fix(demo-gymburgdorf): route cross-host ForwardAuth via dedicated outpost FQDN

Storage Traefik calling the public auth.gymb.* FQDN hit Authentik's ASGI
handler, which 404s the /outpost.goauthentik.io/auth/traefik path. Add a
dedicated outpost.auth.int.gymb.* FQDN outside authentik_domains so the
request falls through to the embedded outpost, pinned to the application
host via traefik_extra_hosts to stay on the LAN.

- authentik: add authentik_outpost_domains; allow users group on drawio
  proxy so the Nextcloud drawio iframe works for non-admins
- garage: point webui ForwardAuth at the new outpost FQDN
- homarr: use public OIDC issuer to match the iss claim, enable
  auto-login, pin auth FQDN to LAN via extra_hosts
- opnform: intercept / and /login for SSO, keep break-glass bypass
- drawio: align comments with admins+users allow-list
Simon Bärlocher 2026-06-04 11:07:48 +02:00
parent 2ba0c07cd3
commit 2206b809e7
No known key found for this signature in database
GPG key ID: 63DE20495932047A
6 changed files with 59 additions and 14 deletions

@ -15,12 +15,16 @@ garage_webui_enabled: true
# Gate the WebUI behind authentik (admins-only, via policy-binding on the
# authentik proxy app). Replaces the htpasswd Basic-Auth — AUTH_USER_PASS
# is dropped from the compose env when this is true. The forwardauth URL
# resolves to the application-host traefik (network alias
# `auth.gymb.souveredu.ch` -> authentik-server-1 in the proxy network on
# the application host), but THIS host (storage) is in a different LAN,
# so traefik here reaches it via the public name through the DMZ proxy.
# uses a dedicated outpost-only FQDN that's deliberately outside
# authentik_domains so Authentik routes it to the embedded outpost (not
# ASGI). The public auth.gymb.* FQDN would 404 here — Authentik routes
# any Host matching an auth-domain to ASGI which doesn't serve the outpost
# path. The outpost itself then matches the protected app via
# X-Forwarded-Host (Traefik forwards it via trustForwardHeader=true).
# The FQDN is pinned to the application host via traefik_extra_hosts so
# the request stays in the LAN.
garage_webui_authentik_forward_auth: true
garage_webui_authentik_forward_auth_url: "https://auth.gymb.souveredu.ch/outpost.goauthentik.io/auth/traefik"
garage_webui_authentik_forward_auth_url: "https://outpost.auth.int.gymb.souveredu.ch/outpost.goauthentik.io/auth/traefik"
# Kept for completeness — only used when authentik ForwardAuth is off.
garage_webui_username: "admin"
garage_webui_password: "{{ _garage.webui_password | default('disabled') }}"
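Review bot: the new ForwardAuth URL uses https to a hostname that is deliberately not one of the authentik_domains, but nothing in the hunk says which certificate the application-host Traefik presents for outpost.auth.int.gymb.souveredu.ch or whether the storage-side forwardauth middleware verifies it; add a comment next to `garage_webui_authentik_forward_auth_url` naming the cert/SAN that covers the outpost FQDN (or the insecureSkipVerify setting, if one is relied on) so the next reader does not have to guess. The same comment block states that the outpost matches the protected app via X-Forwarded-Host with trustForwardHeader=true; it would be worth noting there that this only holds if the storage entrypoint does not accept client-supplied X-Forwarded-* headers (forwardedHeaders left at its default, or restricted to trustedIPs), since the app match and therefore the policy applied depend on that header.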

@ -1,11 +1,18 @@
---
# Local traefik needs to reach authentik for the ForwardAuth subrequest
# the garage-webui router fires. The public IP is unreachable from this
# subnet (no DMZ hairpin), so point auth.gymb.* directly at the
# subnet (no DMZ hairpin), so pin both auth FQDNs directly at the
# application host where authentik runs. Without this the forwardauth
# middleware would time out and every garage-console request would 502.
# - auth.gymb.* covers any future server-to-server traffic on the public
# FQDN.
# - outpost.auth.int.gymb.* is the dedicated outpost endpoint actually
# used by the ForwardAuth middleware (see garage.yml). It exists only
# to skip Authentik's ASGI handler, which 404s the outpost path when
# Host is one of the configured authentik_domains.
traefik_extra_hosts:
- "auth.gymb.souveredu.ch:172.16.19.101"
- "outpost.auth.int.gymb.souveredu.ch:172.16.19.101"
# Services hosted on `storage` that the DMZ reverseproxy should forward
# public traffic to. See application/traefik.yml for the mechanism.
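Review bot: both `traefik_extra_hosts` entries hard-code 172.16.19.101 and the whole cross-host auth path (forwardauth, hence every garage-console request) now depends on that literal staying correct; pull the application host's LAN address into a single variable (for example the application host's inventory address) and reference it in both entries so the two pins cannot drift apart, and the comment above can then say where the address comes from instead of "directly at the application host". The first entry (`auth.gymb.*`) is described as reserved for "future server-to-server traffic" and has no consumer in this diff after garage.yml moved to the outpost FQDN; either note that in the comment or drop it until something uses it, so the extra_hosts list only contains names that are known to be consumed.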