Refactor web health checker & domain expectations (filter-based)

- Move all domain→expected-status mapping to filter `web_health_expectations`.
- Require explicit app selection via non-empty `group_names`; only those apps are included.
- Add `www_enabled` flag (wired via `WWW_REDIRECT_ENABLED`) to generate/force www.* → 301.
- Support `redirect_maps` to include manual redirects (sources forced to 301), independent of app selection.
- Aliases always 301; canonicals use per-key override or `server.status_codes.default`, else [200,302,301].
- Remove legacy fallbacks (`server.status_codes.home` / `landingpage`).
- Wire filter output into systemd ExecStart script as JSON expectations.
- Normalize various templates to use `to_json` and minor spacing fixes.
- Update app configs (e.g., YOURLS default=301; Confluence default=302; Bluesky web=405; MediaWiki/Confluence canonical/aliases).
- Constructor now uses `WWW_REDIRECT_ENABLED` for domain generation.

Tests:
- Add comprehensive unit tests for filter: selection by group, keyed/default codes, aliases, www handling, redirect_maps, input sanitization.
- Add unit tests for the standalone checker script (JSON parsing, OK/mismatch counting, sanitization).

See conversation: https://chatgpt.com/share/68c2b93e-de58-800f-8c16-ea05755ba776

roles/web-app-nextcloud/vars/plugins/user_ldap.yml

@@ -42,7 +42,7 @@ plugin_configuration:
   -
     appid: "user_ldap"
     configkey: "s01ldap_base_users"
-    configvalue: "{{LDAP.DN.OU.USERS}}"
+    configvalue: "{{ LDAP.DN.OU.USERS }}"
 
   -
     appid: "user_ldap"
@@ -67,7 +67,7 @@ plugin_configuration:
   -
     appid: "user_ldap"
     configkey: "s01ldap_dn"
-    configvalue: "{{LDAP.DN.ADMINISTRATOR.DATA}}"
+    configvalue: "{{ LDAP.DN.ADMINISTRATOR.DATA }}"
   -
     appid: "user_ldap"
     configkey: "s01ldap_email_attr"