feat(services): multi-domain routing, split-horizon and OIDC hardening

Bundle of cross-role changes for the gymb services deployment:

- Traefik routers: OR-combine opnform/homarr/bookstack Host rules with new
  *_extra_domains (internal *.int.* FQDNs for a DMZ reverseproxy), and emit
  tls.certresolver only when traefik_cert_mode == acme (drawio, homarr,
  opnform, send).
- Split-horizon: bookstack_extra_hosts / opnform_extra_hosts add container
  /etc/hosts overrides so containers reach the IdP public FQDN over the LAN.
- bookstack: assert the OIDC issuer resolves concretely (reject "//v2.0"),
  allowing non-Entra IdPs that override bookstack_oidc_issuer.
- homarr: derive the bcrypt salt from the password digest so the admin hash
  is idempotent — no spurious template changes / container restarts.
- opnform: PATCH an existing OIDC connection instead of skipping (applies
  corrected inventory on re-run); add OIDC_FORCE_LOGIN (enabled only after
  bootstrap) and an optional direct-SSO ingress entrypoint.

Docs: READMEs and meta/argument_specs.yml updated for all new variables.

roles/bookstack/tasks/main.yml

@@ -14,7 +14,13 @@
       - bookstack_admin_password | length > 0
       - (not bookstack_oidc_enabled) or (bookstack_oidc_client_id | length > 0)
       - (not bookstack_oidc_enabled) or (bookstack_oidc_client_secret | length > 0)
-      - (not bookstack_oidc_enabled) or (bookstack_entra_tenant_id | length > 0)
+      # Issuer URL must resolve to something concrete. The Entra default
+      # interpolates bookstack_entra_tenant_id; an unset tenant leaves
+      # "//v2.0" in the URL. Allow non-Entra IdPs (Authentik, Keycloak)
+      # that override bookstack_oidc_issuer directly.
+      - (not bookstack_oidc_enabled) or
+        (bookstack_oidc_issuer | length > 0 and
+         '//v2.0' not in bookstack_oidc_issuer)
     fail_msg: >-
       One or more required secrets are unset. Provide them via OpenBao
       lookup, Ansible Vault or --extra-vars. See README for the full list.