Add retry logic for MAS user registration on database auth failure

When the Postgres role updates database passwords (e.g., due to a
change in the secret derivation method), the Matrix Authentication
Service container may still be running with old configuration that
references the previous password. This causes mas-cli to fail with
"password authentication failed" when the matrix-user-creator role
tries to register users.

Rather than adding config-change detection or eager restarts to the
MAS role, this adds targeted retry logic: if the initial registration
attempt fails with a database authentication error, restart the MAS
service (which picks up the new config with the updated password),
wait for it to start, and retry. The restart usually only triggers
once per run since subsequent user registrations succeed after the restart.

Related to c21a80d232

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

roles/custom/matrix-user-creator/tasks/util/ensure_user_registered_matrix_authentication_service.yml

@@ -4,9 +4,9 @@
 
 ---
 
-- name: Ensure Matrix Authentication Service user registered - {{ user.username | quote }}
-  ansible.builtin.command:
-    cmd: |-
+- name: Build Matrix Authentication Service user registration command - {{ user.username | quote }}
+  ansible.builtin.set_fact:
+    matrix_authentication_service_register_user_command: |-
       {{ devture_systemd_docker_base_host_command_docker }} exec matrix-authentication-service
       mas-cli manage register-user
       -p {{ user.initial_password | quote }}
@@ -18,6 +18,31 @@
         --no-admin
       {% endif %}
       {{ user.username | quote }}
+
+- name: Ensure Matrix Authentication Service user registered - {{ user.username | quote }}
+  ansible.builtin.command:
+    cmd: "{{ matrix_authentication_service_register_user_command }}"
   register: matrix_authentication_service_register_user_result
   changed_when: "matrix_authentication_service_register_user_result.rc == 0 and 'Error: User already exists' not in matrix_authentication_service_register_user_result.stderr"
-  failed_when: "matrix_authentication_service_register_user_result.rc != 0 and 'Error: User already exists' not in matrix_authentication_service_register_user_result.stderr"
+  failed_when: >-
+    matrix_authentication_service_register_user_result.rc != 0
+    and 'Error: User already exists' not in matrix_authentication_service_register_user_result.stderr
+    and 'password authentication failed' not in matrix_authentication_service_register_user_result.stderr
+
+- when: "'password authentication failed' in matrix_authentication_service_register_user_result.stderr | default('')"
+  block:
+    - name: Restart Matrix Authentication Service due to database authentication failure (likely a password change)
+      ansible.builtin.service:
+        name: "matrix-authentication-service.service"
+        state: restarted
+
+    - name: Wait for Matrix Authentication Service to start after restart
+      ansible.builtin.pause:
+        seconds: "{{ matrix_user_creator_homeserver_start_wait_time_seconds }}"
+
+    - name: Retry Matrix Authentication Service user registration - {{ user.username | quote }}
+      ansible.builtin.command:
+        cmd: "{{ matrix_authentication_service_register_user_command }}"
+      register: matrix_authentication_service_register_user_result
+      changed_when: "matrix_authentication_service_register_user_result.rc == 0 and 'Error: User already exists' not in matrix_authentication_service_register_user_result.stderr"
+      failed_when: "matrix_authentication_service_register_user_result.rc != 0 and 'Error: User already exists' not in matrix_authentication_service_register_user_result.stderr"