feat(services): refine split-horizon OIDC routing and harden nextcloud patch

- authentik: address the rewrite service by compose service name instead
  of a network alias on the public FQDN, which shadowed extra_hosts pins
  and broke OIDC discovery for c-ares-based (Node) resolvers
- homarr: add homarr_extra_hosts to pin the IdP FQDN to a LAN IP so OIDC
  discovery stays in-network while the issuer matches the browser-facing URL
- opnform: add opnform_oidc_sso_redirect_root to 302 the root URL to the
  SSO path (deep-links untouched, /login?bypass=1 break-glass); restart
  ingress via container restart so envsubst re-renders nginx.conf
- nextcloud: make the UserConfig sed workaround fail loud on upstream
  drift instead of silently skipping (nextcloud/server#59629)
- gitignore: exclude the local .ansible/ collection cache

roles/opnform/README.md

@@ -167,10 +167,16 @@ calls `/api/auth/{slug}/redirect` (no domain check) and forwards the
 browser to the IdP authorize URL.
 
 ```yaml
-opnform_oidc_sso_entrypoint: true  # default false
-opnform_oidc_sso_path: "/sso"      # link users to https://<domain>/sso
+opnform_oidc_sso_entrypoint: true       # default false
+opnform_oidc_sso_path: "/sso"           # link users to https://<domain>/sso
+opnform_oidc_sso_redirect_root: true    # default false — root URL 302s to <sso_path>
 ```
 
+With `opnform_oidc_sso_redirect_root` enabled both the bare hostname
+and `/login` jump straight to the IdP. Public form deep-links
+(`/forms/<slug>`, `/admin/...`) are not touched. The email form remains
+reachable as a break-glass path via `/login?bypass=1`.
+
 ## Networking / split-horizon
 
 ```yaml