feat(web-opt-rdr-domains): add optional logout proxy injection for redirect-only domains

This change introduces the variable 'web_opt_rdr_domains_logout_enabled' allowing redirect-only domains to include the logout-proxy configuration when required (e.g., BlueSky canonical domain deactivation edge cases).
It ensures the logout endpoint is still properly served even when the domain is normally redirected.

Conversation: https://chatgpt.com/share/6932f3a5-3890-800f-a100-a2d36762ffd4

roles/web-app-bluesky/tasks/01_core.yml

@@ -52,8 +52,9 @@
 - name: "Redirect deactivated BlueSky Services to {{ BLUESKY_API_DOMAIN }}"
   include_tasks: "utils/load_app.yml"
   vars:
-    load_app_id: web-opt-rdr-domains
-    redirect_domain_mappings: "{{ BLUESKY_REDIRECT_DOMAIN_MAPPINGS }}"
+    load_app_id:                        "web-opt-rdr-domains"
+    redirect_domain_mappings:           "{{ BLUESKY_REDIRECT_DOMAIN_MAPPINGS }}"
+    web_opt_rdr_domains_logout_enabled:: true
 
 - name: "Flush handlers for '{{ role_name }}'"
   meta: flush_handlers

roles/web-opt-rdr-domains/defaults/main.yml

@@ -1 +1,2 @@
-redirect_domain_mappings: []  # Format [{source: target:},...]
+redirect_domain_mappings:             []      # Format [{source: target:},...]
+web_opt_rdr_domains_logout_enabled::  false   # Activate headers for logout

roles/web-opt-rdr-domains/templates/redirect-domain.conf.j2

@@ -1,6 +1,17 @@
 server {
+
+
   server_name {{ domain }};
   {% include 'roles/sys-svc-letsencrypt/templates/ssl_header.j2' %}
 
-  return 301 https://{{ target }}$request_uri;
+  {% if web_opt_rdr_domains_logout_enabled: | bool %}
+  {# 
+    Required for edge cases e.g. BlueSky where a canonical domain is deactivated,
+    and set as an alias but interpretated as an logout domain
+  #}
+  {% include 'roles/web-svc-logout/templates/logout-proxy.conf.j2' %}
+  {% endif %}
+  location / {
+    return 301 {{ WEB_PROTOCOL }}://{{ target }}$request_uri;
+  }
 }