Add Authentik SSO integration for Jellyfin (#239)

## Summary
- Add Authentik OIDC provider + application for Jellyfin via blueprint (all authenticated users allowed, no policy binding)
- Wire `jellyfin-client-secret` through ExternalSecret and Authentik worker deployment
- Install [jellyfin-plugin-sso](https://github.com/9p4/jellyfin-plugin-sso) v4.0.0.3 via Ansible, with OIDC config template
- Authentik `admins` group maps to Jellyfin administrator role
- Local login left enabled; SSO is additive

## Deployment and Testing
- [ ] Sync ArgoCD `authentik` app on branch — verify provider + application appear in Authentik admin
- [ ] `mise run provision-indri -- --tags jellyfin --check --diff` (dry run)
- [ ] `mise run provision-indri -- --tags jellyfin` (deploy plugin + config)
- [ ] Test SSO flow: `https://jellyfin.ops.eblu.me/sso/OID/start/authentik`
- [ ] Verify `eblume` account auto-links via `preferred_username` match
- [ ] Verify admins group → Jellyfin admin
- [ ] Reset ArgoCD app revision to main after merge

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/239

ansible/playbooks/indri.yml

@@ -161,6 +161,23 @@
       no_log: true
       tags: [caddy]
 
+    # Jellyfin SSO client secret
+    - name: Fetch Jellyfin OIDC client secret
+      ansible.builtin.command:
+        cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/oor7os5kapczgpbwv7obkca4y4/jellyfin-client-secret"
+      delegate_to: localhost
+      register: _jellyfin_oidc_secret
+      changed_when: false
+      no_log: true
+      check_mode: false
+      tags: [jellyfin]
+
+    - name: Set Jellyfin OIDC client secret fact
+      ansible.builtin.set_fact:
+        jellyfin_sso_client_secret: "{{ _jellyfin_oidc_secret.stdout }}"
+      no_log: true
+      tags: [jellyfin]
+
     # Jellyfin API key for metrics collection
     - name: Fetch Jellyfin API key
       ansible.builtin.command: