
feat(sso): implement Authentik SSO stack with automated setup and OIDC integrations#595

Open: mvmax-dev wants to merge 1 commit into illbnm:master from mvmax-dev:sovereign/fix-504

Conversation

@mvmax-dev

Description

This PR delivers the complete Authentik SSO Stack implementation for Bounty #504 ($300 USDT). It provides a production-grade identity management solution with complete automated provisioning, safe credential loading, dynamic Traefik ForwardAuth middlewares, and seamless OIDC integrations across all requested applications.

🛠️ What has been implemented:

  1. Production SSO Stack Configuration (stacks/sso/docker-compose.yml):

    • Upgraded to Authentik 2024.8.3 as required.
    • Wired with secure and reliable PostgreSQL 16.4-alpine & Redis 7.4.0-alpine backends with robust health checks.
    • Auto-registers Traefik entrypoints for internal embedded outposts.
  2. Idempotent Authentik Provisioning Engine (scripts/authentik-setup.sh):

    • Automates OAuth2/OIDC Provider & Application provisioning for Grafana, Gitea, Nextcloud, Outline, Open WebUI, and Portainer.
    • Fully supports --dry-run preview execution.
    • Safely updates credentials inside root and stack-specific .env files (preventing plain-text console exposures).
    • Automatically initializes user groups: homelab-admins, homelab-users, and media-users.
  3. Nextcloud OIDC Auto-configuration (scripts/nextcloud-oidc-setup.sh):

    • Auto-installs Nextcloud's sociallogin app via occ cli.
    • Automatically registers the custom OIDC config pointing to Authentik.
  4. Grafana OIDC Migration (config/grafana/grafana.ini):

    • Clean, standardized grafana.ini mounting that reads OIDC parameters from $__env{...} environment variables.
  5. Integrated OIDC Env Params:

    • Standardized OIDC/OAuth parameters in Gitea, Open WebUI, and Portainer configuration.

Closes #504

…C integrations

- Configured Authentik 2024.8.3 with Postgres 16.4-alpine and Redis 7.4.0-alpine.
- Created idempotent, dry-run-capable  to register OIDC providers/apps/groups.
- Added  to install & configure Nextcloud OIDC via occ.
- Mounted  with generic_oauth config.
- Added OIDC configuration for Open WebUI, Portainer, Gitea, and Outline.
- Designed required user groups: homelab-admins, homelab-users, media-users.

Closes illbnm#504
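The description says the provisioning script writes OIDC client credentials into the root and stack-specific `.env` files without printing them to the console, and that repeated runs (including `--dry-run`) are idempotent. The function below is an added illustration of that pattern, not code from `scripts/authentik-setup.sh`; the function name `upsert_env`, the `DRY_RUN` variable and the sample keys are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not the PR's own script): idempotently write KEY=VALUE into a
# .env file, never echoing VALUE, with a dry-run mode that changes nothing.
set -eu

DRY_RUN="${DRY_RUN:-0}"   # assumed switch; the PR exposes this as --dry-run

# upsert_env FILE KEY VALUE
#   Replaces an existing KEY=... line or appends one. The secret is only ever
#   written to the file (mode 600), never to stdout. A second run with the same
#   value is a no-op, so the step can be re-run safely.
upsert_env() {
  local file="$1" key="$2" value="$3"
  local tmp
  [ -e "$file" ] || : > "$file"
  # Already current: nothing to do (fixed-string, whole-line match).
  if grep -qxF -e "${key}=${value}" "$file"; then
    return 0
  fi
  if [ "$DRY_RUN" = "1" ]; then
    echo "[dry-run] would set ${key} in ${file} (value not shown)"
    return 0
  fi
  tmp="$(mktemp "${file}.XXXXXX")"
  # Keep every line that does not start with "KEY=" (fixed-string compare),
  # then append the new assignment. Keys are plain identifiers, no escapes.
  awk -v k="$key" 'index($0, k "=") != 1' "$file" > "$tmp"
  printf '%s=%s\n' "$key" "$value" >> "$tmp"
  chmod 600 "$tmp"
  mv "$tmp" "$file"
  echo "updated ${key} in ${file}"
}
```

Because the value is matched as a fixed string and the file is replaced atomically via a temp file, a rotated client secret replaces the old line rather than accumulating duplicates.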

Development

Successfully merging this pull request may close these issues.

[BOUNTY $300] SSO Stack — Unified identity authentication