I did some digging, this is what I think is needed: The current package uses: Synapse v1.144.0 (which is compatible - MAS requires v1.136.0+) Cloudron OIDC for SSO (traditional OIDC provider approach) PostgreSQL as the database Standard Matrix authentication endpoints What MAS Integration Requires MAS is fundamentally different from traditional OIDC - it's not just another identity provider, but a complete replacement for Synapse's internal authentication system per MSC3861. It needs: 1. MAS Service Deployment MAS needs to run as a separate service (not just a config change) It requires its own separate PostgreSQL database It needs its own domain/subdomain (e.g., auth.matrix.example.com) Docker image: ghcr.io/element-hq/matrix-authentication-service:latest 2. MAS Configuration Requirements Encryption secrets and signing keys (RSA minimum) Connection to Synapse via shared secret Database configuration for its own PostgreSQL database HTTP listener configuration Email configuration for password recovery Policy configuration (WASM file) 3. Synapse Configuration Changes Replace traditional OIDC with matrix_authentication_service section: matrix_authentication_service: enabled: true endpoint: http://mas-internal:8080/ secret: "SharedSecretWithMAS" 4. Reverse Proxy Changes These Matrix endpoints must be routed to MAS (not Synapse): /_matrix/client/*/login /_matrix/client/*/logout /_matrix/client/*/refresh 5. User Migration (For Existing Deployments) MAS includes syn2mas tool to migrate: Existing password hashes (bcrypt → argon2id) Sessions and devices Access tokens Upstream IdP mappings

A customer of mine is having the same issue. For me it works, because I'm not using SSO/OIDC, but they are and are unable to hop on video calls, which is a shame. If what I'm reading is true, the package needs quite a bit of adjustment to make it work

@chetbaker I think you have basically two options: Use the Admin UI to select large/old files and delete them Use s3 as storage and implement lifecycle rules Using the Admin UI is probably the esiest and most granulate option. [image: 1764295505034-screenshot-2025-11-27-at-20.04.38-resized.png]

Hello @scooke Glad I could explain/resolve this issue for you.

@nichu42 Would you mind sharing the cronjob? What is it calling?

@robi I deleted that message, was spam .

@andreasdueren It's resolved ^^. We're typing at the same time

@tomnick this is the Cloudron forum . It's for the matrix synapse package on Cloudron .

@DidierMalenfant test with command line tools to see if there are any formatting issues that might be causing this.

@stefanwirtz said in New to Cloudron & Matrix/Element: the error message I got was command not found What is this error message from? (Your statement above this says curl worked fine?) .

I can recommend to disable e2ee for channels. This makes everything smoother and especially allows all clients to search for messages without downloading everything. If you trust the server (probably your own) with the synapse instance, e2ee doesn't bring much extra security wise.

@james I never got OIDC "fixed". I was able to log in again simply by resetting the password. I haven't tried adding new users since the migration because only my immediate family and myself use the app. Feel free to mark it as solved. Thank you.

If I understand correctly, https://github.com/element-hq/element-call has to be packaged as a separate app package. Maybe you can open an App request here and we can look into it .

Man that helps a lot. Thank you so much. I wonder if we want to update the docs to add rooms/spaces via matrixrooms.info because of this. Either way, thank you so very much.

https://git.cloudron.io/packages/synapse-app/-/merge_requests/23

@jdaviescoates I installed Element X the moment I heard about it. It logged in fine and ran both apps on my phone for a while. @BrutalBirdie I think that's the root of my issues now that you mention it. I migrated my Synapse to another Cloudron a while back, app only and not the CR users. Luckily, I just had to reset the password to get it working again, but things definitely aren't wired right in the backend. I have too many work related room that I don't want to lose, hence the procrastination of setting up a new Synapse.

@nichu42 OK thanks I have to read through the whole documentation then to try this out

@nebulon not sure. Maybe I accidentally removed it when I set up Prometheus

Negative. Please, disregard what have been said earlier: OpenID from Cloudron could be used as is. Happy to share my findings on setting up the service with @vladimir.d or whoever will be doing this configuration for everyone on Cloudron.