Add Vaultwarden password manager role with PostgreSQL and SSO support

- Implement complete Vaultwarden deployment using Podman Quadlet
- PostgreSQL backend via Unix socket with 777 permissions
- Caddy reverse proxy with WebSocket support for live sync
- Control-node admin token hashing using argon2 (OWASP preset)
- Idempotent token hashing with deterministic salt generation
- Full Authentik SSO integration following official guide
- SMTP email configuration support (optional)
- Invitation-only user registration by default
- Comprehensive documentation with setup and troubleshooting guides

Technical Details:
- Container: vaultwarden/server:latest from Docker Hub
- Database: PostgreSQL via /var/run/postgresql socket
- Port: 8080 (localhost only, proxied by Caddy)
- Domain: vault.jnss.me
- Admin token: Hashed on control node with argon2id
- SSO: OpenID Connect with offline_access scope support

Role includes automatic argon2 installation on control node if needed.

rick-infra.yml

@@ -9,6 +9,7 @@
 # - Nextcloud cloud storage
 # - Authentik SSO/authentication
 # - Gitea git hosting
+# - Vaultwarden password manager
 #
 # Usage:
 #   ansible-playbook playbooks/homelab.yml
@@ -30,8 +31,13 @@
     #     name: gitea
     #   tags: ['gitea', 'git', 'development']
 
-    - name: Deploy Nextcloud
+    # - name: Deploy Nextcloud
+    #   include_role:
+    #     name: nextcloud
+    #   tags: ['nextcloud', 'cloud', 'storage']
+
+    - name: Deploy Vaultwarden
       include_role:
-        name: nextcloud
-      tags: ['nextcloud', 'cloud', 'storage']
+        name: vaultwarden
+      tags: ['vaultwarden', 'vault', 'password-manager', 'security']