fix(demo-gymburgdorf): route cross-host ForwardAuth via dedicated outpost FQDN

Storage Traefik calling the public auth.gymb.* FQDN hit Authentik's ASGI
handler, which 404s the /outpost.goauthentik.io/auth/traefik path. Add a
dedicated outpost.auth.int.gymb.* FQDN outside authentik_domains so the
request falls through to the embedded outpost, pinned to the application
host via traefik_extra_hosts to stay on the LAN.

- authentik: add authentik_outpost_domains; allow users group on drawio
  proxy so the Nextcloud drawio iframe works for non-admins
- garage: point webui ForwardAuth at the new outpost FQDN
- homarr: use public OIDC issuer to match the iss claim, enable
  auto-login, pin auth FQDN to LAN via extra_hosts
- opnform: intercept / and /login for SSO, keep break-glass bypass
- drawio: align comments with admins+users allow-list
Simon Bärlocher 2026-06-04 11:07:48 +02:00
parent 2ba0c07cd3
commit 2206b809e7
No known key found for this signature in database
GPG key ID: 63DE20495932047A
6 changed files with 59 additions and 14 deletions


@ -1,11 +1,18 @@
---
# Local traefik needs to reach authentik for the ForwardAuth subrequest
# the garage-webui router fires. The public IP is unreachable from this
# subnet (no DMZ hairpin), so point auth.gymb.* directly at the
# subnet (no DMZ hairpin), so pin both auth FQDNs directly at the
# application host where authentik runs. Without this the forwardauth
# middleware would time out and every garage-console request would 502.
# - auth.gymb.* covers any future server-to-server traffic on the public
# FQDN.
# - outpost.auth.int.gymb.* is the dedicated outpost endpoint actually
# used by the ForwardAuth middleware (see garage.yml). It exists only
# to skip Authentik's ASGI handler, which 404s the outpost path when
# Host is one of the configured authentik_domains.
traefik_extra_hosts:
- "auth.gymb.souveredu.ch:172.16.19.101"
- "outpost.auth.int.gymb.souveredu.ch:172.16.19.101"
# Services hosted on `storage` that the DMZ reverseproxy should forward
# public traffic to. See application/traefik.yml for the mechanism.
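Review bot: the comment block explains why `outpost.auth.int.gymb.*` exists but not how the ForwardAuth subrequest to it is trusted: since the name is resolved only through this static `traefik_extra_hosts` entry rather than DNS, the note should say which certificate on the application host covers `outpost.auth.int.gymb.souveredu.ch` (or that the subrequest is plain HTTP on the LAN), otherwise a later reader hitting a TLS verification failure is likely to reach for skipping verification on the auth hop instead of fixing the certificate. Also, `172.16.19.101` is now written twice in the same list; a single variable for the application host IP would keep the two pins from drifting apart when the host moves, which the comment itself warns turns into 502s on every garage-console request.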