Add Authentik blueprints for automated OAuth2/OIDC setup

Automate the manual Authentik configuration process using native YAML blueprints
that are applied on container startup.

Changes:
- Add kaboot-setup.yaml blueprint for local development
- Add kaboot-setup-production.yaml.example for production with configurable domains
- Update docker-compose.yml and docker-compose.prod.yml to mount blueprints
- Add AUTHENTIK_BOOTSTRAP_PASSWORD/TOKEN env vars for automated admin setup
- Update setup.sh to generate bootstrap credentials and display admin password
- Update Caddyfile.example with proper proxy headers for Authentik
- Add Caddyfile to .gitignore (user-specific config)
- Update docs with Quick Start sections for automated setup

The blueprints create:
- OAuth2/OIDC provider (public client, client_id: kaboot-spa)
- Kaboot application with redirect URIs
- kaboot-users group with application binding
- Enrollment flow with sign-up capability
- Password complexity policy
- Test user and service account (passwords set manually)

docker-compose.caddy.yml

@@ -1,15 +1,16 @@
 # Caddy Reverse Proxy for Kaboot Production
 # 
 # This compose file adds Caddy as a reverse proxy with automatic HTTPS.
-# Use with the main docker-compose.yml using the -f flag.
+# Use with docker-compose.prod.yml using the -f flag.
 #
 # Usage:
-#   docker compose -f docker-compose.yml -f docker-compose.caddy.yml up -d
+#   docker compose -f docker-compose.prod.yml -f docker-compose.caddy.yml up -d
 #
 # Prerequisites:
-#   1. Create a Caddyfile in the project root (see docs/PRODUCTION.md)
+#   1. Copy Caddyfile.example to Caddyfile and update domains
 #   2. Build the frontend: npm run build
 #   3. Update your domain DNS to point to your server
+#   4. See docs/PRODUCTION.md for full instructions
 
 services:
   caddy: