feat(opnform)!: add admin and OIDC bootstrap, rename role to lowercase

Rename roles/OpnForm → roles/opnform so the role resolves as
  digitalboard.core.opnform (Ansible collection convention is
  lowercase). Update tests/test.yml reference accordingly.

  Add automated admin user creation via POST /api/register, gated on
  opnform_admin_email + opnform_admin_password. Idempotent through a
  prior login probe. Without these vars the manual setup page flow is
  preserved.

  Add automated OIDC IdentityConnection setup via the per-workspace
  /api/open/workspaces/{id}/oidc-connections endpoint, gated on
  opnform_oidc_enabled. Hard-coupled to the admin bootstrap (the API
  requires an authenticated admin token); validation block fails fast
  if OIDC is enabled without admin credentials. Supports both an
  explicit opnform_oidc_group_role_mappings list and a fallback
  opnform_oidc_admin_group convenience var.

  Convert opnform_oidc_scopes from space-separated string to YAML list
  to match OpnForm's API expectation. Rewrite README "First login" and
  "OIDC setup" sections to reflect that self-hosted OpnForm does not
  ship a pre-seeded admin and to document the new bootstrap paths.
  BREAKING CHANGE: opnform_oidc_scopes changed from space-separated
  string to YAML list. Inventories that override it must update from
  "openid profile email" to [openid, profile, email].

roles/OpnForm/defaults/main.yml

@@ -1,71 +0,0 @@
-#SPDX-License-Identifier: MIT-0
----
-# defaults file for opnform
-
-# Base directory configuration (inherited from base role or defined here)
-docker_compose_base_dir: /etc/docker/compose
-docker_volume_base_dir: /srv/data
-
-# opnform-specific configuration
-opnform_service_name: opnform
-opnform_docker_compose_dir: "{{ docker_compose_base_dir }}/{{ opnform_service_name }}"
-opnform_docker_volume_dir: "{{ docker_volume_base_dir }}/{{ opnform_service_name }}"
-opnform_storage_dir: "{{ opnform_docker_volume_dir }}/storage"
-opnform_db_data_dir: "{{ opnform_docker_volume_dir }}/db"
-opnform_redis_data_dir: "{{ opnform_docker_volume_dir }}/redis"
-
-# Service configuration
-opnform_domain: "forms.local.test"
-opnform_base_url: "https://forms.local.test"
-
-# Images
-opnform_api_image: "jhumanj/opnform-api:latest"
-opnform_client_image: "jhumanj/opnform-client:latest"
-opnform_redis_image: "redis:7"
-opnform_db_image: "postgres:16"
-opnform_ingress_image: "nginx:1"
-
-# REQUIRED SECRETS — generate with: openssl rand -base64 32
-# Always prefix opnform_app_key with "base64:"
-# Provide via OpenBao lookup, Ansible Vault or extra-vars.
-# Never commit real keys to version control.
-opnform_app_key: "base64:vsQw8EoC64nmhurLUUohXUlAeryaV6Y2Is64Tdvjlko="
-opnform_jwt_secret: "0b2e8ed326334a08ce3846bfcd6588f5a11be33999e96963cd4eaff1a3ae828b"
-opnform_front_api_secret: "8f52397785a110b657f2a6beab13362877bfac936ae9002bc236c54ed1011b2d"
-
-# Database credentials
-opnform_db_name: "opnform"
-opnform_db_user: "opnform"
-opnform_db_password: "xtNLUVc2ajcWictqWXWkLR"
-
-# PHP configuration
-opnform_php_memory_limit: "1G"
-opnform_php_max_execution_time: "600"
-opnform_php_upload_max_filesize: "64M"
-opnform_php_post_max_size: "64M"
-
-# Nginx ingress
-opnform_nginx_max_body_size: "64m"
-
-# Mail configuration (optional — defaults to log driver)
-opnform_mail_mailer: "log"
-opnform_mail_host: ""
-opnform_mail_port: ""
-opnform_mail_username: ""
-opnform_mail_password: ""
-opnform_mail_encryption: ""
-opnform_mail_from_address: "noreply@digitalboard.ch"
-opnform_mail_from_name: "OpnForm"
-
-# OIDC configuration (Stage 1: not auto-configured, set up via UI after deploy)
-opnform_oidc_enabled: false
-opnform_oidc_issuer: "https://auth.digitalboard.ch/realms/Digitalboard"
-opnform_oidc_client_id: "opnform-digitalboard"
-opnform_oidc_client_secret: ""
-opnform_oidc_client_name: "Digitalboard"
-opnform_oidc_scopes: "openid profile email groups"
-opnform_oidc_admin_group: "opnform-admins"
-
-# Traefik configuration
-opnform_traefik_network: "proxy"
-opnform_use_ssl: true