Every `occ config:app:set` / `ldap:set-config` / `notify_push:setup`
call previously fired on every play, marking changed even when the
stored value already matched. Now we read the current value first and
only invoke the setter when it differs:
* richdocuments (collabora): pre-read wopi_url, public_wopi_url,
disable_certificate_verification, wopi_allowlist into a fact map;
guard each `config:app:set` and tag `richdocuments:activate-config`
with `changed_when: false` since it's a discovery refresh.
* drawio: same pattern for DrawioUrl, DrawioTheme, DrawioOffline,
comparing as strings (occ stores booleans as "1"/"0").
* user_ldap: pre-read `ldap:show-config s01 --output=json`, parse JSON
defensively (occ logs interleave on stderr), and skip per-key
`ldap:set-config` calls when the stored value already equals the
desired one.
* notify_push: skip `notify_push:setup` when the stored base_endpoint
already matches the computed URL.
* plugins: `app:install`/`app:enable` were treating "already installed/
enabled" output as a change. Add the negative match to `changed_when`
so re-runs of a fully-provisioned site report ok rather than changed.
- Refactor: collapse `*_domain` + `*_extra_domains` into a single
`*_domains` list across authentik, collabora, garage and nextcloud
roles. First entry is the canonical FQDN (used for OVERWRITEHOST,
BASE_URL, notify_push setup and garage root_domain).
- Authentik blueprint: guard the OAuth sources block so an empty
`authentik_login_sources` no longer renders an invalid YAML key.
- Nextcloud: introduce `nextcloud_collabora_public_domain` and set
Collabora's `public_wopi_url` separately from the server-to-server
`wopi_url` so browsers can reach Collabora via the public name while
Nextcloud still talks to it on the internal one.
- Nextcloud: URL-encode the postgres user/password in DATABASE_URL.
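The pre-read-then-compare step described for user_ldap above, as an added Python example that is not part of this commit or the roles' own code. It assumes `ldap:show-config --output=json` prints one flat key/value object; the helper names and the sample output are constructed for illustration.

```python
import json

def extract_config(raw, expect):
    """Return the first JSON object in raw that holds any expected key.

    Skips non-JSON noise and JSON-formatted log lines mixed into the output.
    """
    decoder = json.JSONDecoder()
    expect = set(expect)
    pos = raw.find("{")
    while pos != -1:
        try:
            obj, end = decoder.raw_decode(raw, pos)
        except json.JSONDecodeError:
            end = pos + 1            # not JSON here, try the next brace
        else:
            if isinstance(obj, dict) and expect & obj.keys():
                return obj
        pos = raw.find("{", end)
    raise ValueError("no matching JSON object in occ output")

def normalize(value):
    """Compare as strings; booleans become "1"/"0" as occ stores them."""
    if isinstance(value, bool):
        return "1" if value else "0"
    return "" if value is None else str(value)

def keys_to_set(raw_output, desired):
    """Return only the keys whose stored value differs from the desired one."""
    stored = extract_config(raw_output, desired.keys())
    return {k: normalize(v) for k, v in desired.items()
            if normalize(stored.get(k)) != normalize(v)}

# Constructed sample: noise, a JSON log line, then the config object.
SAMPLE = (
    'Warning: cache {not json}\n'
    '{"reqId":"abc","level":2,"message":"slow query"}\n'
    '{"ldapHost":"ldap.internal.example","ldapPort":"389","ldapTLS":"0"}\n'
)
DESIRED = {"ldapHost": "ldap.internal.example", "ldapPort": 389, "ldapTLS": True}

if __name__ == "__main__":
    # Only the returned keys would need a per-key ldap:set-config call.
    print(keys_to_set(SAMPLE, DESIRED))
```

An empty result means the play has nothing to change, so no setter runs and the task reports ok.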