feat(services): multi-domain routing, split-horizon and OIDC hardening

Bundle of cross-role changes for the gymb services deployment:

- Traefik routers: OR-combine opnform/homarr/bookstack Host rules with new
  *_extra_domains (internal *.int.* FQDNs for a DMZ reverseproxy), and emit
  tls.certresolver only when traefik_cert_mode == acme (drawio, homarr,
  opnform, send).
- Split-horizon: bookstack_extra_hosts / opnform_extra_hosts add container
  /etc/hosts overrides so containers reach the IdP public FQDN over the LAN.
- bookstack: assert the OIDC issuer resolves concretely (reject "//v2.0"),
  allowing non-Entra IdPs that override bookstack_oidc_issuer.
- homarr: derive the bcrypt salt from the password digest so the admin hash
  is idempotent — no spurious template changes / container restarts.
- opnform: PATCH an existing OIDC connection instead of skipping (applies
  corrected inventory on re-run); add OIDC_FORCE_LOGIN (enabled only after
  bootstrap) and an optional direct-SSO ingress entrypoint.

Docs: READMEs and meta/argument_specs.yml updated for all new variables.

roles/bookstack/defaults/main.yml

@@ -16,6 +16,14 @@ bookstack_backup_dir: "{{ bookstack_docker_volume_dir }}/backup"
 
 # Service configuration
 bookstack_domain: "wiki.local.test"
+# Additional hostnames the bookstack router answers on (e.g. an internal
+# *.int.* FQDN so a DMZ reverseproxy can hit a backend hostname covered
+# by the cert).
+bookstack_extra_domains: []
+# Container-level /etc/hosts overrides — useful in split-horizon setups
+# where the BookStack container needs to reach an IdP's public FQDN
+# (used in the OIDC `iss` claim) over the LAN rather than via the DMZ.
+bookstack_extra_hosts: []
 bookstack_base_url: "https://{{ bookstack_domain }}"
 
 # Images — pin via inventory in production