Set right Zulip role for admins
Currently, Stackspin admins do not get any special role in Zulip, but only have "member" permissions. They should be something like "organization admin" or "owner", probably. I'm not sure if we can do this through SSO, or SCIM, or have to use a more manual Zulip CLI action for that.
TODO:

- Run provisioning directly after relevant changes:
  - creating a new user
  - changing the role of a user
  - deleting a user
  - installing a new app; in this case also add app roles at least for all admin users
- Implement locking to prevent multiple concurrent provision runs.
- The dashboard starts before Nextcloud and Zulip are installed, so at that time the SCIM config secrets do not exist yet. We should restart the dashboard or possibly make it reload its SCIM config from the secrets once they do.
- Deal with the external (per-app) SCIM ID of users properly. This is tricky because of existing users from before SCIM, and possibly ones that are created on the fly when logging in because SCIM failed or was too late for some reason.
  - Set the SCIM ID in the Stackspin database when creating a user via SCIM.
  - Deal with the case of an unset SCIM ID at runtime. This is the same as what the migration would need to do, so we opt to only do this at runtime, saving us from writing a migration.
  - [ ] Write a migration to set the SCIM ID for existing users. For Nextcloud I think we can read off the Kratos user ID from the SCIM user listing, but for Zulip that's not in the listing, so we'll need to match users based on their email address :/
- As it turns out, setting the user role via SCIM is a relatively new addition, so we'll need to upgrade Zulip first.
- We currently loop over all `app_role` entries. However, Stackspin admin users have implicit access, so there might not always be `app_role` entries for them.
- Maybe use the `startIndex` and `count` parameters on the SCIM user listing in a loop to make sure we retrieve all users.
Edited by Arie Peterson
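Two of the TODO items above (paging through the SCIM user listing with `startIndex`/`count`, and matching existing users to their per-app SCIM ID by `externalId` where the listing carries the Kratos user ID and by email where it does not) can be sketched together. The following is an added example written for this issue, not code from the Stackspin dashboard. It assumes a SCIM 2.0 `ListResponse` (1-based `startIndex`, `count`, `totalResults`, `Resources`) and uses a constructed in-memory stand-in for the `/Users` endpoint so it runs offline; the `FAKE_SERVER_USERS`, `fake_list_users`, local user dicts and Kratos IDs are all made up for illustration.

```python
"""Paginated SCIM /Users listing plus matching of local users to SCIM IDs.

Added example for the Stackspin SCIM TODO, not project code. Assumes a
SCIM 2.0 ListResponse (RFC 7644 section 3.4.2) with 1-based startIndex.
"""
from typing import Callable, Dict, Iterator, List, Optional, Set

# Constructed sample of what a SCIM server might hold (not real data).
# scim-1 and scim-2 carry externalId (as a Nextcloud-style listing would);
# scim-3 does not (as a Zulip-style listing would), so only email can match it.
FAKE_SERVER_USERS: List[dict] = [
    {"id": "scim-1", "userName": "alice", "externalId": "kratos-aaa",
     "emails": [{"value": "Alice@example.org", "primary": True}]},
    {"id": "scim-2", "userName": "bob", "externalId": "kratos-bbb",
     "emails": [{"value": "bob@example.org", "primary": True}]},
    {"id": "scim-3", "userName": "carol",
     "emails": [{"value": "carol@example.org", "primary": True}]},
]


def fake_list_users(start_index: int, count: int) -> dict:
    """Stand-in for GET /Users?startIndex=..&count=.. (constructed, offline)."""
    start = max(start_index, 1)  # SCIM startIndex is 1-based; clamp like a server
    page = FAKE_SERVER_USERS[start - 1:start - 1 + count]
    return {
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
        "totalResults": len(FAKE_SERVER_USERS),
        "startIndex": start,
        "itemsPerPage": len(page),
        "Resources": page,
    }


def iter_all_scim_users(list_page: Callable[[int, int], dict],
                        page_size: int = 2) -> Iterator[dict]:
    """Yield every user by walking startIndex/count pages up to totalResults.

    Advances by the number of resources actually returned (a server may cap
    count below what was asked) and stops when a page brings nothing new, so
    an empty page or a server that ignores startIndex cannot loop forever.
    """
    seen: Set[str] = set()
    start_index = 1
    while True:
        page = list_page(start_index, page_size)
        resources = page.get("Resources") or []
        fresh = [r for r in resources if r["id"] not in seen]
        if not fresh:
            return
        for resource in fresh:
            seen.add(resource["id"])
            yield resource
        start_index += len(resources)
        if start_index > page.get("totalResults", 0):
            return


def primary_email(resource: dict) -> Optional[str]:
    """Lower-cased primary email of a SCIM user, or its first email, or None."""
    emails = resource.get("emails") or []
    for entry in emails:
        if entry.get("primary"):
            return entry.get("value", "").lower()
    return emails[0].get("value", "").lower() if emails else None


def match_scim_ids(local_users: List[dict],
                   scim_users: List[dict]) -> Dict[str, Optional[str]]:
    """Map each local Kratos user ID to the app's SCIM ID.

    Prefers externalId (exact, set by us at provisioning time) and falls
    back to the email address; None means no match, i.e. the unset-SCIM-ID
    case where the user still has to be created via SCIM.
    """
    by_external = {u["externalId"]: u["id"]
                   for u in scim_users if u.get("externalId")}
    by_email = {}
    for u in scim_users:
        email = primary_email(u)
        if email:
            by_email[email] = u["id"]
    result: Dict[str, Optional[str]] = {}
    for local in local_users:
        scim_id = by_external.get(local["kratos_id"])
        if scim_id is None:
            scim_id = by_email.get(local["email"].lower())
        result[local["kratos_id"]] = scim_id
    return result


def run_example() -> Dict[str, Optional[str]]:
    """Walk the fake listing and match it against constructed local users."""
    local_users = [  # constructed Stackspin-side users, SCIM ID not yet stored
        {"kratos_id": "kratos-aaa", "email": "alice@example.org"},
        {"kratos_id": "kratos-bbb", "email": "bob@example.org"},
        {"kratos_id": "kratos-ccc", "email": "carol@example.org"},
        {"kratos_id": "kratos-ddd", "email": "dave@example.org"},
    ]
    scim_users = list(iter_all_scim_users(fake_list_users, page_size=2))
    return match_scim_ids(local_users, scim_users)


if __name__ == "__main__":
    print(run_example())
```

The email fallback is the weak spot the issue already hints at: it matches case-insensitively and silently picks the last SCIM user with a given address, so a listing with duplicate or stale addresses would need an explicit conflict check before writing the SCIM ID into the database.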