matrix: migrate Synapse -> tuwunel (Rust homeserver, fresh start, federated)

Replace the cramped Synapse deployment with tuwunel v1.7.1: embedded RocksDB
drops the CNPG dependency (both init-containers, the db ESO, the Reloader
annotation all gone), env-var config, fsGroup-owned encrypted PVC, federation
on, tuwunel-served well-known delegation to :443. server_name unchanged
(matrix.viktorbarzin.me); fresh start (no Synapse->RocksDB migration path).
Registered @viktor admin then disabled registration (403).

Cleanup: removed the orphaned pg-matrix Vault static role and dropped the
matrix Postgres DB/role; updated service-catalog, upgrade-config, CLAUDE.md
PG-rotation list, and the Matrix OIDC->orphaned auth notes. Design+plan in
docs/plans/2026-06-08-matrix-synapse-to-tuwunel-*.

Already applied via scripts/tg (matrix tier-1 + targeted vault tier-0), so
[ci skip] to avoid CI reconciling an unrelated pre-existing vault OIDC
tune-TTL drift.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Viktor Barzin 2026-06-08 11:58:17 +00:00
parent 09514a234b
commit 23602f393e
9 changed files with 199 additions and 102 deletions

@ -660,7 +660,7 @@ resource "vault_database_secret_backend_connection" "postgresql" {
"pg-postiz", "pg-instagram-poster",
"pg-recruiter-responder", "pg-tripit",
"pg-nextcloud-todos",
"pg-matrix", "pg-technitium",
"pg-technitium",
]
postgresql {
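Review bot: dropping "pg-matrix" from allowed_roles on the postgresql connection is only safe if the vault_database_secret_backend_static_role.pg_matrix resource (deleted in the next hunk) goes away in the same apply, since that role still names this connection via db_name; the commit message says this was already applied through scripts/tg, so the plan output should show the role destroy and the connection update together, and that is worth pasting into the docs/plans/ entry so the ordering is on record.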
@ -870,14 +870,6 @@ resource "vault_database_secret_backend_static_role" "pg_tripit" {
rotation_period = 604800
}
resource "vault_database_secret_backend_static_role" "pg_matrix" {
backend = vault_mount.database.path
db_name = vault_database_secret_backend_connection.postgresql.name
name = "pg-matrix"
username = "matrix"
rotation_period = 86400
}
resource "vault_database_secret_backend_static_role" "pg_technitium" {
backend = vault_mount.database.path
db_name = vault_database_secret_backend_connection.postgresql.name
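Review bot: removing this static role stops Vault from rotating the password of the Postgres role "matrix" (the 86400s rotation_period here was what kept that credential short-lived), but nothing in this diff drops that role or its database; the commit message says the DB and role were dropped by hand. Record that step, or the command used, in the docs/plans/ entry so a reviewer can confirm no unrotated "matrix" login is left behind on the shared PostgreSQL connection that the remaining pg-* roles still use.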