fix(docker): fix vmalert rules scope + disable synapse OIDC

vmalert: was copying prometheus.yml into /etc/alerts/ causing parse
failure. Now only copies alerts.yml (the actual rules file).

synapse: mana-auth (Better Auth) has no OIDC discovery endpoint,
so disable OIDC and enable password auth until OIDC is implemented.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

docker/matrix/config/homeserver.yaml

@@ -74,10 +74,10 @@ url_preview_ip_range_blacklist:
 enable_registration: false
 enable_registration_without_verification: false
 
-# Password config (disabled - all users authenticate via OIDC/SSO)
+# Password config (enabled - OIDC not yet available from mana-auth)
 password_config:
-  enabled: false
-  localdb_enabled: false
+  enabled: true
+  localdb_enabled: true
   pepper: "${SYNAPSE_PASSWORD_PEPPER:-change-me-pepper}"
 
 # Session lifetime (must be >= refresh_token_lifetime)
@@ -196,24 +196,13 @@ run_background_tasks_on: synapse
 # OIDC / SSO Configuration (Mana Core Auth)
 # ============================================
 
-# Enable SSO via Mana Core Auth OIDC Provider
-oidc_providers:
-  - idp_id: manacore
-    idp_name: "Mana Core"
-    idp_brand: "org.matrix.custom"
-    discover: true
-    issuer: "https://auth.mana.how"
-    client_id: "matrix-synapse"
-    client_secret: "6dc67d2dbea5c19409d21cbaec5ba77265b0296796d4ebb015d70209c68f3fd5"
-    scopes: ["openid", "profile", "email"]
-    user_mapping_provider:
-      config:
-        subject_claim: "sub"
-        localpart_template: "{{ user.email.split('@')[0] }}"
-        display_name_template: "{{ user.name }}"
-        email_template: "{{ user.email }}"
-    allow_existing_users: true
-    enable_registration: true
+# OIDC disabled: mana-auth (Better Auth) does not expose OIDC discovery endpoints
+# TODO: add OIDC provider support to mana-auth, then re-enable this
+# oidc_providers:
+#   - idp_id: manacore
+#     issuer: "https://auth.mana.how"
+#     client_id: "matrix-synapse"
+#     ...
 
 # SSO UI Settings
 sso: