mautrix-gmessages: expose bridge HTTP API (for mautrix-manager and similar)

Add a generic mechanism for exposing bridges' HTTP API (the provisioning
API, etc.) publicly on the Matrix domain, so tools like mautrix-manager
(https://github.com/mautrix/manager) can drive bridge login.

- Introduce global matrix_bridges_exposure_* vars (on by default),
  exposing each supported bridge under `<matrix-fqn>/bridges/<bridge>`.
- mautrix-gmessages: make the provisioning shared secret configurable
  (auto-generated in group_vars) so the provisioning API is enabled,
  route the whole bridge HTTP port via Traefik, and populate
  appservice.public_address.

Requests are authenticated by the bridge itself (per-user Matrix access
token for the provisioning API, homeserver token for the appservice
endpoints), not by the reverse proxy.

This is the first bridge converted; the other mautrix bridges will follow.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

roles/custom/matrix-base/defaults/main.yml

@@ -54,6 +54,15 @@ matrix_bridges_msc4190_enabled: "{{ matrix_authentication_service_enabled and ma
 # Global var for enabling bridge self-signing ( On supported bridges)
 matrix_bridges_self_sign_enabled: "{{ matrix_bridges_msc4190_enabled }}"
 
+# Global vars for exposing bridges' HTTP API publicly on the Matrix domain.
+# This is used by tools like mautrix-manager (https://github.com/mautrix/manager) to drive bridge login.
+# Each supported bridge's HTTP endpoint is exposed under `<path_prefix>/<bridge>` (e.g. `/bridges/gmessages`).
+# Requests are authenticated by the bridge itself (e.g. per-user Matrix access token for the provisioning API,
+# or the homeserver token for the appservice endpoints), not by us.
+matrix_bridges_exposure_enabled: true
+matrix_bridges_exposure_hostname: "{{ matrix_server_fqn_matrix }}"
+matrix_bridges_exposure_path_prefix: /bridges
+
 # Global var to enable/disable relay mode across all bridges with relay mode support
 matrix_bridges_relay_enabled: false