Transfer Server ACLs on room upgrade

Analyze user_ips before running deduplication

Reduce user_ips bloat during dedupe background update

Due to the table locks taken out by the naive upsert, the table
statistics may be out of date. During deduplication it is important that
the correct index is used as otherwise a full table scan may be
incorrectly used, which can end up thrashing the database badly.

The background update to remove duplicate rows naively deleted and
reinserted the duplicates. For large tables with a large number of
duplicates this causes a lot of bloat (with postgres), as the inserted
rows are appended to the table, since deleted rows will not be
overwritten until a VACUUM has happened.

This should hopefully also help ensure that the query in the last batch
uses the correct index, as inserting a large number of new rows without
analyzing will upset the query planner.

fix self-signed cert notice from generate-config

Lots of updates to the README/INSTALL.md.

Fixes #4601.

If TLS is disabled, it should not be an error if no cert is given.

Fixes #4554.

fixes #4620

Remove redundant entries from docker config

Infer no_tls from presence of TLS listeners

* no_tls is now redundant (#4613)
* we don't need a dummy cert any more (#4618)

Rather than have to specify `no_tls` explicitly, infer whether we need to load
the TLS keys etc from whether we have any TLS-enabled listeners.

we aren't going to use them anyway.

... otherwise we would fail with a mysterious KeyError or something later.

Log which file we're reading keys and certs from, and refactor the code a bit
in preparation for other work

It's nothing to do with refreshing the certificates. No idea why it was here.

add updating of backup versions

Rearrange the comments to try to clarify them, and expand on what some of it
means.

Use a sensible default 'bind_addresses' setting.

For the insecure port, only bind to localhost, and enable x_forwarded, since
apparently it's for use behind a load-balancer.

Factor out the reverse proxy info to a separate file, add some more info on
reverse-proxying the federation port.

New listener resource for the federation API "openid/userinfo" endpoint

* Allow "unavailable" presence status for /sync

Closes #3772, closes #3779

Signed-off-by: Valentin Anger <valentin.an.1999@gmail.com>

* Add changelog for PR 4592

Add more tables to the list of tables which need a background update to
complete before we can upsert into them, which fixes a race against the
background updates.

also add tests