_image_registry_prefix }}mautrix/slack:{{ matrix_mautrix_slack_version }}"
 matrix_mautrix_slack_docker_image_registry_prefix: "{{ 'localhost/' if matrix_mautrix_slack_container_image_self_build else matrix_mautrix_slack_docker_image_registry_prefix_upstream }}"
--- a/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml
@@ -22,7 +22,7 @@ matrix_mautrix_twitter_container_image_self_build_repo: "https://github.com/maut
 matrix_mautrix_twitter_container_image_self_build_repo_version: "{{ 'master' if matrix_mautrix_twitter_version == 'latest' else matrix_mautrix_twitter_version }}"
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/twitter
-matrix_mautrix_twitter_version: v0.5.0
+matrix_mautrix_twitter_version: v0.4.3
 # See: https://mau.dev/tulir/mautrix-twitter/container_registry
 matrix_mautrix_twitter_docker_image: "{{ matrix_mautrix_twitter_docker_image_registry_prefix }}mautrix/twitter:{{ matrix_mautrix_twitter_version }}"
 matrix_mautrix_twitter_docker_image_registry_prefix: "{{ 'localhost/' if matrix_mautrix_twitter_container_image_self_build else matrix_mautrix_twitter_docker_image_registry_prefix_upstream }}"
--- a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml
@@ -28,7 +28,7 @@ matrix_mautrix_whatsapp_container_image_self_build_repo: "https://mau.dev/mautri
 matrix_mautrix_whatsapp_container_image_self_build_branch: "{{ 'master' if matrix_mautrix_whatsapp_version == 'latest' else matrix_mautrix_whatsapp_version }}"
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/whatsapp
-matrix_mautrix_whatsapp_version: v0.12.4
+matrix_mautrix_whatsapp_version: v0.12.3
 # See: https://mau.dev/mautrix/whatsapp/container_registry
 matrix_mautrix_whatsapp_docker_image: "{{ matrix_mautrix_whatsapp_docker_image_registry_prefix }}mautrix/whatsapp:{{ matrix_mautrix_whatsapp_version }}"
--- a/roles/custom/matrix-client-cinny/defaults/main.yml
+++ b/roles/custom/matrix-client-cinny/defaults/main.yml
@@ -17,7 +17,7 @@ matrix_client_cinny_container_image_self_build: false
 matrix_client_cinny_container_image_self_build_repo: "https://github.com/ajbura/cinny.git"
 # renovate: datasource=docker depName=ajbura/cinny
-matrix_client_cinny_version: v4.9.1
+matrix_client_cinny_version: v4.9.0
 matrix_client_cinny_docker_image: "{{ matrix_client_cinny_docker_image_registry_prefix }}ajbura/cinny:{{ matrix_client_cinny_version }}"
 matrix_client_cinny_docker_image_registry_prefix: "{{ 'localhost/' if matrix_client_cinny_container_image_self_build else matrix_client_cinny_docker_image_registry_prefix_upstream }}"
 matrix_client_cinny_docker_image_registry_prefix_upstream: "{{ matrix_client_cinny_docker_image_registry_prefix_upstream_default }}"
--- a/roles/custom/matrix-client-fluffychat/defaults/main.yml
+++ b/roles/custom/matrix-client-fluffychat/defaults/main.yml
@@ -13,7 +13,7 @@ matrix_client_fluffychat_container_image_self_build_repo: "https://github.com/et
 matrix_client_fluffychat_container_image_self_build_version: "{{ 'main' if matrix_client_fluffychat_version == 'latest' else matrix_client_fluffychat_version }}"
 # renovate: datasource=docker depName=ghcr.io/etkecc/fluffychat-web
-matrix_client_fluffychat_version: v2.1.0
+matrix_client_fluffychat_version: v2.0.0
 matrix_client_fluffychat_docker_image: "{{ matrix_client_fluffychat_docker_image_registry_prefix }}etkecc/fluffychat-web:{{ matrix_client_fluffychat_version }}"
 matrix_client_fluffychat_docker_image_registry_prefix: "{{ 'localhost/' if matrix_client_fluffychat_container_image_self_build else matrix_client_fluffychat_docker_image_registry_prefix_upstream }}"
