docs(reference-ansible): add docs/ tree and document repo, playbooks, Makefile

Addresses the WKS PoC review (Notion 2026-05-26). All docs in English.
- README: purpose, docs table of contents, annotated repo tree
- docs/getting_started.md: prerequisites (WKS account, OIDC, SSH, VPN) + first deploy
- docs/ansible.md: playbook table, "Running Ansible", service parameters, cheatsheet
- docs/secrets.md: canonical Bao login (moved out of README) + demo defaults
- docs/operations.md: full Makefile reference
- docs/inventories.md: repo layout, topology, standard folder structure, walkthrough
- docs/testing.md: static checks, inventory resolution, smoke test / dry run
- remove ARCHITECTURE.md (architecture docs live externally)

Also includes the gymburgdorf inventory build-out (bookstack, homarr,
opnform, send) and scripts/bao-seed.sh. site.yml keeps a third traefik
play (traefik_servers minus the vagrant _dmz/_backend split) so the demo
inventories still configure their reverse proxy after the rebase onto main.

inventories/demo-gymburgdorf/host_vars/application/nextcloud.yml

@@ -4,6 +4,11 @@
 _nextcloud: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount + '/data/nextcloud', url=vault_addr) }}"
 _authentik: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount + '/data/authentik', url=vault_addr) }}"
 
+# 33.0.2 hits the PHP 8.4 TypeError in UserConfig::getValueBool() that
+# user_ldap triggers on every authenticated request (nextcloud/server
+# #59629; fix in 33.0.3). Pin to the patched tag.
+nextcloud_image: "nextcloud:33.0.3-fpm"
+
 # First entry is the canonical public FQDN (used for OVERWRITEHOST and
 # OIDC redirects). Additional entries cover internal *.int.* names so
 # collabora's WOPI callbacks hit nextcloud on a name with a valid
@@ -57,10 +62,25 @@ nextcloud_s3_port: 443
 nextcloud_s3_ssl: true
 nextcloud_s3_usepath_style: true
 
+# OIDC server-to-server discovery / token / userinfo goes to
+# auth.int.gymb.souveredu.ch (LAN, RFC1918). Nextcloud's DnsPinMiddleware
+# would otherwise block that as "local server access".
+nextcloud_allow_local_remote_servers: true
+
 # Share the LDAP docker network with the authentik LDAP outpost
 nextcloud_extra_networks:
   - ldap
 
+# Pin the public authentik FQDN to the application host so server-to-server
+# OIDC traffic (token, userinfo, jwks — endpoints the discovery doc lists
+# under auth.gymb.* even when discovery itself is fetched via auth.int.*)
+# stays in the LAN. Without this, curl in the PHP container would hit the
+# public IP and time out in the DMZ (no hairpin-NAT). The DnsPin middleware
+# only honours /etc/hosts when allow_local_remote_servers is enabled, so
+# that flag (set above) is what makes this entry effective.
+nextcloud_extra_hosts:
+  - "auth.gymb.souveredu.ch:172.16.19.101"
+
 # LDAP backend (Authentik LDAP outpost)
 nextcloud_ldap_enabled: true
 nextcloud_ldap_config:
@@ -98,12 +118,13 @@ nextcloud_oidc_providers:
     display_name: "Login with Authentik"
     client_id: nextcloud
     client_secret: "{{ _authentik.nextcloud_oidc_secret }}"
-    # Stays on the public FQDN: user_oidc validates the iss claim against
-    # the discovery host, and authentik returns iss based on the request
-    # host — using auth.int.* would break the iss match with what the
-    # browser sees (auth.gymb.*). Routed via the DMZ for now; revisit if
-    # this becomes a bottleneck.
-    discovery_url: "https://auth.gymb.souveredu.ch/application/o/nextcloud/.well-known/openid-configuration"
+    # Discovery via the internal FQDN (LAN-only) — the DMZ has no
+    # hairpin-NAT for the public IP, so server-to-server calls to
+    # auth.gymb.* would time out. The traefik router for auth.int.*
+    # rewrites the Host header to auth.gymb.souveredu.ch before the
+    # request reaches authentik, so the iss claim authentik emits still
+    # matches the public hostname the browser sees during login.
+    discovery_url: "https://auth.int.gymb.souveredu.ch/application/o/nextcloud/.well-known/openid-configuration"
     scope: "openid email profile"
     unique_uid: true
     mapping: