fix(demo-gymburgdorf): route cross-host ForwardAuth via dedicated outpost FQDN

Storage Traefik calling the public auth.gymb.* FQDN hit Authentik's ASGI
handler, which 404s the /outpost.goauthentik.io/auth/traefik path. Add a
dedicated outpost.auth.int.gymb.* FQDN outside authentik_domains so the
request falls through to the embedded outpost, pinned to the application
host via traefik_extra_hosts to stay on the LAN.

- authentik: add authentik_outpost_domains; allow users group on drawio
  proxy so the Nextcloud drawio iframe works for non-admins
- garage: point webui ForwardAuth at the new outpost FQDN
- homarr: use public OIDC issuer to match the iss claim, enable
  auto-login, pin auth FQDN to LAN via extra_hosts
- opnform: intercept / and /login for SSO, keep break-glass bypass
- drawio: align comments with admins+users allow-list

inventories/demo-gymburgdorf/host_vars/application/drawio.yml

@@ -8,8 +8,9 @@ drawio_domain: "draw.gymb.souveredu.ch"
 drawio_extra_domains:
   - "draw.int.gymb.souveredu.ch"
 
-# Gate drawio behind the authentik embedded outpost (admins-only —
-# enforced by the policy-binding on the authentik proxy application).
+# Gate drawio behind the authentik embedded outpost. The allow-list is
+# managed on the authentik proxy application (admins + users) so the
+# Nextcloud drawio iframe works for every authenticated user.
 # ForwardAuth talks to the embedded outpost on the authentik server's
 # in-network address. Going via the public FQDN routes through a second
 # traefik hop that strips/rewrites X-Forwarded-Host, which breaks