matrix-synapse: route stream-backed client endpoints explicitly and add device_lists stream writer support

Some client API endpoints (e.g. keys/upload) are backed by Synapse stream writers and
should not rely on broad worker regexes or route-order fallthrough for correctness.

When explicit per-stream routing is missing, requests may be captured by generic, room, or client_reader workers, instead of:
- going to the configured stream writer
- or to `main` when that stream writer is not enabled

This refactors synapse-reverse-proxy-companion's routing so that web-facing stream-backed endpoint families
are handled explicitly and early, with deterministic writer-or-main fallback.

Add first-class support for the missing `device_lists` stream writer,
generalize the same routing model to `push_rules`,
and remove stale broad-route ownership for device-list-sensitive endpoints.

roles/custom/matrix-synapse/templates/reverse_proxy_companion/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2

@@ -10,8 +10,54 @@
 {% set stream_writer_account_data_stream_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'stream_writer') | selectattr('stream_writer_stream', 'equalto', 'account_data') | list %}
 {% set stream_writer_receipts_stream_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'stream_writer') | selectattr('stream_writer_stream', 'equalto', 'receipts') | list %}
 {% set stream_writer_presence_stream_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'stream_writer') | selectattr('stream_writer_stream', 'equalto', 'presence') | list %}
+{% set stream_writer_push_rules_stream_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'stream_writer') | selectattr('stream_writer_stream', 'equalto', 'push_rules') | list %}
+{% set stream_writer_device_lists_stream_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'stream_writer') | selectattr('stream_writer_stream', 'equalto', 'device_lists') | list %}
 {% set media_repository_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'media_repository') | list %}
 {% set user_dir_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'user_dir') | list %}
+{% set stream_writer_client_server_routes = [
+	{
+		'doc_url': 'https://matrix-org.github.io/synapse/latest/workers.html#the-typing-stream',
+		'workers': stream_writer_typing_stream_workers,
+		'locations': matrix_synapse_reverse_proxy_companion_synapse_stream_writer_typing_stream_worker_client_server_locations,
+		'upstream': 'stream_writer_typing_stream_workers_upstream',
+	},
+	{
+		'doc_url': 'https://matrix-org.github.io/synapse/latest/workers.html#the-to_device-stream',
+		'workers': stream_writer_to_device_stream_workers,
+		'locations': matrix_synapse_reverse_proxy_companion_synapse_stream_writer_to_device_stream_worker_client_server_locations,
+		'upstream': 'stream_writer_to_device_stream_workers_upstream',
+	},
+	{
+		'doc_url': 'https://matrix-org.github.io/synapse/latest/workers.html#the-account_data-stream',
+		'workers': stream_writer_account_data_stream_workers,
+		'locations': matrix_synapse_reverse_proxy_companion_synapse_stream_writer_account_data_stream_worker_client_server_locations,
+		'upstream': 'stream_writer_account_data_stream_workers_upstream',
+	},
+	{
+		'doc_url': 'https://matrix-org.github.io/synapse/latest/workers.html#the-receipts-stream',
+		'workers': stream_writer_receipts_stream_workers,
+		'locations': matrix_synapse_reverse_proxy_companion_synapse_stream_writer_receipts_stream_worker_client_server_locations,
+		'upstream': 'stream_writer_receipts_stream_workers_upstream',
+	},
+	{
+		'doc_url': 'https://matrix-org.github.io/synapse/latest/workers.html#the-presence-stream',
+		'workers': stream_writer_presence_stream_workers,
+		'locations': matrix_synapse_reverse_proxy_companion_synapse_stream_writer_presence_stream_worker_client_server_locations,
+		'upstream': 'stream_writer_presence_stream_workers_upstream',
+	},
+	{
+		'doc_url': 'https://matrix-org.github.io/synapse/latest/workers.html#the-push_rules-stream',
+		'workers': stream_writer_push_rules_stream_workers,
+		'locations': matrix_synapse_reverse_proxy_companion_synapse_stream_writer_push_rules_stream_worker_client_server_locations,
+		'upstream': 'stream_writer_push_rules_stream_workers_upstream',
+	},
+	{
+		'doc_url': 'https://matrix-org.github.io/synapse/latest/workers.html#the-device_lists-stream',
+		'workers': stream_writer_device_lists_stream_workers,
+		'locations': matrix_synapse_reverse_proxy_companion_synapse_stream_writer_device_lists_stream_worker_client_server_locations,
+		'upstream': 'stream_writer_device_lists_stream_workers_upstream',
+	},
+] %}
 
 {% macro render_worker_upstream(name, workers, load_balance) %}
 	upstream {{ name }} {
@@ -41,6 +87,23 @@
 	{% endfor %}
 {% endmacro %}
 