 matrix_client_fluffychat_docker_image_registry_prefix_upstream: "{{ matrix_client_fluffychat_docker_image_registry_prefix_upstream_default }}"
--- a/roles/custom/matrix-client-schildichat/defaults/main.yml
+++ b/roles/custom/matrix-client-schildichat/defaults/main.yml
@@ -19,7 +19,7 @@ matrix_client_schildichat_container_image_self_build_version: "{{ 'lite' if matr
 matrix_client_schildichat_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}"
 # renovate: datasource=docker depName=ghcr.io/etkecc/schildichat-web
-matrix_client_schildichat_version: 1.11.109-sc.0.test.0
+matrix_client_schildichat_version: 1.11.103-sc.0.test.0
 matrix_client_schildichat_docker_image: "{{ matrix_client_schildichat_docker_image_registry_prefix }}etkecc/schildichat-web:{{ matrix_client_schildichat_version }}"
 matrix_client_schildichat_docker_image_registry_prefix: "{{ 'localhost/' if matrix_client_schildichat_container_image_self_build else matrix_client_schildichat_docker_image_registry_prefix_upstream }}"
 matrix_client_schildichat_docker_image_registry_prefix_upstream: "{{ matrix_client_schildichat_docker_image_registry_prefix_upstream_default }}"
--- a/roles/custom/matrix-corporal/defaults/main.yml
+++ b/roles/custom/matrix-corporal/defaults/main.yml
@@ -16,7 +16,7 @@
 matrix_corporal_enabled: true
 # renovate: datasource=docker depName=ghcr.io/devture/matrix-corporal
-matrix_corporal_version: 3.1.5
+matrix_corporal_version: 3.1.4
 matrix_corporal_container_image_self_build: false
 matrix_corporal_container_image_self_build_repo: "https://github.com/devture/matrix-corporal.git"
--- a/roles/custom/matrix-dendrite/defaults/main.yml
+++ b/roles/custom/matrix-dendrite/defaults/main.yml
@@ -29,7 +29,7 @@ matrix_dendrite_docker_image_registry_prefix: "{{ 'localhost/' if matrix_dendrit
 matrix_dendrite_docker_image_registry_prefix_upstream: "{{ matrix_dendrite_docker_image_registry_prefix_upstream_default }}"
 matrix_dendrite_docker_image_registry_prefix_upstream_default: docker.io/
 # renovate: datasource=docker depName=matrixdotorg/dendrite-monolith
-matrix_dendrite_docker_image_tag: "v0.15.2"
+matrix_dendrite_docker_image_tag: "v0.15.1"
 matrix_dendrite_docker_image_force_pull: "{{ matrix_dendrite_docker_image.endswith(':latest') }}"
 matrix_dendrite_base_path: "{{ matrix_base_data_path }}/dendrite"
--- a/roles/custom/matrix-synapse/defaults/main.yml
+++ b/roles/custom/matrix-synapse/defaults/main.yml
@@ -1216,13 +1216,6 @@ matrix_synapse_email_app_name: Matrix
 matrix_synapse_email_client_base_url: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}://{{ matrix_server_fqn_element }}"
 matrix_synapse_email_invite_client_location: "https://app.element.io"
 ################################################################################
 #
 # Next-generation auth for Matrix, based on OAuth 2.0/OIDC
 #
 ################################################################################
 # Controls whether to enable the "send typing, presence and receipts to appservices" experimental feature.
 #
 # See:
@@ -1244,50 +1237,29 @@ matrix_synapse_experimental_features_msc3202_device_masquerading_enabled: false
 # - https://matrix-org.github.io/matrix-hookshot/latest/advanced/encryption.html#running-with-synapse
 matrix_synapse_experimental_features_msc3202_transaction_extensions_enabled: false
-# Controls whether to enable the "Next-generation auth for Matrix, based on OAuth 2.0/OIDC" experimental feature.
