fix(demo-gymburgdorf): route cross-host ForwardAuth via dedicated outpost FQDN

Storage Traefik calling the public auth.gymb.* FQDN hit Authentik's ASGI
handler, which 404s the /outpost.goauthentik.io/auth/traefik path. Add a
dedicated outpost.auth.int.gymb.* FQDN outside authentik_domains so the
request falls through to the embedded outpost, pinned to the application
host via traefik_extra_hosts to stay on the LAN.

- authentik: add authentik_outpost_domains; allow users group on drawio
  proxy so the Nextcloud drawio iframe works for non-admins
- garage: point webui ForwardAuth at the new outpost FQDN
- homarr: use public OIDC issuer to match the iss claim, enable
  auto-login, pin auth FQDN to LAN via extra_hosts
- opnform: intercept / and /login for SSO, keep break-glass bypass
- drawio: align comments with admins+users allow-list

inventories/demo-gymburgdorf/host_vars/application/opnform.yml

@@ -48,8 +48,10 @@ opnform_oidc_admin_group: "opnform-admins"
 # opnform_oidc_domain above), so no password fallback is needed.
 opnform_oidc_force_login: true
 
-# Serve a /sso page that jumps straight to Authentik without the email
-# login form. Link users to https://forms.gymb.souveredu.ch/sso.
+# `/` and `/login` are intercepted and jump straight to Authentik.
+# Public form deep-links (`/forms/<slug>`, `/admin/...`) keep working.
+# Break-glass: /login?bypass=1 reaches the email form when the IdP is
+# down.
 opnform_oidc_sso_entrypoint: true
 
 # Pin auth.gymb.* to the application host so server-to-server OIDC