Fix RBAC groups handling and refactor Keycloak role

- Fixed incorrect handling of RBAC group configuration (moved from OIDC claims into dedicated RBAC variable set).
- Unified RBAC group usage across applications (LAM, pgAdmin, phpLDAPadmin, phpMyAdmin, YOURLS).
- Replaced old 'KEYCLOAK_OIDC_RBAC_SCOPE_NAME' with dedicated 'KEYCLOAK_RBAC_GROUP_*' variables.
- Updated OAuth2 Proxy configuration to use 'RBAC.GROUP.CLAIM'.
- Refactored Keycloak role task structure:
  * Renamed and reorganized task files for clarity ('_update.yml', '02_cleanup.yml', etc.).
  * Introduced meta and dependency handling separation.
- Cleaned up Keycloak config defaults and recaptcha placeholders.

group_vars/all/00_general.yml

@@ -90,4 +90,11 @@ _applications_nextcloud_oidc_flavor: >-
 
 # Systemctl 
 SYS_TIMER_SUFFIX:   ".{{ SOFTWARE_NAME | lower }}.timer"
-SYS_SERVICE_SUFFIX: ".{{ SOFTWARE_NAME | lower }}.service"
+SYS_SERVICE_SUFFIX: ".{{ SOFTWARE_NAME | lower }}.service"
+
+# Role-based access control
+# @See https://en.wikipedia.org/wiki/Role-based_access_control
+RBAC:
+  GROUP:
+    NAME:   "/roles"  # Name of the group which holds the RBAC roles
+    CLAIM:  "groups"  # Name of the claim containing the RBAC groups

group_vars/all/12_oidc.yml

@@ -39,6 +39,4 @@ defaults_oidc:
     USERNAME:             "preferred_username"
     GIVEN_NAME:           "givenName"
     FAMILY_NAME:          "surname"
-    EMAIL:                "email"
-  CLAIMS:
-    GROUPS:               "groups"
+    EMAIL:                "email"