refactor(idp): make NetBird single source of truth for authorization

Remove duplicate authorization data from Zitadel IdP. NetBird now stores
all authorization data (account membership, invite status, roles) locally,
while Zitadel only stores identity information (email, name, credentials).

Changes:
- Add PendingInvite field to User struct to track invite status locally
- Simplify IdP Manager interface: remove metadata methods, add GetAllUsers
- Update cache warming to match IdP users against NetBird DB
- Remove addAccountIDToIDPAppMeta and all wt_* metadata writes
- Delete legacy IdP managers (Auth0, Azure, Keycloak, Okta, Google
  Workspace, JumpCloud, Authentik, PocketId) - only Zitadel supported

infrastructure_files/base.setup.env

@@ -2,29 +2,20 @@
 
 # Management API
 
-# Management API port
-NETBIRD_MGMT_API_PORT=${NETBIRD_MGMT_API_PORT:-33073}
-# Management API endpoint address, used by the Dashboard
-NETBIRD_MGMT_API_ENDPOINT=https://$NETBIRD_DOMAIN:$NETBIRD_MGMT_API_PORT
-# Management Certificate file path. These are generated by the Dashboard container
-NETBIRD_LETSENCRYPT_DOMAIN=$NETBIRD_DOMAIN
-NETBIRD_MGMT_API_CERT_FILE="/etc/letsencrypt/live/$NETBIRD_LETSENCRYPT_DOMAIN/fullchain.pem"
-# Management Certificate key file path.
-NETBIRD_MGMT_API_CERT_KEY_FILE="/etc/letsencrypt/live/$NETBIRD_LETSENCRYPT_DOMAIN/privkey.pem"
+# Management API endpoint address, used by the Dashboard (Caddy handles TLS)
+NETBIRD_MGMT_API_ENDPOINT=${NETBIRD_HTTP_PROTOCOL:-https}://$NETBIRD_DOMAIN
 # By default Management single account mode is enabled and domain set to $NETBIRD_DOMAIN, you may want to set this to your user's email domain
 NETBIRD_MGMT_SINGLE_ACCOUNT_MODE_DOMAIN=$NETBIRD_DOMAIN
 NETBIRD_MGMT_DNS_DOMAIN=${NETBIRD_MGMT_DNS_DOMAIN:-netbird.selfhosted}
-NETBIRD_MGMT_IDP_SIGNKEY_REFRESH=${NETBIRD_MGMT_IDP_SIGNKEY_REFRESH:-false}
 NETBIRD_MGMT_DISABLE_DEFAULT_POLICY=${NETBIRD_MGMT_DISABLE_DEFAULT_POLICY:-false}
 
 # Signal
-NETBIRD_SIGNAL_PROTOCOL="http"
-NETBIRD_SIGNAL_PORT=${NETBIRD_SIGNAL_PORT:-10000}
+NETBIRD_SIGNAL_PROTOCOL=${NETBIRD_HTTP_PROTOCOL:-https}
+NETBIRD_SIGNAL_PORT=${NETBIRD_SIGNAL_PORT:-443}
 
-# Relay
-NETBIRD_RELAY_DOMAIN=${NETBIRD_RELAY_DOMAIN:-$NETBIRD_DOMAIN}
-NETBIRD_RELAY_PORT=${NETBIRD_RELAY_PORT:-33080}
-NETBIRD_RELAY_ENDPOINT=${NETBIRD_RELAY_ENDPOINT:-rel://$NETBIRD_RELAY_DOMAIN:$NETBIRD_RELAY_PORT}
+# Relay (internal port for Caddy reverse proxy)
+NETBIRD_RELAY_INTERNAL_PORT=${NETBIRD_RELAY_INTERNAL_PORT:-80}
+NETBIRD_RELAY_ENDPOINT=${NETBIRD_RELAY_ENDPOINT:-${NETBIRD_RELAY_PROTO:-rels}://$NETBIRD_DOMAIN:${NETBIRD_RELAY_PORT:-443}}
 # Relay auth secret
 NETBIRD_RELAY_AUTH_SECRET=
 
