diff --git a/roles/custom/matrix-authentication-service/defaults/main.yml b/roles/custom/matrix-authentication-service/defaults/main.yml
index 22f32457e..6358cee34 100644
--- a/roles/custom/matrix-authentication-service/defaults/main.yml
+++ b/roles/custom/matrix-authentication-service/defaults/main.yml
@@ -314,6 +314,22 @@ matrix_authentication_service_config_secrets_keys: |-
 #                                                                                      #
 ########################################################################################
 
+# Controls the resources exposed by the `web` HTTP listener.
+matrix_authentication_service_config_http_listener_web_resources: "{{ matrix_authentication_service_config_http_listener_web_resources_default + matrix_authentication_service_config_http_listener_web_resources_auto + matrix_authentication_service_config_http_listener_web_resources_custom }}"
+matrix_authentication_service_config_http_listener_web_resources_default: |-
+  {{
+    [
+      {'name': 'discovery'},
+      {'name': 'human'},
+      {'name': 'oauth'},
+      {'name': 'compat'},
+      {'name': 'graphql'},
+      {'name': 'assets'},
+    ]
+  }}
+matrix_authentication_service_config_http_listener_web_resources_auto: []
+matrix_authentication_service_config_http_listener_web_resources_custom: []
+
 # Controls the `http.public_base` configuration setting.
 matrix_authentication_service_config_http_public_base: "https://{{ matrix_authentication_service_hostname }}{{ '/' if matrix_authentication_service_path_prefix == '/' else (matrix_authentication_service_path_prefix + '/') }}"
 
diff --git a/roles/custom/matrix-authentication-service/templates/config.yaml.j2 b/roles/custom/matrix-authentication-service/templates/config.yaml.j2
index 32065d221..c0794ed77 100644
--- a/roles/custom/matrix-authentication-service/templates/config.yaml.j2
+++ b/roles/custom/matrix-authentication-service/templates/config.yaml.j2
@@ -2,13 +2,7 @@
 http:
   listeners:
   - name: web
-    resources:
-    - name: discovery
-    - name: human
-    - name: oauth
-    - name: compat
-    - name: graphql
-    - name: assets
+    resources: {{ matrix_authentication_service_config_http_listener_web_resources | to_json }}
     binds:
     - address: '[::]:8080'
     proxy_protocol: false