Add ONVIF authentication with UsernameToken support #2231

Open
ssttevee wants to merge 1 commit into AlexxIT:master from ssttevee:onvif-auth

@ssttevee

AI DISCLOSURE: This feature was so straightforward that I wanted to try using codex and as far as I can tell, it did quite well. I did review the changes before opening this PR and nothing really bad stuck out to me (some global vars but seems valid tbh).

Summary

  • stop applying api.username / api.password HTTP Basic auth to /onvif/* so ONVIF SOAP requests can reach the ONVIF handler
  • add dedicated onvif.username / onvif.password config and validate WS-Security UsernameToken credentials inside the ONVIF service
  • keep GetSystemDateAndTime unauthenticated and return an ONVIF-style ter:NotAuthorized SOAP fault when ONVIF auth fails

Reasoning

External ONVIF clients such as ODM, NVRs, and VMS platforms typically authenticate with WS-Security UsernameToken in the SOAP header, not HTTP Basic auth. When go2rtc applies API Basic auth to the shared HTTP listener, those clients fail before the SOAP request can be processed.

This change separates the two auth layers:

  • Web API remains protected by api.username / api.password
  • ONVIF can be protected independently with WS-Security credentials
  • GetSystemDateAndTime stays open because ONVIF clients commonly use it first to calculate clock skew before generating a valid password digest

Sources

Testing

  • go test ./pkg/onvif ./internal/api ./internal/onvif

closes #2148

- Allow independent ONVIF auth via config
- Skip API auth for /onvif/* paths
- Require WS-Security UsernameToken for ONVIF SOAP requests
- Add tests for ONVIF and API authentication logic
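
The UsernameToken check the description refers to, including the clock dependence that is its stated reason for leaving GetSystemDateAndTime open, sketched as an added example; it is not code from this PR or from go2rtc. The names `UsernameToken`, `MakeDigest` and `Verify` and the skew window are assumptions; the digest formula is the PasswordDigest form from the WS-Security UsernameToken Profile.

```go
package main

import (
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"time"
)

type UsernameToken struct{ Username, Digest, Nonce, Created string } // wsse:Security header values

// MakeDigest returns Base64(SHA-1(nonce || created || password)).
func MakeDigest(nonce []byte, created, password string) string {
	buf := append(append(append([]byte{}, nonce...), created...), password...)
	sum := sha1.Sum(buf)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// Verify is a hypothetical helper; skew is an assumed tolerance on Created.
func Verify(t UsernameToken, user, pass string, now time.Time, skew time.Duration) error {
	nonce, err := base64.StdEncoding.DecodeString(t.Nonce)
	if err != nil || len(nonce) == 0 {
		return errors.New("malformed nonce")
	}
	created, err := time.Parse(time.RFC3339, t.Created)
	if err != nil {
		return errors.New("malformed created timestamp")
	}
	if d := now.Sub(created); d > skew || d < -skew {
		return errors.New("created timestamp outside allowed skew")
	}
	// Constant-time comparisons avoid leaking how many bytes matched.
	okUser := subtle.ConstantTimeCompare([]byte(t.Username), []byte(user))
	okDigest := subtle.ConstantTimeCompare([]byte(t.Digest), []byte(MakeDigest(nonce, t.Created, pass)))
	if okUser&okDigest != 1 {
		return errors.New("not authorized")
	}
	return nil
}

func main() {
	now := time.Now().UTC()
	created := now.Format(time.RFC3339)
	nonce := []byte("constructed-nonce") // constructed sample value
	tok := UsernameToken{"admin", MakeDigest(nonce, created, "secret"), base64.StdEncoding.EncodeToString(nonce), created}
	fmt.Println(Verify(tok, "admin", "secret", now, 30*time.Second))
}
```

A deployed verifier would also remember nonces seen within the skew window so that a captured header cannot be replayed.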

Development

Successfully merging this pull request may close these issues.

Feature Request: Separate ONVIF server authentication from API HTTP Basic Auth