+################################################################################
 #
 # Next-generation auth for Matrix, based on OAuth 2.0/OIDC
 #
 ################################################################################
 # Controls whether to enable "Matrix Authentication Service" integration ("Next-generation auth for Matrix, based on OAuth 2.0/OIDC").
 # See:
 # - https://github.com/element-hq/matrix-authentication-service
 # - https://matrix.org/blog/2023/09/better-auth/
 # - https://github.com/matrix-org/matrix-spec-proposals/pull/3861
-matrix_synapse_experimental_features_msc3861_enabled: false
+matrix_synapse_matrix_authentication_service_enabled: false
-# Specifies the issuer URL for the OAuth 2.0/OIDC authentication provider.
+# Specifies the base URL where the Matrix Authentication Service is running.
-#
+matrix_synapse_matrix_authentication_service_endpoint: ""
 # This can be set to a private (container) URL.
 #
 # Example: https://matrix.example.com/auth/
 matrix_synapse_experimental_features_msc3861_issuer: ''
-# Specifies the introspection endpoint URL for the OAuth 2.0/OIDC authentication provider.
+# Specifies the shared secret used to authenticate Matrix Authentication Service requests.
-#
+# Must be the same as `matrix.secret` in the Matrix Authentication Service configuration.
-# This can be set to a private (container) URL.
+# See https://element-hq.github.io/matrix-authentication-service/reference/configuration.html#matrix
-#
+matrix_synapse_matrix_authentication_service_secret: ""
 # If this is left empty, `{issuer}/.well-known/openid-configuration` will be fetched and the `introspection_endpoint` will be extracted from there.
 # We define it explicitly, because this allows us to override it and use an internal (container network) URL instead of using the public one.
 # Avoiding public addresses is an optimization that decreases overhead due to public networking and SSL termination.
 #
 # Example: https://matrix.example.com/auth/oauth2/introspect
 matrix_synapse_experimental_features_msc3861_introspection_endpoint: "{{ matrix_synapse_experimental_features_msc3861_issuer + 'oauth2/introspect' }}"
 # A unique identifier for the client.
 #
 # It must be a valid ULID (https://github.com/ulid/spec),
 # and it happens that 0000000000000000000SYNAPSE is a valid ULID.
 matrix_synapse_experimental_features_msc3861_client_id: '0000000000000000000SYNAPSE'
 matrix_synapse_experimental_features_msc3861_client_auth_method: client_secret_basic
 matrix_synapse_experimental_features_msc3861_client_secret: ''
 # A token that can be used to make admin API calls.
 # Matches `matrix.secret` in the matrix-authentication-service config
 matrix_synapse_experimental_features_msc3861_admin_token: ''
 # URL to advertise to clients where users can self-manage their account.
 matrix_synapse_experimental_features_msc3861_account_management_url: ''
 # Controls whether to enable the "QR code login" experimental feature.
-# Enabling this requires that MSC3861 (see `matrix_synapse_experimental_features_msc3861_enabled`) is also enabled.
+# Enabling this requires that Matrix Authentication Service integration (see `matrix_synapse_matrix_authentication_service_enabled`) is also enabled.
