feat(services): multi-domain routing, split-horizon and OIDC hardening

Bundle of cross-role changes for the gymb services deployment:

- Traefik routers: OR-combine opnform/homarr/bookstack Host rules with new
  *_extra_domains (internal *.int.* FQDNs for a DMZ reverseproxy), and emit
  tls.certresolver only when traefik_cert_mode == acme (drawio, homarr,
  opnform, send).
- Split-horizon: bookstack_extra_hosts / opnform_extra_hosts add container
  /etc/hosts overrides so containers reach the IdP public FQDN over the LAN.
- bookstack: assert the OIDC issuer resolves concretely (reject "//v2.0"),
  allowing non-Entra IdPs that override bookstack_oidc_issuer.
- homarr: derive the bcrypt salt from the password digest so the admin hash
  is idempotent — no spurious template changes / container restarts.
- opnform: PATCH an existing OIDC connection instead of skipping (applies
  corrected inventory on re-run); add OIDC_FORCE_LOGIN (enabled only after
  bootstrap) and an optional direct-SSO ingress entrypoint.

Docs: READMEs and meta/argument_specs.yml updated for all new variables.

roles/opnform/meta/argument_specs.yml

@@ -38,6 +38,25 @@ argument_specs:
         type: str
         default: forms.local.test
         description: Hostname used in the traefik Host rule.
+      opnform_extra_domains:
+        type: list
+        elements: str
+        default: []
+        description:
+          - Additional hostnames the Traefik router answers on, OR-combined
+            with C(opnform_domain). Useful for an internal C(*.int.*) FQDN so
+            a DMZ reverseproxy can reach a backend hostname covered by the
+            cert.
+      opnform_extra_hosts:
+        type: list
+        elements: str
+        default: []
+        description:
+          - Container-level C(/etc/hosts) overrides for the API containers
+            (Compose C(extra_hosts) entries, C("host:ip")). Needed in
+            split-horizon setups where the OpnForm API must reach the IdP's
+            public FQDN (used in the OIDC discovery / C(iss) claim) over the
+            LAN rather than hairpinning through a DMZ with no NAT loopback.
       opnform_base_url:
         type: str
         default: https://forms.local.test
@@ -184,6 +203,15 @@ argument_specs:
         description:
           - Email domain that triggers OIDC for matching users. Required
             when C(opnform_oidc_enabled=true).
+      opnform_oidc_force_login:
+        type: bool
+        default: false
+        description:
+          - "When true, sets C(OIDC_FORCE_LOGIN=true) on the api container:
+            password-based login is disabled and every user must authenticate
+            via OIDC. Only takes effect when C(opnform_oidc_enabled=true).
+            Ensure all real users have addresses under C(opnform_oidc_domain)
+            before enabling — there is no password fallback."
       opnform_oidc_scopes:
         type: list
         elements: str
@@ -211,6 +239,23 @@ argument_specs:
             type: str
             required: true
             choices: [owner, admin, editor, member]
+      opnform_oidc_sso_entrypoint:
+        type: bool
+        default: false
+        description:
+          - When true (and C(opnform_oidc_enabled=true)) the nginx ingress
+            serves a small redirect page at C(opnform_oidc_sso_path) that
+            calls OpnForm's C(/api/auth/{slug}/redirect) endpoint and
+            forwards the browser to the returned IdP authorize URL. Lets
+            you link users straight to the IdP, skipping OpnForm's
+            email-based login form. OpnForm has no native option for this.
+      opnform_oidc_sso_path:
+        type: str
+        default: /sso
+        description:
+          - Path (on C(opnform_domain)) where the direct-SSO redirect page
+            is served when C(opnform_oidc_sso_entrypoint=true). Must start
+            with C(/) and not collide with OpnForm's own routes.
 
       opnform_traefik_network:
         type: str