feat: domain list refactor + demo-gymburgdorf fixes

- Refactor: collapse `*_domain` + `*_extra_domains` into a single
  `*_domains` list across authentik, collabora, garage and nextcloud
  roles. First entry is the canonical FQDN (used for OVERWRITEHOST,
  BASE_URL, notify_push setup and garage root_domain).
- Authentik blueprint: guard the OAuth sources block so an empty
  `authentik_login_sources` no longer renders an invalid YAML key.
- Nextcloud: introduce `nextcloud_collabora_public_domain` and set
  Collabora's `public_wopi_url` separately from the server-to-server
  `wopi_url` so browsers can reach Collabora via the public name while
  Nextcloud still talks to it on the internal one.
- Nextcloud: URL-encode the postgres user/password in DATABASE_URL.

roles/collabora/templates/docker-compose.yml.j2

@@ -20,11 +20,14 @@ services:
     labels:
       - traefik.enable=true
       - traefik.docker.network={{ collabora_traefik_network }}
-      - traefik.http.routers.{{ collabora_service_name }}.rule=Host(`{{ collabora_domain }}`)
+      - traefik.http.routers.{{ collabora_service_name }}.rule=Host({% for d in collabora_domains %}`{{ d }}`{% if not loop.last %}, {% endif %}{% endfor %})
       - traefik.http.services.{{ collabora_service_name }}.loadbalancer.server.port={{ collabora_port }}
 {% if collabora_use_ssl %}
       - traefik.http.routers.{{ collabora_service_name }}.entrypoints=websecure
       - traefik.http.routers.{{ collabora_service_name }}.tls=true
+{% if traefik_cert_mode | default('selfsigned') == 'acme' %}
+      - traefik.http.routers.{{ collabora_service_name }}.tls.certresolver={{ traefik_ssl_cert_resolver | default('dns') }}
+{% endif %}
 {% else %}
       - traefik.http.routers.{{ collabora_service_name }}.entrypoints=web
 {% endif %}