feat(services): refine split-horizon OIDC routing and harden nextcloud patch

- authentik: address the rewrite service by compose service name instead
  of a network alias on the public FQDN, which shadowed extra_hosts pins
  and broke OIDC discovery for c-ares-based (Node) resolvers
- homarr: add homarr_extra_hosts to pin the IdP FQDN to a LAN IP so OIDC
  discovery stays in-network while the issuer matches the browser-facing URL
- opnform: add opnform_oidc_sso_redirect_root to 302 the root URL to the
  SSO path (deep-links untouched, /login?bypass=1 break-glass); restart
  ingress via container restart so envsubst re-renders nginx.conf
- nextcloud: make the UserConfig sed workaround fail loud on upstream
  drift instead of silently skipping (nextcloud/server#59629)
- gitignore: exclude the local .ansible/ collection cache

roles/homarr/defaults/main.yml

@@ -19,6 +19,10 @@ homarr_domain: "homarr.local.test"
 # *.int.* FQDN so a DMZ reverseproxy can hit a backend hostname covered
 # by the cert).
 homarr_extra_domains: []
+# Extra /etc/hosts entries inside the homarr container (format "host:ip").
+# Used to pin the IdP's public FQDN to a LAN IP so OIDC discovery stays
+# in-network while the issuer URL matches what browsers see.
+homarr_extra_hosts: []
 homarr_image: "ghcr.io/homarr-labs/homarr:latest"
 homarr_port: 7575
 homarr_use_docker: false