feat(services): refine split-horizon OIDC routing and harden nextcloud patch

- authentik: address the rewrite service by compose service name instead
  of a network alias on the public FQDN, which shadowed extra_hosts pins
  and broke OIDC discovery for c-ares-based (Node) resolvers
- homarr: add homarr_extra_hosts to pin the IdP FQDN to a LAN IP so OIDC
  discovery stays in-network while the issuer matches the browser-facing URL
- opnform: add opnform_oidc_sso_redirect_root to 302 the root URL to the
  SSO path (deep-links untouched, /login?bypass=1 break-glass); restart
  ingress via container restart so envsubst re-renders nginx.conf
- nextcloud: make the UserConfig sed workaround fail loud on upstream
  drift instead of silently skipping (nextcloud/server#59629)
- gitignore: exclude the local .ansible/ collection cache

roles/opnform/meta/argument_specs.yml

@@ -256,6 +256,16 @@ argument_specs:
           - Path (on C(opnform_domain)) where the direct-SSO redirect page
             is served when C(opnform_oidc_sso_entrypoint=true). Must start
             with C(/) and not collide with OpnForm's own routes.
+      opnform_oidc_sso_redirect_root:
+        type: bool
+        default: false
+        description:
+          - When true, the nginx ingress 302-redirects the root URL
+            (exact-match on C(/)) to C(opnform_oidc_sso_path), so visiting
+            C(https://<domain>/) jumps straight to the IdP without
+            OpnForm's email login form. Public form deep-links
+            (C(/forms/<slug>), C(/login), C(/admin/...)) are untouched.
+            Requires C(opnform_oidc_sso_entrypoint=true).
 
       opnform_traefik_network:
         type: str