Fix RBAC groups handling and refactor Keycloak role

- Fixed incorrect handling of RBAC group configuration (moved from OIDC claims into dedicated RBAC variable set).
- Unified RBAC group usage across applications (LAM, pgAdmin, phpLDAPadmin, phpMyAdmin, YOURLS).
- Replaced old 'KEYCLOAK_OIDC_RBAC_SCOPE_NAME' with dedicated 'KEYCLOAK_RBAC_GROUP_*' variables.
- Updated OAuth2 Proxy configuration to use 'RBAC.GROUP.CLAIM'.
- Refactored Keycloak role task structure:
  * Renamed and reorganized task files for clarity ('_update.yml', '02_cleanup.yml', etc.).
  * Introduced meta and dependency handling separation.
- Cleaned up Keycloak config defaults and recaptcha placeholders.

roles/web-app-keycloak/tasks/main.yml

@@ -1,12 +1,18 @@
 ---
+- name: "Load meta"
+  include_tasks: 01_meta.yml
+  when: not KEYCLOAK_LOAD_DEPENDENCIES | bool
+
+
 - name: "Load cleanup routine for '{{ application_id }}'"
-  include_tasks: 01_cleanup.yml
+  include_tasks: 02_cleanup.yml
 
 - name: "Load init routine for '{{ application_id }}'"
-  include_tasks: 02_initialize.yml
+  include_tasks: 03_init.yml
 
 - name: "Load the depdendencies required by '{{ application_id }}'"
-  include_tasks: 03_load_dependencies.yml
+  include_tasks: 04_dependencies.yml
+  when: KEYCLOAK_LOAD_DEPENDENCIES | bool
 
 - name: "Wait until '{{ KEYCLOAK_CONTAINER }}' container is healthy"
   community.docker.docker_container_info:
@@ -50,9 +56,9 @@
               | list | first | default({}) ).attributes | default({}) )
           | combine({'frontchannel.logout.url': KEYCLOAK_FRONTCHANNEL_LOGOUT_URL}, recursive=True)
         }}
-  include_tasks: 03_update.yml
+  include_tasks: _update.yml
 
-- include_tasks: 04_rbac_client_scope.yml
+- include_tasks: 05_rbac_client_scope.yml
 
-- include_tasks: 05_ldap.yml
+- include_tasks: 06_ldap.yml
   when: KEYCLOAK_LDAP_ENABLED | bool