Make FreedomBox an OpenID Connect Identity Provider
This is consolidation of plans discussed in #400 (closed) and !2697.
Implement an Identity Provider as defined in OpenID Connect (OIDC) for the FreedomBox web service. This will allow applications such as Matrix Synapse and Nextcloud to use FreedomBox for authentication and authorization.
- Applications can use FreedomBox's user accounts instead of having their own password database. Due to the ubiquity of OAuth2/OpenID Connect, applications are more likely to support OpenID Connect than LDAP.
- Applications can use FreedomBox for single sign-on. Currently, we have a custom solution based on mod_auth_pubtkt. This solution is not natively supported by any application, which leads to various limitations. Notably, it does not work for client applications such as mobile apps and other client apps; for these, we continue to use the LDAP auth provider with Apache. An OIDC-based solution could solve a lot of these issues, including logout.
- If all apps rely on OIDC instead of querying LDAP, we can eventually drop the LDAP server in FreedomBox. This will reduce unreliability and allow us to use systemd's JSON user records and systemd-homed's features such as home directory encryption.
To implement:
- Implement an OIDC Identity Provider using django-oauth-toolkit.
- Create a component to easily register a FreedomBox app as a client application (and keep the registration updated across uninstall, re-run setup and restore operations).
- Make a sample OIDC-aware application use the identity provider for single sign-on.
- Make a sample OIDC-unaware application use the identity provider for single sign-on using Apache's mod_auth_openidc.
- Migrate various applications to single sign-on using OIDC or Basic Authentication (with PAM):
  - Matrix Synapse
  - SOGo
  - Nextcloud
  - ejabberd
  - ikiwiki
  - radicale
  - rssbridge
  - ttrss (defunct)
  - transmission
  - gitweb
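As an added illustration of the mod_auth_openidc step above (example configuration written for this page, not taken from this issue or from the FreedomBox project), the Apache fragment below places an OIDC-unaware application served under `/legacyapp/` behind the FreedomBox identity provider. The provider host name, the `/o/` mount path of the django-oauth-toolkit provider, the client ID and secret, the redirect path and the `preferred_username` and `groups` claim names are all assumptions or placeholders that a real deployment would replace with the values produced when the app is registered with the provider.

```apache
# Added example: protect an OIDC-unaware app (served under /legacyapp/) with
# mod_auth_openidc, using FreedomBox as the OpenID Connect provider.
# Assumed: the django-oauth-toolkit provider is mounted under /o/ on the
# FreedomBox host, so discovery lives at /o/.well-known/openid-configuration.
OIDCProviderMetadataURL https://freedombox.example/o/.well-known/openid-configuration

# Client credentials issued when the app was registered with the provider
# (placeholders; generated values would normally be kept in a separate file
# readable only by the web server user, not inline in the vhost config).
OIDCClientID     legacyapp-client-id-PLACEHOLDER
OIDCClientSecret legacyapp-client-secret-PLACEHOLDER

# Redirect URI registered with the provider. It must be a path below the
# protected location that the backend application itself never serves.
OIDCRedirectURI https://freedombox.example/legacyapp/redirect_uri

# Random secret used to encrypt mod_auth_openidc's session and state cookies.
OIDCCryptoPassphrase "replace-with-a-long-random-string"

# Request the standard identity scopes; "openid" is mandatory.
OIDCScope "openid profile email"

# Map the provider's username claim to REMOTE_USER so the application sees
# the FreedomBox login name, as it did with mod_auth_pubtkt/LDAP.
# ("preferred_username" is an assumed claim name; the provider must emit it.)
OIDCRemoteUserClaim preferred_username

# Hand the remaining claims to the backend as request headers prefixed
# OIDC_CLAIM_ (e.g. OIDC_CLAIM_email) rather than as environment variables.
OIDCPassClaimsAs headers
OIDCClaimPrefix OIDC_CLAIM_

# Always verify the provider's TLS certificate (the default, made explicit).
OIDCSSLValidateServer On

<Location /legacyapp/>
    AuthType openid-connect
    # Any authenticated FreedomBox user may use the app ...
    Require valid-user
</Location>

<Location /legacyapp/admin/>
    AuthType openid-connect
    # ... but the admin area additionally requires the value "admin" in the
    # "groups" claim (assumed claim name; the provider must include it).
    Require claim groups:admin
</Location>
```

Because the backend trusts `REMOTE_USER` and the `OIDC_CLAIM_*` headers set by the module, it must only be reachable through this Apache instance; mod_auth_openidc removes incoming headers carrying the claim prefix on the locations it protects, but a backend exposed on another port or host would bypass that. Logout for such an app is also handled by the module rather than the app, which is the gap the issue notes for the mod_auth_pubtkt approach.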
CC: @vexch