This adds a new routing mechanism for sync workers that resolves access tokens
to usernames via Synapse's whoami endpoint, enabling true user-level sticky
routing regardless of which device or token is used.

Previously, sticky routing relied on parsing the username from native Synapse
tokens (`syt_<base64 username>_...`), which only works with native Synapse auth
and provides device-level stickiness at best. This new approach works with any
auth system (native Synapse, MAS, etc.) because Synapse handles token validation
internally.

Implementation uses nginx's auth_request module with an njs script because:
- The whoami lookup requires an async HTTP subrequest (ngx.fetch)
- js_set handlers must return synchronously and don't support async operations
- auth_request allows the async lookup to complete, then captures the result
  via response headers into nginx variables

The njs script:
- Extracts access tokens from Authorization header or query parameter
- Calls Synapse's whoami endpoint to resolve token -> username
- Caches results in a shared memory zone to minimize latency
- Returns the username via a `X-User-Identifier` header

The username is then used by nginx's upstream hash directive for consistent
worker selection. This leverages nginx's built-in health checking and failover.

Synapse Admin v0.11.1-etke53

The /_matrix/client/unstable/org.matrix.simplified_msc3575/sync endpoint
can be handled by generic workers, but Synapse's workers.md documentation
doesn't mention it. The code confirms it's worker-compatible:

- SlidingSyncRestServlet is registered via sync.register_servlets:
  https://github.com/element-hq/synapse/blob/0dfcffab0f/synapse/rest/client/sync.py#L1128-L1131

- sync.register_servlets is NOT in the worker exclusion list:
  https://github.com/element-hq/synapse/blob/0dfcffab0f/synapse/rest/__init__.py#L180-L194

- GenericWorkerStore includes SlidingSyncStore:
  https://github.com/element-hq/synapse/blob/0dfcffab0f/synapse/app/generic_worker.py#L168

This adds the endpoint to both:
- matrix_synapse_workers_sync_worker_client_server_endpoints (for specialized sync workers with sticky routing)
- matrix_synapse_workers_generic_worker_endpoints (documenting generic worker capability)

- Upgrade from 1.0.1 to 4.0.0
- Add ircService.mediaProxy configuration for authenticated Matrix media
- Add Traefik integration for media proxy endpoint
- Generate signing key for authenticated media

Closes #3512

Co-authored-by: Jade Ellis <jade@ellis.link>
Co-authored-by: Slavi Pantaleev <slavi@devture.com>

Ref: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/4880#issuecomment-3807433691

Ref:
- https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/4882
- https://github.com/element-hq/synapse/pull/19204
- https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#enable_local_media_storage

We default it to `true`, keeping up with upstream and the old behavior.

s3-storage-provider users may set `matrix_synapse_enable_local_media_storage` to `false`
to disable local file caching.
This likely comes at the expense of some performance.

For matrix-media-repo users, it likely doesn't matter what this is set to,
as for a matrix-media-repo setup, all media-related API endpoints are
captured and forwarded to matrix-media-repo (before reaching Synapse).

This adds the matrix_hookshot_connections variable for configuring
static webhook connections via the config file.

See: https://github.com/matrix-org/matrix-hookshot/pull/1102

All these `encodedCharacters_*` settings default to `true` in Traefik v3.6.7,
so we don't need to override their values.

Ref: https://doc.traefik.io/traefik/v3.6/migrate/v3/#v367

Closes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/4835

Provoked by https://github.com/element-hq/synapse/pull/19281
which landed in Synapse v1.145.0, but we pull in a few other routes
that I noticed to be missing.

Ref: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/4851#issuecomment-3732696383

* This push request is about handling Traefik ipallowlist to synapse-admin application.

It's my first push request. If I forgot something please let me know. :-)

* Changed position of variable and naming for better expandebility of traefik options

* Remove useless `noqa var-naming` comment and too many blank lines at the end of the file

* If redis ist enabled for matrix media repo it failes to connect to valkey due to inproper configuration.

* Updated solution for fixing MMR redis connection

* Clean up

* Update valkey_container_network condition

---------

Co-authored-by: AkDk7 <joerg@pannbacker.email>
Co-authored-by: Slavi Pantaleev <slavi@devture.com>