Route MAS traffic via nginx

When MAS is enabled, inject nginx location blocks that route:

- /_matrix/client/*/login|logout|refresh → MAS compat layer (port 8081)
- /_matrix/client/*/register → registration shim (port 8082)
- /_synapse/admin/v1/register → registration shim (port 8082)

These regex blocks are prepended before the catch-all worker locations so
they take priority.

In workers-shared-extra.yaml.j2, disable Synapse's built-in registration and
password auth when MAS is active, since MAS handles these concerns.

docker/complement/conf/workers-shared-extra.yaml.j2

@@ -10,17 +10,26 @@
 public_baseurl: http://127.0.0.1:8008/
 report_stats: False
 trusted_key_servers: []
-enable_registration: true
-enable_registration_without_verification: true
 bcrypt_rounds: 4
 url_preview_enabled: true
 url_preview_ip_range_blacklist: []
 
 ## Registration ##
 
+{% if mas_enabled %}
+# MAS handles registration; disable Synapse's built-in registration
+enable_registration: false
+enable_registration_without_verification: false
+password_config:
+  enabled: false
+{% else %}
+enable_registration: true
+enable_registration_without_verification: true
+
 # Needed by Complement to register admin users
 # DO NOT USE in a production configuration! This should be a random secret.
 registration_shared_secret: complement
+{% endif %}
 
 ## Federation ##