@@ -141,3 +132,57 @@ export NETBIRD_RELAY_ENDPOINT
 export NETBIRD_RELAY_AUTH_SECRET
 export NETBIRD_RELAY_TAG
 export NETBIRD_MGMT_DISABLE_DEFAULT_POLICY
+
+# Zitadel IdP Configuration
+ZITADEL_TAG=${ZITADEL_TAG:-"v4.7.6"}
+# Zitadel masterkey (32 bytes, auto-generated if not set)
+ZITADEL_MASTERKEY=
+# Zitadel admin credentials (auto-generated if not set)
+ZITADEL_ADMIN_USERNAME=
+ZITADEL_ADMIN_PASSWORD=
+# Zitadel external configuration
+ZITADEL_EXTERNALSECURE=${ZITADEL_EXTERNALSECURE:-true}
+ZITADEL_EXTERNALPORT=${ZITADEL_EXTERNALPORT:-443}
+ZITADEL_TLS_MODE=${ZITADEL_TLS_MODE:-external}
+# Zitadel PAT expiration (1 year from startup)
+ZITADEL_PAT_EXPIRATION=
+# Zitadel management endpoint
+ZITADEL_MANAGEMENT_ENDPOINT=${NETBIRD_HTTP_PROTOCOL:-https}://$NETBIRD_DOMAIN/management/v1
+# HTTP protocol (http or https)
+NETBIRD_HTTP_PROTOCOL=${NETBIRD_HTTP_PROTOCOL:-https}
+# Caddy configuration
+NETBIRD_CADDY_PORT=${NETBIRD_CADDY_PORT:-80}
+CADDY_SECURE_DOMAIN=
+
+# Zitadel OIDC endpoints
+NETBIRD_AUTH_AUTHORITY=${NETBIRD_HTTP_PROTOCOL:-https}://$NETBIRD_DOMAIN
+NETBIRD_AUTH_TOKEN_ENDPOINT=${NETBIRD_AUTH_AUTHORITY}/oauth/v2/token
+NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT=${NETBIRD_AUTH_AUTHORITY}/.well-known/openid-configuration
+NETBIRD_AUTH_JWT_CERTS=${NETBIRD_AUTH_AUTHORITY}/.well-known/jwks.json
+NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT=${NETBIRD_AUTH_AUTHORITY}/oauth/v2/authorize
+NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT=${NETBIRD_AUTH_AUTHORITY}/oauth/v2/device_authorization
+NETBIRD_AUTH_USER_ID_CLAIM=${NETBIRD_AUTH_USER_ID_CLAIM:-sub}
+NETBIRD_AUTH_SUPPORTED_SCOPES=${NETBIRD_AUTH_SUPPORTED_SCOPES:-"openid profile email offline_access"}
+
+# Zitadel exports
+export ZITADEL_TAG
+export ZITADEL_MASTERKEY
+export ZITADEL_ADMIN_USERNAME
+export ZITADEL_ADMIN_PASSWORD
+export ZITADEL_EXTERNALSECURE
+export ZITADEL_EXTERNALPORT
+export ZITADEL_TLS_MODE
+export ZITADEL_PAT_EXPIRATION
+export ZITADEL_MANAGEMENT_ENDPOINT
+export NETBIRD_HTTP_PROTOCOL
+export NETBIRD_CADDY_PORT
+export CADDY_SECURE_DOMAIN
+export NETBIRD_AUTH_AUTHORITY
+export NETBIRD_AUTH_TOKEN_ENDPOINT
+export NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT
+export NETBIRD_AUTH_JWT_CERTS
+export NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT
+export NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT
+export NETBIRD_AUTH_USER_ID_CLAIM
+export NETBIRD_AUTH_SUPPORTED_SCOPES
+export NETBIRD_RELAY_INTERNAL_PORT