Refactor Nextcloud configuration to use OCC script approach and add email/OIDC support

Major architectural changes:
- Replace config file templating with unified OCC command script
- Remove custom_apps mount overlay that caused Caddy serving issues
- Implement script-based configuration for idempotency and clarity

Configuration improvements:
- Add email/SMTP support with master switch (nextcloud_email_enabled)
- Add OIDC/SSO integration with Authentik support
- Add apps installation (user_oidc, calendar, contacts)
- Enable group provisioning and quota management from OIDC
- Set nextcloud_oidc_unique_uid to false per Authentik docs

Files removed:
- nextcloud.config.php.j2 (replaced by OCC commands)
- redis.config.php.j2 (replaced by OCC commands)
- optimization.yml (merged into configure.yml)

Files added:
- configure-nextcloud.sh.j2 (single source of truth for config)
- configure.yml (deploys and runs configuration script)

Documentation:
- Add comprehensive OIDC setup guide with Authentik integration
- Document custom scope mapping and group provisioning
- Add email configuration examples for common providers
- Update vault variables documentation
- Explain two-phase deployment approach

Host configuration:
- Change admin user from 'admin' to 'joakim'
- Add admin email configuration

roles/nextcloud/defaults/main.yml

@@ -15,7 +15,6 @@ nextcloud_home: /opt/nextcloud
 nextcloud_html_dir: "{{ nextcloud_home }}/html"
 nextcloud_data_dir: "{{ nextcloud_home }}/data"
 nextcloud_config_dir: "{{ nextcloud_home }}/config"
-nextcloud_custom_apps_dir: "{{ nextcloud_home }}/custom_apps"
 
 # Container configuration (FPM variant)
 nextcloud_version: "stable-fpm"
@@ -52,6 +51,7 @@ nextcloud_domain: "cloud.jnss.me"
 
 # Admin user (auto-configured on first run)
 nextcloud_admin_user: "admin"
+nextcloud_admin_email: "admin@jnss.me"
 nextcloud_admin_password: "{{ vault_nextcloud_admin_password }}"
 
 # Trusted domains (space-separated)
@@ -75,12 +75,79 @@ nextcloud_background_jobs_mode: "cron"  # Options: ajax, webcron, cron
 nextcloud_cron_interval: "5min"  # How often cron runs (systemd timer)
 
 # =================================================================
-# Maintenance Configuration
+# Nextcloud System Configuration
 # =================================================================
 
 nextcloud_maintenance_window_start: 4  # Start hour (UTC) for maintenance window
 nextcloud_default_phone_region: "NO"  # Default phone region code (ISO 3166-1 alpha-2)
 
+# =================================================================
+# Apps Configuration
+# =================================================================
+
+# Apps to install and enable
+nextcloud_apps_install:
+  - user_oidc
+  - calendar
+  - contacts
+
+# =================================================================
+# Email/SMTP Configuration (Optional)
+# =================================================================
+
+nextcloud_email_enabled: true  # Master switch - set to true to enable SMTP
+
+# SMTP Server Configuration
+nextcloud_smtp_mode: "smtp"  # smtp, sendmail, qmail
+nextcloud_smtp_host: "smtp.titan.email"  # e.g., smtp.gmail.com, smtp.fastmail.com
+nextcloud_smtp_port: 587  # 587 for TLS, 465 for SSL, 25 for plain
+nextcloud_smtp_secure: "tls"  # tls, ssl, or empty string for no encryption
+nextcloud_smtp_auth: true  # Enable SMTP authentication
+nextcloud_smtp_authtype: "PLAIN"  # LOGIN or PLAIN
+nextcloud_smtp_username: "hello@jnss.me"  # SMTP username
+nextcloud_smtp_password: "{{ vault_nextcloud_smtp_password | default('') }}"
+
+# Email Addressing
+nextcloud_mail_from_address: "hello"  # Local part only (before @)
+nextcloud_mail_domain: "jnss.me"  # Domain part (after @)
+
+# Admin User Email (set at line 55 in Core Configuration section)
+
+# =================================================================
+# OIDC/SSO Configuration (Optional)
+# =================================================================
+
+nextcloud_oidc_enabled: true  # Master switch - set to true to enable OIDC
+
+# Provider Configuration
+nextcloud_oidc_provider_id: "authentik"  # Provider identifier (slug)
+nextcloud_oidc_provider_name: "Authentik"  # Display name (shown on login button)
+nextcloud_oidc_client_id: "{{ vault_nextcloud_oidc_client_id | default('') }}"
+nextcloud_oidc_client_secret: "{{ vault_nextcloud_oidc_client_secret | default('') }}"
+nextcloud_oidc_discovery_url: "https://auth.jnss.me/application/o/nextcloud/.well-known/openid-configuration"  # Full discovery URL, e.g., https://auth.example.com/application/o/nextcloud/.well-known/openid-configuration
+
+# Scopes (based on Authentik integration guide)
+# The 'nextcloud' scope is a custom scope you must create in Authentik
+nextcloud_oidc_scope: "email profile nextcloud openid"
+
+# Provider Options
+nextcloud_oidc_unique_uid: false  # Hash provider+user ID to prevent account takeover (recommended: true)
+nextcloud_oidc_check_bearer: false  # Check bearer tokens for API/WebDAV calls
+nextcloud_oidc_send_id_token_hint: true  # Send ID token hint during logout
+
+# Attribute Mappings (based on Authentik integration guide)
+nextcloud_oidc_mapping_display_name: "name"  # Claim for display name
+nextcloud_oidc_mapping_email: "email"  # Claim for email
+nextcloud_oidc_mapping_quota: "quota"  # Claim for quota (from Authentik property mapping)
+nextcloud_oidc_mapping_uid: "preferred_username"  # Claim for user ID
+nextcloud_oidc_mapping_groups: "groups"  # Claim for groups (from Authentik property mapping)
+
+# Group Provisioning (based on Authentik integration guide)
+nextcloud_oidc_group_provisioning: true  # Auto-create groups from OIDC provider
+
+# Single Login Option
+nextcloud_oidc_single_login: true  # If true and only one provider, auto-redirect to SSO
+
 # =================================================================
 # Caddy Integration
 # =================================================================