+{% macro render_locations_to_upstream_or_main(locations, workers, upstream_name) %}
+	{% for location in locations %}
+	location ~ {{ location }} {
+		{% if workers | length > 0 %}
+		proxy_pass http://{{ upstream_name }}$request_uri;
+		proxy_http_version 1.1;
+		proxy_set_header Connection "";
+		{% else %}
+		{# Use the embedded DNS resolver in Docker containers to discover the service #}
+		resolver {{ matrix_synapse_reverse_proxy_companion_http_level_resolver }} valid=5s;
+		set $backend "{{ matrix_synapse_reverse_proxy_companion_client_api_addr }}";
+		proxy_pass http://$backend;
+		{% endif %}
+	}
+	{% endfor %}
+{% endmacro %}
+
 {% macro render_locations_to_upstream_with_whoami_sync_worker_router(locations, upstream_name) %}
 	{% for location in locations %}
 	location ~ {{ location }} {
@@ -100,25 +163,11 @@ map $request_uri $room_name {
 	{{- render_worker_upstream('generic_workers_upstream', generic_workers, 'hash $http_x_forwarded_for;') }}
 	{% endif %}
 
-	{% if stream_writer_typing_stream_workers | length > 0 %}
-	{{- render_worker_upstream('stream_writer_typing_stream_workers_upstream', stream_writer_typing_stream_workers, '') }}
-	{% endif %}
-
-	{% if stream_writer_to_device_stream_workers | length > 0 %}
-	{{- render_worker_upstream('stream_writer_to_device_stream_workers_upstream', stream_writer_to_device_stream_workers, '') }}
-	{% endif %}
-
-	{% if stream_writer_account_data_stream_workers | length > 0 %}
-	{{- render_worker_upstream('stream_writer_account_data_stream_workers_upstream', stream_writer_account_data_stream_workers, '') }}
-	{% endif %}
-
-	{% if stream_writer_receipts_stream_workers | length > 0 %}
-	{{- render_worker_upstream('stream_writer_receipts_stream_workers_upstream', stream_writer_receipts_stream_workers, '') }}
-	{% endif %}
-
-	{% if stream_writer_presence_stream_workers | length > 0 %}
-	{{- render_worker_upstream('stream_writer_presence_stream_workers_upstream', stream_writer_presence_stream_workers, '') }}
+	{% for stream_writer_client_server_route in stream_writer_client_server_routes %}
+	{% if stream_writer_client_server_route.workers | length > 0 %}
+	{{- render_worker_upstream(stream_writer_client_server_route.upstream, stream_writer_client_server_route.workers, '') }}
 	{% endif %}
+	{% endfor %}
 
 	{% if media_repository_workers | length > 0 %}
 	{{- render_worker_upstream('media_repository_workers_upstream', media_repository_workers, 'least_conn;') }}
@@ -186,36 +235,16 @@ server {
 
 		{# Workers redirects BEGIN #}
 
+		{% for stream_writer_client_server_route in stream_writer_client_server_routes %}
+			# {{ stream_writer_client_server_route.doc_url }}
+			{{ render_locations_to_upstream_or_main(stream_writer_client_server_route.locations, stream_writer_client_server_route.workers, stream_writer_client_server_route.upstream) }}
+		{% endfor %}
+
 		{% if generic_workers | length > 0 %}
 			# https://matrix-org.github.io/synapse/latest/workers.html#synapseappgeneric_worker
 			{{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_generic_worker_client_server_locations, 'generic_workers_upstream') }}
 		{% endif %}
 
-		{% if stream_writer_typing_stream_workers | length > 0 %}
-			# https://matrix-org.github.io/synapse/latest/workers.html#the-typing-stream
-			{{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_stream_writer_typing_stream_worker_client_server_locations, 'stream_writer_typing_stream_workers_upstream') }}
-		{% endif %}
-
-		{% if stream_writer_to_device_stream_workers | length > 0 %}
-			# https://matrix-org.github.io/synapse/latest/workers.html#the-to_device-stream
-			{{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_stream_writer_to_device_stream_worker_client_server_locations, 'stream_writer_to_device_stream_workers_upstream') }}
-		{% endif %}
-
-		{% if stream_writer_account_data_stream_workers | length > 0 %}
-			# https://matrix-org.github.io/synapse/latest/workers.html#the-account_data-stream
-			{{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_stream_writer_account_data_stream_worker_client_server_locations, 'stream_writer_account_data_stream_workers_upstream') }}
-		{% endif %}
-
-		{% if stream_writer_receipts_stream_workers | length > 0 %}
-			# https://matrix-org.github.io/synapse/latest/workers.html#the-receipts-stream
-			{{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_stream_writer_receipts_stream_worker_client_server_locations, 'stream_writer_receipts_stream_workers_upstream') }}
-		{% endif %}
-
-		{% if stream_writer_presence_stream_workers | length > 0 %}
-			# https://matrix-org.github.io/synapse/latest/workers.html#the-presence-stream
-			{{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_stream_writer_presence_stream_worker_client_server_locations, 'stream_writer_presence_stream_workers_upstream') }}
-		{% endif %}
-
 		{% if room_workers | length > 0 %}
 			# room workers
 			# https://tcpipuk.github.io/synapse/deployment/workers.html