Hi Jassperff - What you're looking to do is pretty straightforward and I do almost exactly what you're looking to do.
It looks like you have all the basics going and you're fine with the controller being default gateway to VLAN30.
Whether you're wired or wireless, the policies accociated with your user roles will determine whether traffic is tunneled or bridged out to the internet. If you use the "permit" operator, it will go over the tunnel. "Route" or "route src-nat" will bridge traffic right out the RAP's E0 port. If it's just "route" then the route will send the traffic out with the host's ip address unmodified, "route src-nat" will NAT the host's address to the RAP's E0 address, which is most likey what you want. So, in your case, your policy would generally look like this:
ip access-list session sample-policy
user any udp 68 deny
any any svc-dchp permit
user network 10.10.0.0 255.255.0.0 any permit
user any any route src-nat
user-role sample-role
session-acl sample-policy
For your "Branch30" SSID, you seem to have that handled, just use "sample-role" for that VAP, and for your wired users as well. They will all need to be in VLAN 30.
Your backup scenarios are all viable and I do exactly what you're want to do as well, but it's a little more work. What I'm going to describe is what I designed, someone may do things a little differently, but it works for sure. First, to have a RAP takeover DHCP, what I did was create a "dummy" vlan on my controller, VLAN 999 with no VLAN interface associated with it. My backup SSID is associated with that VLAN and is in bridge mode. I create that VLAN so I can associate the RAP's DHCP pool to that VLAN, which is only in effect when I'm in backup mode. So for you, the relevant pieces are:
vlan 999
ap system-profile "RAP-PROFILE"
rap-dhcp-server-vlan 999
rap-dhcp-server-id 192.168.30.253
rap-dhcp-default-router 192.168.30.253
rap-dhcp-dns-server x.x.x.x
rap-dhcp-pool-start 192.168.30.151
rap-dhcp-pool-end 192.168.30.250
rap-dhcp-pool-netmask 255.255.255.0
rap-dhcp-lease 1
rap-local-network-access (this isn't part of DHCP, but good to turn on)
Now, create your "Backup30" SSID, make its VAP be bridged forwarding mode and its Remore AP Operation will be "backup", build the policies and roles, and everything in the policies will be "route src-nat" so it will get bridged.
For your wired ports, there's nothing really to change, except make sure their AP wired port profileh as "Remote-AP Backup" checked in the GUI.
If you note, I used 192.168.30.253 as the RAP DHCP server ID and the default-gateway. I do that because when I did lab testing, if I used .254, I sometimes saw that my client's arp entries were stale with the controller's MAC address, not the RAP's mac address. I got around that with that method.
Good luck!