docs(reference-ansible): add docs/ tree and document repo, playbooks, Makefile

Addresses the WKS PoC review (Notion 2026-05-26). All docs in English.
- README: purpose, docs table of contents, annotated repo tree
- docs/getting_started.md: prerequisites (WKS account, OIDC, SSH, VPN) + first deploy
- docs/ansible.md: playbook table, "Running Ansible", service parameters, cheatsheet
- docs/secrets.md: canonical Bao login (moved out of README) + demo defaults
- docs/operations.md: full Makefile reference
- docs/inventories.md: repo layout, topology, standard folder structure, walkthrough
- docs/testing.md: static checks, inventory resolution, smoke test / dry run
- remove ARCHITECTURE.md (architecture docs live externally)

Also includes the gymburgdorf inventory build-out (bookstack, homarr,
opnform, send) and scripts/bao-seed.sh. site.yml keeps a third traefik
play (traefik_servers minus the vagrant _dmz/_backend split) so the demo
inventories still configure their reverse proxy after the rebase onto main.

inventories/demo-gymburgdorf/host_vars/application/opnform.yml

@@ -0,0 +1,60 @@
+---
+# Bao secret <mount>/data/opnform expected to contain:
+#   app_key (must start with "base64:"), jwt_secret, front_api_secret,
+#   db_password, admin_password, oidc_client_secret
+_opnform: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount + '/data/opnform', url=vault_addr) }}"
+_authentik: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount + '/data/authentik', url=vault_addr) }}"
+
+opnform_domain: "forms.gymb.souveredu.ch"
+opnform_extra_domains:
+  - "forms.int.gymb.souveredu.ch"
+opnform_base_url: "https://forms.gymb.souveredu.ch"
+
+opnform_app_key: "{{ _opnform.app_key }}"
+opnform_jwt_secret: "{{ _opnform.jwt_secret }}"
+opnform_front_api_secret: "{{ _opnform.front_api_secret }}"
+opnform_db_password: "{{ _opnform.db_password }}"
+
+# Bootstrap admin via API on first run so the manual setup page is
+# skipped. The admin credentials are also required to seed the OIDC
+# IdentityConnection through OpnForm's API (only an authenticated admin
+# can create connections).
+opnform_admin_name: "OpnForm Admin"
+opnform_admin_email: "admin@gymb.souveredu.ch"
+opnform_admin_password: "{{ _opnform.admin_password }}"
+
+# OIDC against Authentik. Discovery via the internal FQDN keeps
+# server-to-server traffic in the LAN; Authentik's host-rewrite router
+# rewrites the Host header to auth.gymb.* before the request reaches
+# authentik so the iss claim still matches the public hostname browsers
+# see during login.
+opnform_oidc_enabled: true
+# Issuer must use the public auth.gymb.* FQDN: OpnForm does OIDC
+# discovery and then validates the token's `iss` claim against this
+# value. Authentik emits the public hostname in `iss` (its host-rewrite
+# middleware keeps the claim aligned with what browsers see), so an
+# internal-FQDN issuer here would fail iss validation. The extra_hosts
+# pin below keeps the actual discovery/token/userinfo traffic on the LAN.
+opnform_oidc_issuer: "https://auth.gymb.souveredu.ch/application/o/opnform/"
+opnform_oidc_client_id: "opnform"
+opnform_oidc_client_secret: "{{ _opnform.oidc_client_secret }}"
+opnform_oidc_client_name: "Authentik"
+opnform_oidc_slug: "authentik"
+opnform_oidc_domain: "gymb.souveredu.ch"
+opnform_oidc_admin_group: "opnform-admins"
+
+# Disable password login entirely — every user goes through Authentik.
+# All real users have @gymb.souveredu.ch addresses (matching
+# opnform_oidc_domain above), so no password fallback is needed.
+opnform_oidc_force_login: true
+
+# Serve a /sso page that jumps straight to Authentik without the email
+# login form. Link users to https://forms.gymb.souveredu.ch/sso.
+opnform_oidc_sso_entrypoint: true
+
+# Pin auth.gymb.* to the application host so server-to-server OIDC
+# calls (token, userinfo, jwks — endpoints discovery returns under the
+# public hostname even when discovery itself is fetched via auth.int.*)
+# stay in the LAN.
+opnform_extra_hosts:
+  - "auth.gymb.souveredu.ch:172.16.19.101"