feat: domain list refactor + demo-gymburgdorf fixes

- Refactor: collapse `*_domain` + `*_extra_domains` into a single
  `*_domains` list across authentik, collabora, garage and nextcloud
  roles. First entry is the canonical FQDN (used for OVERWRITEHOST,
  BASE_URL, notify_push setup and garage root_domain).
- Authentik blueprint: guard the OAuth sources block so an empty
  `authentik_login_sources` no longer renders an invalid YAML key.
- Nextcloud: introduce `nextcloud_collabora_public_domain` and set
  Collabora's `public_wopi_url` separately from the server-to-server
  `wopi_url` so browsers can reach Collabora via the public name while
  Nextcloud still talks to it on the internal one.
- Nextcloud: URL-encode the postgres user/password in DATABASE_URL.

roles/nextcloud/defaults/main.yml

@@ -9,7 +9,12 @@ nextcloud_service_name: nextcloud
 nextcloud_docker_compose_dir: "{{ docker_compose_base_dir }}/{{ nextcloud_service_name }}"
 nextcloud_docker_volume_dir: "{{ docker_volume_base_dir }}/{{ nextcloud_service_name }}"
 
-nextcloud_domain: "nextcloud.local.test"
+# FQDNs the nextcloud router accepts. The first entry is the canonical
+# domain (used for OVERWRITEHOST and the notify_push setup); further
+# entries cover internal *.int.* names so collabora's WOPI callback
+# hits us on a name with a valid cert.
+nextcloud_domains:
+  - "nextcloud.local.test"
 nextcloud_image: "nextcloud:fpm"
 nextcloud_redis_image: "redis:latest"
 nextcloud_port: 80