fix(demo-gymburgdorf): route cross-host ForwardAuth via dedicated outpost FQDN

Storage Traefik calling the public auth.gymb.* FQDN hit Authentik's ASGI
handler, which 404s the /outpost.goauthentik.io/auth/traefik path. Add a
dedicated outpost.auth.int.gymb.* FQDN outside authentik_domains so the
request falls through to the embedded outpost, pinned to the application
host via traefik_extra_hosts to stay on the LAN.

- authentik: add authentik_outpost_domains; allow users group on drawio
  proxy so the Nextcloud drawio iframe works for non-admins
- garage: point webui ForwardAuth at the new outpost FQDN
- homarr: use public OIDC issuer to match the iss claim, enable
  auto-login, pin auth FQDN to LAN via extra_hosts
- opnform: intercept / and /login for SSO, keep break-glass bypass
- drawio: align comments with admins+users allow-list

inventories/demo-gymburgdorf/host_vars/application/authentik.yml

@@ -21,6 +21,15 @@ authentik_host_rewrite_domains:
 authentik_secret_key: "{{ _authentik.secret_key }}"
 authentik_postgres_password: "{{ _authentik.postgres_password }}"
 
+# Dedicated FQDN for cross-host ForwardAuth (storage Traefik calling
+# /outpost.goauthentik.io/auth/traefik). Routing through the public
+# auth.gymb.* FQDN doesn't work — Authentik sees Host: auth.gymb.* and
+# routes to ASGI which 404s the outpost path. This FQDN sits outside
+# authentik_domains so the same request falls through to the embedded
+# outpost handler (which matches the protected app via X-Forwarded-Host).
+authentik_outpost_domains:
+  - "outpost.auth.int.gymb.souveredu.ch"
+
 # LDAP outpost (provider for nextcloud)
 authentik_ldap_apps:
   - slug: ldap
@@ -47,8 +56,14 @@ authentik_proxy_apps:
     name: Drawio
     external_host: "https://draw.gymb.souveredu.ch"
     internal_host: "http://drawio:8080"
+    # drawio is embedded in Nextcloud as an iframe (nextcloud_enable_drawio).
+    # Every authenticated Nextcloud user must therefore pass the ForwardAuth
+    # gate, otherwise the editor loads a 403 inside the iframe. Allow both
+    # standard groups; tightening this back to admins-only would break the
+    # Nextcloud integration for regular users.
     allowed_groups:
       - admins
+      - users
     flows:
       authentication_slug: default-authentication-flow
       authorization_slug: default-provider-authorization-implicit-consent

inventories/demo-gymburgdorf/host_vars/application/drawio.yml

@@ -8,8 +8,9 @@ drawio_domain: "draw.gymb.souveredu.ch"
 drawio_extra_domains:
   - "draw.int.gymb.souveredu.ch"
 
-# Gate drawio behind the authentik embedded outpost (admins-only —
-# enforced by the policy-binding on the authentik proxy application).
+# Gate drawio behind the authentik embedded outpost. The allow-list is
+# managed on the authentik proxy application (admins + users) so the
+# Nextcloud drawio iframe works for every authenticated user.
 # ForwardAuth talks to the embedded outpost on the authentik server's
 # in-network address. Going via the public FQDN routes through a second
 # traefik hop that strips/rewrites X-Forwarded-Host, which breaks

inventories/demo-gymburgdorf/host_vars/application/homarr.yml

@@ -14,16 +14,32 @@ homarr_admin_email: "admin@gymb.souveredu.ch"
 homarr_admin_password: "{{ _homarr.admin_password }}"
 
 # OIDC against Authentik. credentials provider stays enabled as a
-# break-glass account.
+# break-glass account — reach it via /auth/login/credentials when
+# AUTH_OIDC_AUTO_LOGIN bypasses the normal /login page.
+#
+# Issuer must match the `iss` claim authentik emits, which is always the
+# public FQDN (authentik's host-rewrite middleware aligns the claim with
+# what browsers see). Homarr (oauth4webapi) does a strict 1:1 comparison
+# between the discovery response's issuer and this URL — using the
+# internal FQDN here fails with OAUTH_JSON_ATTRIBUTE_COMPARISON_FAILED.
+# The extra_hosts pin below keeps the actual discovery/token/userinfo
+# traffic on the LAN.
 homarr_auth_providers: "credentials,oidc"
-homarr_oidc_issuer: "https://auth.int.gymb.souveredu.ch/application/o/homarr/"
+homarr_oidc_issuer: "https://auth.gymb.souveredu.ch/application/o/homarr/"
 homarr_oidc_client_id: "homarr"
 homarr_oidc_client_secret: "{{ _homarr.oidc_client_secret }}"
 homarr_oidc_client_name: "Authentik"
 homarr_oidc_scopes: "openid profile email groups"
 homarr_oidc_groups_attribute: "groups"
-homarr_oidc_admin_group: "homarr-admins"
-homarr_oidc_auto_login: "false"
+homarr_oidc_auto_login: "true"
+
+# Pin the public authentik FQDN to the application host so OIDC
+# discovery (and downstream token/userinfo) calls from the homarr
+# container stay in the LAN. Without this, fetch() to auth.gymb.* would
+# hit the public IP and time out in the DMZ (no hairpin-NAT). Same
+# pattern as nextcloud_extra_hosts.
+homarr_extra_hosts:
+  - "auth.gymb.souveredu.ch:172.16.19.101"
 
 # Default board with shortcuts to the other gymburgdorf services. Width
 # values describe horizontal grid cells (1-10 desktop / 6 tablet / 2

inventories/demo-gymburgdorf/host_vars/application/opnform.yml

@@ -48,8 +48,10 @@ opnform_oidc_admin_group: "opnform-admins"
 # opnform_oidc_domain above), so no password fallback is needed.
 opnform_oidc_force_login: true
 
-# Serve a /sso page that jumps straight to Authentik without the email
-# login form. Link users to https://forms.gymb.souveredu.ch/sso.
+# `/` and `/login` are intercepted and jump straight to Authentik.
+# Public form deep-links (`/forms/<slug>`, `/admin/...`) keep working.
+# Break-glass: /login?bypass=1 reaches the email form when the IdP is
+# down.
 opnform_oidc_sso_entrypoint: true
 
 # Pin auth.gymb.* to the application host so server-to-server OIDC