feat(nextcloud): integrate Talk & Whiteboard; refactor to NEXTCLOUD_* vars; full-stack setup

config(ports): add Nextcloud websocket port (4003); canonical domains (nextcloud/talk/whiteboard)

refactor: unify get_app_conf usage & Jinja spacing; migrate paths/handlers to new NEXTCLOUD_* vars

feat(plugins): split plugin routines; configure Whiteboard via occ (URL + JWT)

fix(oidc): use NEXTCLOUD_URL for logout; correct LDAP attribute mappings; add OIDC flavor switch

feat: Whiteboard container & reverse-proxy location; Talk STUN/WS ports; Redis URL for Whiteboard

chore: drop obsolete TODO; minor cleanups in oauth2-proxy, matrix, peertube, pgadmin, phpldapadmin, pixelfed, phpmyadmin

security(schema): Bluesky jwt_secret now base64_prefixed_32; add Nextcloud whiteboard_jwt_secret

db: normalize postgres image tag templating; central DB host checks spacing fixes

ops: add full-stack bootstrap (certs, proxy, volumes); internal nginx config reload handler update

refs: https://chatgpt.com/share/68b5f5b7-8d64-800f-b001-1241f818dc0e

roles/web-app-nextcloud/templates/env.j2

@@ -8,9 +8,9 @@ MYSQL_PASSWORD=                 "{{ database_password }}"
 MYSQL_HOST=                     "{{ database_host }}:{{ database_port }}"
       
 # PHP
-PHP_MEMORY_LIMIT=               "{{applications | get_app_conf(application_id, 'performance.php.memory_limit')}}"
-PHP_UPLOAD_LIMIT=               "{{applications | get_app_conf(application_id, 'performance.php.upload_limit')}}"
-PHP_OPCACHE_MEMORY_CONSUMPTION= "{{applications | get_app_conf(application_id, 'performance.php.opcache_memory_consumption')}}"
+PHP_MEMORY_LIMIT=               "{{ applications | get_app_conf(application_id, 'performance.php.memory_limit') }}"
+PHP_UPLOAD_LIMIT=               "{{ applications | get_app_conf(application_id, 'performance.php.upload_limit') }}"
+PHP_OPCACHE_MEMORY_CONSUMPTION= "{{ applications | get_app_conf(application_id, 'performance.php.opcache_memory_consumption') }}"
       
 # Email Configuration
 SMTP_HOST=                      {{ SYSTEM_EMAIL.HOST }}
@@ -24,30 +24,38 @@ MAIL_FROM_ADDRESS=              "{{ users['no-reply'].username }}"
 MAIL_DOMAIN=                    "{{ SYSTEM_EMAIL.DOMAIN }}"
 
 # Initial Admin Data
-NEXTCLOUD_ADMIN_USER=           "{{applications | get_app_conf(application_id, 'users.administrator.username')}}"
-NEXTCLOUD_ADMIN_PASSWORD=       "{{applications | get_app_conf(application_id, 'credentials.administrator_password')}}"
+NEXTCLOUD_ADMIN_USER=           "{{ NEXTCLOUD_ADMINISTRATOR_USER }}"
+NEXTCLOUD_ADMIN_PASSWORD=       "{{ NEXTCLOUD_ADMINISTRATOR_PASSWORD }}"
 
 # Security
 
-NEXTCLOUD_TRUSTED_DOMAINS=      "{{ domains[application_id] | select | join(',') }}"
+NEXTCLOUD_TRUSTED_DOMAINS=      "{{ NEXTCLOUD_DOMAIN }}"
 # Whitelist local docker gateway in Nextcloud to prevent brute-force throtteling
 TRUSTED_PROXIES=                "{{ networks.internet.values() | select | join(',') }}"
-OVERWRITECLIURL=                "{{ domains | get_url(application_id, WEB_PROTOCOL) }}"
-OVERWRITEPROTOCOL=              "https"
+OVERWRITECLIURL=                "{{ NEXTCLOUD_URL }}"
+OVERWRITEPROTOCOL=              "{{ WEB_PROTOCOL }}"
 
 # Redis Configuration
 REDIS_HOST=                     redis
 REDIS_PORT=                     6379
 
-{% if nextcloud_talk_enabled %}
+{% if NEXTCLOUD_TALK_ENABLED %}
 # Talk Configuration
 # This code was just moved here during refactoring and isn't tested yet.
 # @todo move it to an own env file for encapsulation reasons
-NC_DOMAIN=cloud.yourdomain.tld
-TALK_HOST=signaling.yourdomain.tld
+NC_DOMAIN={{ NEXTCLOUD_DOMAIN }}
+TALK_HOST={{ NEXTCLOUD_TALK_DOMAIN }}
 TURN_SECRET=${TURN_SECRET}
 SIGNALING_SECRET=${SIGNALING_SECRET}
 TZ=Europe/Berlin
 TALK_PORT=3478
 INTERNAL_SECRET=${INTERNAL_SECRET}
+{% endif %}
+
+{% if NEXTCLOUD_WHITEBOARD_ENABLED %}
+# @todo move it to an own env file for encapsuling reasons
+NEXTCLOUD_URL=                  "{{ NEXTCLOUD_URL }}"
+JWT_SECRET_KEY=                 "{{ NEXTCLOUD_WHITEBOARD_JWT }}"
+STORAGE_STRATEGY=redis
+REDIS_URL=redis://redis:6379/0
 {% endif %}