Fix RBAC groups handling and refactor Keycloak role

- Fixed incorrect handling of RBAC group configuration (moved from OIDC claims into dedicated RBAC variable set).
- Unified RBAC group usage across applications (LAM, pgAdmin, phpLDAPadmin, phpMyAdmin, YOURLS).
- Replaced old 'KEYCLOAK_OIDC_RBAC_SCOPE_NAME' with dedicated 'KEYCLOAK_RBAC_GROUP_*' variables.
- Updated OAuth2 Proxy configuration to use 'RBAC.GROUP.CLAIM'.
- Refactored Keycloak role task structure:
  * Renamed and reorganized task files for clarity ('_update.yml', '02_cleanup.yml', etc.).
  * Introduced meta and dependency handling separation.
- Cleaned up Keycloak config defaults and recaptcha placeholders.

roles/web-app-pgadmin/config/main.yml

@@ -5,14 +5,14 @@ oauth2_proxy:
   application:            "application"
   port:                   "80"
   allowed_groups:
-    - "/roles/web-app-pgadmin-administrator"
+    - "{{ [RBAC.GROUP.NAME, 'web-app-pgadmin-administrator'] | path_join }}"
 features:
   matomo:                 true
   css:                    true
-  desktop:        true
+  desktop:                true
   central_database:       true
   oauth2:                 true
-  logout:       true
+  logout:                 true
 server:
   csp:
     flags: