- Refactor: collapse `*_domain` + `*_extra_domains` into a single
`*_domains` list across authentik, collabora, garage and nextcloud
roles. First entry is the canonical FQDN (used for OVERWRITEHOST,
BASE_URL, notify_push setup and garage root_domain).
- Authentik blueprint: guard the OAuth sources block so an empty
`authentik_login_sources` no longer renders an invalid YAML key.
- Nextcloud: introduce `nextcloud_collabora_public_domain` and set
Collabora's `public_wopi_url` separately from the server-to-server
`wopi_url` so browsers can reach Collabora via the public name while
Nextcloud still talks to it on the internal one.
- Nextcloud: URL-encode the postgres user/password in DATABASE_URL.