 matrix_synapse_experimental_features_msc4108_enabled: false
 ################################################################################
--- a/roles/custom/matrix-synapse/tasks/main.yml
+++ b/roles/custom/matrix-synapse/tasks/main.yml
@@ -62,7 +62,7 @@
 - tags:
    - register-user
  block:
-    - when: matrix_synapse_enabled and not matrix_synapse_experimental_features_msc3861_enabled
+    - when: matrix_synapse_enabled and not matrix_synapse_matrix_authentication_service_enabled
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/register_user.yml"
 - tags:
--- a/roles/custom/matrix-synapse/tasks/validate_config.yml
+++ b/roles/custom/matrix-synapse/tasks/validate_config.yml
@@ -39,23 +39,11 @@
    - {'name': 'matrix_synapse_metrics_proxying_hostname', when: "{{ matrix_synapse_metrics_proxying_enabled }}"}
    - {'name': 'matrix_synapse_metrics_proxying_path_prefix', when: "{{ matrix_synapse_metrics_proxying_enabled }}"}
-    - {'name': 'matrix_synapse_experimental_features_msc3861_issuer', when: "{{ matrix_synapse_experimental_features_msc3861_enabled }}"}
+    - {'name': 'matrix_synapse_matrix_authentication_service_endpoint', when: "{{ matrix_synapse_matrix_authentication_service_enabled }}"}
-    - {'name': 'matrix_synapse_experimental_features_msc3861_client_id', when: "{{ matrix_synapse_experimental_features_msc3861_enabled }}"}
+    - {'name': 'matrix_synapse_matrix_authentication_service_secret', when: "{{ matrix_synapse_matrix_authentication_service_enabled }}"}
    - {'name': 'matrix_synapse_experimental_features_msc3861_client_auth_method', when: "{{ matrix_synapse_experimental_features_msc3861_enabled }}"}
    - {'name': 'matrix_synapse_experimental_features_msc3861_client_secret', when: "{{ matrix_synapse_experimental_features_msc3861_enabled }}"}
    - {'name': 'matrix_synapse_experimental_features_msc3861_admin_token', when: "{{ matrix_synapse_experimental_features_msc3861_enabled }}"}
    - {'name': 'matrix_synapse_experimental_features_msc3861_account_management_url', when: "{{ matrix_synapse_experimental_features_msc3861_enabled }}"}
    - {'name': 'matrix_synapse_container_labels_traefik_compression_middleware_name', when: "{{ matrix_synapse_container_labels_traefik_compression_middleware_enabled }}"}
 # If only MSC 4108 is enabled, Synapse fails with: "MSC4108 requires MSC3861 to be enabled"
 - name: Fail if Synapse experimental feature QR code login (MSC4108) is enabled while Next-Gen Auth (MSC3861) is not
  ansible.builtin.fail:
    msg: >-
      QR code login (MSC4108) requires Next-Gen Auth (MSC3861) to be enabled or Synapse will fail to start.
      Enable `matrix_synapse_experimental_features_msc3861_enabled` when using `matrix_synapse_experimental_features_msc4108_enabled`.
  when: "matrix_synapse_experimental_features_msc4108_enabled and not matrix_synapse_experimental_features_msc3861_enabled"
 - name: Fail if asking for more than 1 instance of single-instance workers
  ansible.builtin.fail:
    msg: >-
@@ -121,6 +109,14 @@
    - {'old': 'matrix_s3_goofys_docker_image_name_prefix', 'new': 'matrix_s3_goofys_docker_image_registry_prefix'}
    - {'old': 'matrix_synapse_rust_synapse_compress_state_docker_image_name_prefix', 'new': 'matrix_synapse_rust_synapse_compress_state_docker_image_registry_prefix'}
    - {'old': 'matrix_synapse_experimental_features_msc3861_enabled', 'new': 'matrix_synapse_matrix_authentication_service_enabled'}
    - {'old': 'matrix_synapse_experimental_features_msc3861_issuer', 'new': '<superseded by matrix_synapse_matrix_authentication_service_endpoint>'}
    - {'old': 'matrix_synapse_experimental_features_msc3861_client_id', 'new': '<removed>'}
    - {'old': 'matrix_synapse_experimental_features_msc3861_client_auth_method', 'new': '<removed>'}
    - {'old': 'matrix_synapse_experimental_features_msc3861_client_secret', 'new': '<removed>'}
    - {'old': 'matrix_synapse_experimental_features_msc3861_admin_token', 'new': '<removed>'}
    - {'old': 'matrix_synapse_experimental_features_msc3861_account_management_url', 'new': '<removed>'}
 - name: (Deprecation) Catch and report renamed settings in matrix_synapse_configuration_extension_yaml
  ansible.builtin.fail:
    msg: >-
@@ -163,8 +159,8 @@
 - name: Fail if known Synapse password provider modules are enabled when auth is delegated to Matrix Authentication Service
  ansible.builtin.fail:
-    msg: "When Synapse is delegating authentication to Matrix Authentication Service, it does not make sense to enable password provider modules, because it is not Synapse that is handling authentication. Please disable {{ item }} before enabling Matrix Authentication Service integration for Synapse. Synapse will refuse to start otherwise."
