diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml
index 30800a01..da4e71d0 100644
--- a/roles/matrix-server/defaults/main.yml
+++ b/roles/matrix-server/defaults/main.yml
@@ -43,6 +43,10 @@ docker_nginx_image: "nginx:1.13.5-alpine"
 docker_riot_image: "silviof/matrix-riot-docker:latest"
 docker_s3fs_image: "xueshanf/s3fs:latest"
 
+# To avoid Synapse's macaroon secret key from changing every time
+# a new config is built from scratch, you can specify one here.
+matrix_synapse_macaroon_secret_key: null
+
 # UDP port-range to use for TURN
 matrix_coturn_turn_udp_min_port: 49152
 matrix_coturn_turn_udp_max_port: 49172
diff --git a/roles/matrix-server/tasks/setup_synapse.yml b/roles/matrix-server/tasks/setup_synapse.yml
index 9c15d8c2..362dc047 100644
--- a/roles/matrix-server/tasks/setup_synapse.yml
+++ b/roles/matrix-server/tasks/setup_synapse.yml
@@ -76,6 +76,15 @@
     - {"regexp": "^max_upload_size:", "line": 'max_upload_size: "{{ matrix_max_upload_size_mb }}M"'}
     - {"regexp": "^media_store_path:", "line": 'media_store_path: "/matrix-media-store"'}
 
+- name: Augment Matrix config (configure Macaroon secret)
+  lineinfile: "dest={{ matrix_synapse_config_dir_path }}/homeserver.yaml"
+  args:
+    regexp: "{{ item.regexp }}"
+    line: '{{ item.line }}'
+  with_items:
+    - {"regexp": "^macaroon_secret_key:", "line": 'macaroon_secret_key: "{{ matrix_synapse_macaroon_secret_key }}"'}
+  when: "matrix_synapse_macaroon_secret_key is not none"
+
 - name: Augment Matrix config (specify URL previews blacklist)
   lineinfile: "dest={{ matrix_synapse_config_dir_path }}/homeserver.yaml"
   args: