feat(authentik): split-horizon host rewrite + proxy-app mode/group bindings

* `authentik_host_rewrite_domains`: extra hostnames that reach the
  authentik container but make it generate URLs (OIDC issuer, reset
  links) as if requested from the canonical `authentik_domains[0]`.
  Each entry gets its own traefik router and a URL-based loadbalancer
  service that disables passHostHeader and pins X-Forwarded-Host via
  middleware, so server-to-server calls on internal FQDNs keep traffic
  in the LAN while the iss claim stays aligned with the public host.
  Uses a network alias on the canonical FQDN so traefik (sharing the
  network) resolves the URL upstream to this very container.

* proxy-app blueprint:
  - `mode` (default `forward_single`) lets callers pick between proxy,
    forward_single and forward_domain providers in one template.
  - `allowed_groups`: when set, emit one PolicyBinding per group on
    the application; authentik OR-evaluates bindings, so users in any
    listed group pass and others are denied.

Existing inventories with an empty list see no behavioural change.

roles/authentik/defaults/main.yml

@@ -17,6 +17,15 @@ authentik_docker_volume_dir: "{{ docker_volume_base_dir }}/{{ authentik_service_
 # server-to-server traffic so backend calls don't hairpin via DMZ.
 authentik_domains:
   - "authentik.local.test"
+
+# Hostnames that should reach authentik but make it generate URLs (OIDC
+# issuer, password reset links, etc.) as if requested from the canonical
+# `authentik_domains[0]` instead. Used for split-horizon setups where an
+# internal FQDN (e.g. `auth.int.example.com`) keeps server-to-server
+# traffic in the LAN but the iss claim must still match the public
+# hostname that browsers see. Traefik handles each entry via a separate
+# router that rewrites the Host header before forwarding to authentik.
+authentik_host_rewrite_domains: []
 authentik_image: "ghcr.io/goauthentik/server:2026.2.2"
 authentik_port: 9000
 authentik_secret_key: "changeme-generate-a-random-string"