+    msg: "When Synapse is delegating authentication to Matrix Authentication Service (`matrix_synapse_matrix_authentication_service_enabled: true`), it does not make sense to enable password provider modules, because it is not Synapse that is handling authentication. Please disable {{ item }} before enabling Matrix Authentication Service integration for Synapse. Synapse will refuse to start otherwise."
-  when: matrix_synapse_experimental_features_msc3861_enabled and vars[item] | bool
+  when: matrix_synapse_matrix_authentication_service_enabled and vars[item] | bool
  with_items:
    - matrix_synapse_ext_password_provider_rest_auth_enabled
    - matrix_synapse_ext_password_provider_shared_secret_auth_enabled
@@ -172,10 +168,30 @@
 - name: Fail if password config is enabled for Synapse when auth is delegated to Matrix Authentication Service
  ansible.builtin.fail:
-    msg: "When Synapse is delegating authentication to Matrix Authentication Service, it doesn't make sense to enable the password config (`matrix_synapse_password_config_enabled: true`), because it is not Synapse that is handling authentication. Please remove your `matrix_synapse_password_config_enabled: true` setting before enabling Matrix Authentication Service integration for Synapse. Synapse will refuse to start otherwise."
+    msg: "When Synapse is delegating authentication to Matrix Authentication Service (`matrix_synapse_matrix_authentication_service_enabled: true`), it doesn't make sense to enable the password config (`matrix_synapse_password_config_enabled: true`), because it is not Synapse that is handling authentication. Please remove your `matrix_synapse_password_config_enabled: true` setting before enabling Matrix Authentication Service integration for Synapse. Synapse will refuse to start otherwise."
-  when: matrix_synapse_experimental_features_msc3861_enabled and matrix_synapse_password_config_enabled
+  when: matrix_synapse_matrix_authentication_service_enabled and matrix_synapse_password_config_enabled
- name: Fail if QR code login (MSC4108) is enabled while Next-Gen Auth (MSC3861) is not
+- name: Fail if registration is enabled for Synapse when auth is delegated to Matrix Authentication Service
  ansible.builtin.fail:
-    msg: "When Synapse QR code login is enabled (MSC4108 via `matrix_synapse_experimental_features_msc4108_enabled`), Next-Gen auth (MSC3861 via `matrix_synapse_experimental_features_msc3861_enabled`) must also be enabled."
+    msg: "When Synapse is delegating authentication to Matrix Authentication Service (`matrix_synapse_matrix_authentication_service_enabled: true`), it doesn't make sense to enable registration (`matrix_synapse_enable_registration: true`), because it is not Synapse that is handling authentication. Synapse will refuse to start otherwise."
-  when: matrix_synapse_experimental_features_msc4108_enabled and not matrix_synapse_experimental_features_msc3861_enabled
+  when: matrix_synapse_matrix_authentication_service_enabled and matrix_synapse_enable_registration
 - name: Fail if registration CAPTCHA is enabled for Synapse when auth is delegated to Matrix Authentication Service
  ansible.builtin.fail:
    msg: "When Synapse is delegating authentication to Matrix Authentication Service (`matrix_synapse_matrix_authentication_service_enabled: true`), it doesn't make sense to enable registration CAPTCHA (`matrix_synapse_enable_registration_captcha: true`), because it is not Synapse that is handling authentication. Synapse will refuse to start otherwise."
