feat(sso): wire Keycloak SSO end-to-end across all apps

New stack:
- stacks/oauth2-proxy/ — per-app sidecars (mlflow, portainer, rabbitmq)
  that gate vhosts via nginx auth_request against Keycloak's wbd realm.

Native OIDC wired into:
- grafana       (generic_oauth, role-attribute-path → Admin/Editor/Viewer)
- jupyterhub    (oauthenticator.GenericOAuthenticator)
- node-red      (passport-openidconnect; in-memory state store + users()
                 resolver because adminAuth doesn't expose req.session)
- jenkins       (oic-auth plugin via JCasC; matrix-auth for authz; setup
                 wizard suppressed; custom image with plugins.txt)

Infra fixes uncovered while bringing the above online:
- nginx-proxy: bump proxy_buffer_size to 16k so oauth2-proxy callbacks
  don't 502 on the JWT-bearing Set-Cookie header.
- nginx-proxy: add `resolver 127.0.0.11 valid=30s` so service names
  re-resolve after sidecar recreates (was cross-wiring oauth2-proxy
  upstreams after restart).
- jupyterhub: pass --allow-root to the singleuser spawner (hub runs as
  root inside its container; jupyter-server refused root without flag).
- jupyterhub Dockerfile: install jupyterlab + notebook so
  SimpleLocalProcessSpawner has something to launch.
- node-red Dockerfile: install passport-openidconnect into the image
  so settings.js can require() it.
- portainer: pre-seed local admin via --admin-password=<bcrypt-hash>
  so the 5-minute "no admin → lockout" timer can never trigger.
- deploy.sh: restore executable bit (was 644 in repo).

Admin/viewer policy:
- Created realm role `app-admin` in keycloak wbd realm.
- Grafana maps app-admin → Admin (default Viewer).
- Jenkins matrix-auth grants r.de.ren Overall/Administer, authenticated
  users get Overall/Read + Job/Read + View/Read.
- Node-RED: NODERED_ADMIN_USERS env list → permissions "*", others
  ["read"]. (TODO: switch to app-admin realm role.)
- JupyterHub: JUPYTERHUB_ADMIN_USERS env list. (Same TODO.)
- Gitea: r.de.ren pre-created as local admin; OIDC auto-links via email.

Docs:
- README, cloud/README, stacks/oauth2-proxy/README, and per-stack
  READMEs updated to reflect the new state and remove resolved TODOs.
- cloud/.env.example gains all the new OIDC client + cookie-secret keys.
- cloud/README documents the full kcadm realm bootstrap, including the
  hardcoded-audience mapper and post-logout redirect URIs that are
  non-obvious gotchas.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

stacks/node-red/config/settings.js

@@ -0,0 +1,110 @@
+// Node-RED config — Keycloak OIDC editor auth.
+// Only the editor (/red, /flow) is gated; runtime HTTP-in / dashboard routes
+// stay open by default. Lock those down separately with httpNodeAuth.
+
+// Admins listed here get permissions "*". Everyone else (any authenticated
+// Keycloak user) gets ["read"] — they can view flows but cannot deploy.
+const NODERED_ADMINS = (process.env.NODERED_ADMIN_USERS || "")
+    .split(",")
+    .map(s => s.trim().toLowerCase())
+    .filter(Boolean);
+
+function permissionsFor(username) {
+    return NODERED_ADMINS.includes((username || "").toLowerCase()) ? "*" : ["read"];
+}
+
+// In-memory state store for the OIDC handshake. Node-RED's adminAuth gives us
+// req.session, but for safety (and because we don't actually need anything
+// beyond CSRF on the state param), we keep state in a process-local Map keyed
+// by a random handle (sent as the `state` query param).
+const _crypto = require("crypto");
+const _stateStore = new Map();
+const _STATE_TTL_MS = 10 * 60 * 1000;
+setInterval(function() {
+    const now = Date.now();
+    for (const [k, v] of _stateStore) {
+        if (v.expires < now) _stateStore.delete(k);
+    }
+}, 60 * 1000).unref();
+
+module.exports = {
+    uiPort: process.env.PORT || 1880,
+
+    adminAuth: {
+        type: "strategy",
+        strategy: {
+            name: "openidconnect",
+            label: "Sign in with Keycloak",
+            icon: "fa-sign-in",
+            strategy: require("passport-openidconnect").Strategy,
+            options: {
+                issuer:           "https://auth.wbd-rd.nl/realms/wbd",
+                authorizationURL: "https://auth.wbd-rd.nl/realms/wbd/protocol/openid-connect/auth",
+                tokenURL:         "https://auth.wbd-rd.nl/realms/wbd/protocol/openid-connect/token",
+                userInfoURL:      "https://auth.wbd-rd.nl/realms/wbd/protocol/openid-connect/userinfo",
+                clientID:     process.env.NODERED_OAUTH_CLIENT_ID || "node-red",
+                clientSecret: process.env.NODERED_OAUTH_CLIENT_SECRET,
+                callbackURL:  "https://flow.wbd-rd.nl/auth/strategy/callback/",
+                scope:        ["openid", "email", "profile"],
+                proxy: true,
+                store: {
+                    store: function(req, ctx, appState, meta, cb) {
+                        const handle = _crypto.randomBytes(18).toString("hex");
+                        _stateStore.set(handle, {
+                            ctx: ctx || {},
+                            appState: appState,
+                            expires: Date.now() + _STATE_TTL_MS,
+                        });
+                        cb(null, handle);
+                    },
+                    verify: function(req, handle, cb) {
+                        const entry = _stateStore.get(handle);
+                        if (!entry) return cb(null, false, { message: "Unknown auth state" });
+                        _stateStore.delete(handle);
+                        if (entry.expires < Date.now()) {
+                            return cb(null, false, { message: "Expired auth state" });
+                        }
+                        cb(null, entry.ctx, entry.appState);
+                    },
+                },
+                // Standard 3-arg verify; pass the username forward so users(username) can build the user.
+                verify: function(issuer, profile, done) {
+                    const json = (profile && profile._json) || {};
+                    const username = (
+                        (profile && profile.username)
+                        || json.preferred_username
+                        || (profile && profile.emails && profile.emails[0] && profile.emails[0].value)
+                        || json.email
+                        || (profile && profile.id)
+                        || "unknown"
+                    ).toString().toLowerCase();
+                    done(null, { username: username });
+                },
+            },
+        },
+        // Resolve a username (as produced by verify above) into a full Node-RED user.
+        // Anyone the realm vouches for is allowed in; admins from NODERED_ADMIN_USERS get "*",
+        // everyone else gets read-only.
+        users: function(username) {
+            return Promise.resolve({
+                username: (username || "").toLowerCase(),
+                permissions: permissionsFor(username),
+            });
+        },
+    },
+
+    editorTheme: {
+        projects: { enabled: false },
+        page: { title: "WBD Node-RED" },
+    },
+
+    functionGlobalContext: {},
+
+    logging: {
+        console: {
+            level: "info",
+            metrics: false,
+            audit: false,
+        },
+    },
+};