feat(drawio,garage): optional Authentik ForwardAuth in front of UIs

Add `*_authentik_forward_auth` + `*_authentik_forward_auth_url` knobs to
both roles. When enabled:

* drawio: traefik attaches a ForwardAuth middleware pointing at the
  authentik embedded outpost; unauthenticated requests get redirected
  to log in and downstream sees X-Authentik-* identity headers.

* garage WebUI: same ForwardAuth wiring, and `AUTH_USER_PASS` is dropped
  from the container env so authentik is the only gate. Tasks now key
  the htpasswd hash workflow off `_garage_webui_htpasswd_active`
  (`webui_enabled AND NOT authentik_forward_auth`); when authentik
  fronts the UI we skip hashing entirely. htpasswd hash is also now
  cached on disk and re-verified via `htpasswd -vbB` so unchanged
  passwords stop showing as `changed=true` on every run.

Both knobs default to `false`, preserving existing htpasswd/plain behaviour.

roles/garage/defaults/main.yml

@@ -25,10 +25,20 @@ garage_webui_domain: "console.storage.local.test"
 garage_webui_enabled: true
 garage_webui_image: "khairul169/garage-webui:latest"
 garage_webui_port: 3909
-# WebUI basic auth credentials (plaintext, will be hashed automatically)
+# WebUI basic auth credentials (plaintext, will be hashed automatically).
+# Ignored when garage_webui_authentik_forward_auth is true — in that case
+# authentik handles authentication via the ForwardAuth middleware below.
 garage_webui_username: "admin"
 garage_webui_password: "admin"
 
+# Optional Authentik ForwardAuth in front of the WebUI. When true:
+#   - the AUTH_USER_PASS env-var is dropped from the container so htpasswd
+#     isn't enforced; authentik is the only gate.
+#   - traefik attaches a ForwardAuth middleware pointing at the URL below.
+# Leave false to keep classic htpasswd protection.
+garage_webui_authentik_forward_auth: false
+garage_webui_authentik_forward_auth_url: ""
+
 # Garage ports
 garage_s3_api_port: 3900
 garage_s3_web_port: 3902