feat(drawio,garage): optional Authentik ForwardAuth in front of UIs
Add `*_authentik_forward_auth` + `*_authentik_forward_auth_url` knobs to both roles. When enabled:

* drawio: traefik attaches a ForwardAuth middleware pointing at the authentik embedded outpost; unauthenticated requests get redirected to log in and downstream sees X-Authentik-* identity headers.
* garage WebUI: same ForwardAuth wiring, and `AUTH_USER_PASS` is dropped from the container env so authentik is the only gate.

Tasks now key the htpasswd hash workflow off `_garage_webui_htpasswd_active` (`webui_enabled AND NOT authentik_forward_auth`); when authentik fronts the UI we skip hashing entirely. htpasswd hash is also now cached on disk and re-verified via `htpasswd -vbB` so unchanged passwords stop showing as `changed=true` on every run.

Both knobs default to `false`, preserving existing htpasswd/plain behaviour.
parent 6411f94cce
commit ce50bdb4d3
5 changed files with 110 additions and 7 deletions
@ -17,4 +17,11 @@ drawio_extra_hosts: []
# Traefik configuration
drawio_traefik_network: "proxy"
drawio_use_ssl: true
drawio_use_ssl: true
# Optional Authentik ForwardAuth (set to true and provide the URL to gate
# drawio behind an authentik proxy provider). Expects the authentik
# embedded outpost to expose the /outpost.goauthentik.io/auth/traefik
# endpoint on the configured URL (typically the public auth.* FQDN).
drawio_authentik_forward_auth: false
drawio_authentik_forward_auth_url: ""
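Review bot: `drawio_authentik_forward_auth_url` defaults to an empty string and nothing in this defaults hunk ties it to `drawio_authentik_forward_auth`, so an operator can set the flag to `true` and leave the URL empty. Since the commit message says the authentik gate is meant to be the access control in front of the UI, consider an `assert` early in the role's tasks that fails the play when the flag is true and the URL is empty, rather than relying on whatever the template does with a blank address. The comment above the variables could also say whether the value is the base URL only or must include the `/outpost.goauthentik.io/auth/traefik` path, because "expose the ... endpoint on the configured URL" can be read either way.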