* Better logging for errors on startup

* Fix "TypeError: '>' not supported" when starting without an existing
  certificate
* Fix a bug where an existing certificate would be reprovisoned every day

* implement `reload` by sending the HUP signal

According to the 0.99 release info* synapse now uses the HUP signal to reload certificates:

> Synapse will now reload TLS certificates from disk upon SIGHUP. (#4495, #4524)

So the matrix-synapse.service unit file should include a reload directive.

Signed-off-by: Дамјан Георгиевски <gdamjan@gmail.com>

Fix errors when using default bind_addresses with replication/metrics listeners

Co-Authored-By: richvdh <1389908+richvdh@users.noreply.github.com>

Fixes the "can't listen on 0.0.0.0" error. Also makes it more consistent with
what we do elsewhere.

I wanted to bring listen_tcp into line with listen_ssl in terms of returning a
list of ports, and wanted to check that was a safe thing to do - hence the
logging in `refresh_certificate`.

Also, pull the 'Synapse now listening' message up to homeserver.py, because it
was being duplicated everywhere else.

turns out it doesn't really support ipv6, so let's hack around that by only
listening on ipv4 by default.

Transfer Server ACLs on room upgrade

Analyze user_ips before running deduplication

Reduce user_ips bloat during dedupe background update

Due to the table locks taken out by the naive upsert, the table
statistics may be out of date. During deduplication it is important that
the correct index is used as otherwise a full table scan may be
incorrectly used, which can end up thrashing the database badly.

The background update to remove duplicate rows naively deleted and
reinserted the duplicates. For large tables with a large number of
duplicates this causes a lot of bloat (with postgres), as the inserted
rows are appended to the table, since deleted rows will not be
overwritten until a VACUUM has happened.

This should hopefully also help ensure that the query in the last batch
uses the correct index, as inserting a large number of new rows without
analyzing will upset the query planner.

fix self-signed cert notice from generate-config

Lots of updates to the README/INSTALL.md.

Fixes #4601.

If TLS is disabled, it should not be an error if no cert is given.

Fixes #4554.

fixes #4620

Remove redundant entries from docker config

Infer no_tls from presence of TLS listeners

* no_tls is now redundant (#4613)
* we don't need a dummy cert any more (#4618)

Rather than have to specify `no_tls` explicitly, infer whether we need to load
the TLS keys etc from whether we have any TLS-enabled listeners.

we aren't going to use them anyway.

... otherwise we would fail with a mysterious KeyError or something later.

Log which file we're reading keys and certs from, and refactor the code a bit
in preparation for other work

It's nothing to do with refreshing the certificates. No idea why it was here.

add updating of backup versions

Rearrange the comments to try to clarify them, and expand on what some of it
means.

Use a sensible default 'bind_addresses' setting.

For the insecure port, only bind to localhost, and enable x_forwarded, since
apparently it's for use behind a load-balancer.

Factor out the reverse proxy info to a separate file, add some more info on
reverse-proxying the federation port.