make the docker image do something sane wrt certificates

[richvdh]

At the moment it just fails to start synapse due to the absence of the cert

[richvdh]

related: #4545

[richvdh]

some initial thoughts on this:

First of all, SYNAPSE_NO_TLS is an existing environment variable which disables TLS support in the image; if it's set, it's assumed that there's an external reverse-proxy and cert management is someone else's problem.

We could enable the ACME listener (on port 80) by default in the config in the docker image (unless SYNAPSE_NO_TLS is set), and set EXPOSE 80/tcp in the Dockerfile. So your options are:

• Set SYNAPSE_NO_TLS, and arrange your own reverse-proxy to port 8008 on the container, or
• Run with -p 80:80 -p 8448:8448 to forward the ACME and TLS connections.

If you're updating an existing setup, using an existing /data volume, you will already have a (self-signed) cert in /data. That will continue to work for now. You can then either:

• delete the cert and follow one of the new-installation options below.
• Disable TLS in the configuration and use an external reverse-proxy
• somehow orchestrate your own way of updating the certs.

[richvdh]

I decided not to enable ACME by default, because I had concerns over our own ACME fighting with an external renewal process.

Otherwise, this is essentially fixed by #4566.