  when: matrix_synapse_matrix_authentication_service_enabled and matrix_synapse_enable_registration_captcha
 - name: Fail if OpenID Connect is enabled for Synapse when auth is delegated to Matrix Authentication Service
  ansible.builtin.fail:
    msg: "When Synapse is delegating authentication to Matrix Authentication Service (`matrix_synapse_matrix_authentication_service_enabled: true`), it doesn't make sense to enable OpenID Connect (`matrix_synapse_oidc_enabled: true`), because it is not Synapse that is handling authentication. Synapse will refuse to start otherwise."
  when: matrix_synapse_matrix_authentication_service_enabled and matrix_synapse_oidc_enabled
 - name: Fail if CAS config is enabled for Synapse when auth is delegated to Matrix Authentication Service
  ansible.builtin.fail:
    msg: "When Synapse is delegating authentication to Matrix Authentication Service (`matrix_synapse_matrix_authentication_service_enabled: true`), it doesn't make sense to enable CAS config (`matrix_synapse_cas_config_enabled: true`), because it is not Synapse that is handling authentication. Synapse will refuse to start otherwise."
  when: matrix_synapse_matrix_authentication_service_enabled and matrix_synapse_cas_config_enabled
 - name: Fail if QR code login (MSC4108) is enabled while Matrix Authentication Service is not
  ansible.builtin.fail:
    msg: "When Synapse QR code login is enabled (MSC4108 via `matrix_synapse_experimental_features_msc4108_enabled`), Matrix Authentication Service integration (`matrix_synapse_matrix_authentication_service_enabled`) must also be enabled."
  when: matrix_synapse_experimental_features_msc4108_enabled and not matrix_synapse_matrix_authentication_service_enabled
--- a/roles/custom/matrix-synapse/templates/synapse/bin/register-user.j2
+++ b/roles/custom/matrix-synapse/templates/synapse/bin/register-user.j2
@@ -1,7 +1,7 @@
 #jinja2: lstrip_blocks: True
 #!/bin/bash
-{% if matrix_synapse_experimental_features_msc3861_enabled %}
+{% if matrix_synapse_matrix_authentication_service_enabled %}
 	echo "Registering users is handled by the Matrix Authentication Service, so you cannot use this script anymore."
 	echo "Consider using the {{ matrix_synapse_register_user_script_matrix_authentication_service_path }} script instead."
 	exit 2
--- a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2
+++ b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2
@@ -2971,6 +2971,14 @@ background_updates:
    #
    #default_batch_size: 50
 {% if matrix_synapse_matrix_authentication_service_enabled %}
 matrix_authentication_service:
  enabled: true
  endpoint: {{ matrix_synapse_matrix_authentication_service_endpoint | to_json }}
  secret: {{ matrix_synapse_matrix_authentication_service_secret | to_json }}
 {% endif %}
 experimental_features:
  {% if matrix_synapse_experimental_features_msc2409_to_device_messages_enabled %}
  msc2409_to_device_messages_enabled: true
@@ -2984,17 +2992,6 @@ experimental_features:
  {% if matrix_synapse_experimental_features_msc3266_enabled %}
  msc3266_enabled: true
  {% endif %}
  {% if matrix_synapse_experimental_features_msc3861_enabled %}
  msc3861:
    enabled: true
    issuer: {{ matrix_synapse_experimental_features_msc3861_issuer | to_json }}
    introspection_endpoint: {{ matrix_synapse_experimental_features_msc3861_introspection_endpoint | to_json }}
    client_id: {{ matrix_synapse_experimental_features_msc3861_client_id | to_json }}
    client_auth_method: {{ matrix_synapse_experimental_features_msc3861_client_auth_method | to_json }}
    client_secret: {{ matrix_synapse_experimental_features_msc3861_client_secret | to_json }}
    admin_token: {{ matrix_synapse_experimental_features_msc3861_admin_token | to_json }}
    account_management_url: {{ matrix_synapse_experimental_features_msc3861_account_management_url | to_json }}
  {% endif %}
  {% if matrix_synapse_experimental_features_msc4108_enabled %}
  msc4108_enabled: true
  {% endif %}