authentik: add public guest auto-login flow + dedicated outpost + traefik public middleware

Phase 1+2 of default-deny ingress plan. Adds the infrastructure for an `auth = "public"`
ingress tier that auto-binds anonymous requests to a `guest` Authentik user (no UI
prompt), so public sites are still recorded as authenticated by Authentik for audit
purposes — but as `guest`, not by leaking the standard catchall flow.

- guest user in `Public Guests` group (NOT `Allow Login Users`).
- `public-auto-login` flow: stage_binding policy sets `pending_user = guest`,
  `evaluate_on_plan = false` + `re_evaluate_policies = true` so flow_plan is
  populated when the policy mutates it; `authentication = none` lets anonymous
  requests enter.
- `Provider for Public` proxy provider (forward_domain, cookie_domain
  viktorbarzin.me) with `authentication_flow = public-auto-login`.
- Dedicated `public` outpost: only the public provider bound, deployed as
  `ak-outpost-public` Deployment+Service in the `authentik` namespace by
  Authentik's K8s controller.
- `public-auth.viktorbarzin.me` ingress exposes the public outpost's
  `/outpost.goauthentik.io/*` so OAuth callbacks land on it (the embedded
  outpost doesn't know about the public provider, so `authentik.viktorbarzin.me`
  callbacks would fail).
- `authentik-forward-auth-public` traefik middleware points at the public
  outpost service (not via the auth-proxy nginx fallback). The plan's
  `?app=public` dispatch idea was tested and rejected — the embedded outpost
  dispatches purely by Host header, so a dedicated outpost was the only way
  to isolate the public flow without conflicts.

No ingresses use the new middleware yet — Phase 3+4 (the ingress_factory
`auth` variable refactor + audit pass) wires it up. This commit is additive
and behaviour-neutral.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

stacks/traefik/modules/traefik/middleware.tf

@@ -26,7 +26,8 @@ resource "kubernetes_manifest" "middleware_rate_limit" {
   depends_on = [helm_release.traefik]
 }
 
-# Authentik forward auth middleware
+# Authentik forward auth middleware (default — login required).
+# Used by ingress_factory `auth = "required"`.
 resource "kubernetes_manifest" "middleware_authentik_forward_auth" {
   manifest = {
     apiVersion = "traefik.io/v1alpha1"
@@ -54,6 +55,46 @@ resource "kubernetes_manifest" "middleware_authentik_forward_auth" {
   depends_on = [helm_release.traefik]
 }
 
+# Authentik forward auth — public tier. Calls the dedicated public outpost
+# (`ak-outpost-public.authentik.svc`) where the `Public` proxy provider is the
+# only bound provider, so every request runs the `public-auto-login` flow and
+# auto-binds anonymous users to the `guest` user. Users with an existing
+# Authentik session keep their real identity in `X-authentik-username`.
+# Used by ingress_factory `auth = "public"`.
+#
+# This is intentionally a different upstream from the standard middleware
+# (which targets the embedded outpost via the auth-proxy nginx fallback). The
+# `?app=` query param is NOT a working dispatch knob in current Authentik —
+# the embedded outpost dispatches by Host header alone, and the catchall's
+# forward_domain mode already claims viktorbarzin.me, so the only way to
+# isolate the public flow is via a dedicated outpost.
+resource "kubernetes_manifest" "middleware_authentik_forward_auth_public" {
+  manifest = {
+    apiVersion = "traefik.io/v1alpha1"
+    kind       = "Middleware"
+    metadata = {
+      name      = "authentik-forward-auth-public"
+      namespace = kubernetes_namespace.traefik.metadata[0].name
+    }
+    spec = {
+      forwardAuth = {
+        address            = "http://ak-outpost-public.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik"
+        trustForwardHeader = true
+        authResponseHeaders = [
+          "X-authentik-username",
+          "X-authentik-uid",
+          "X-authentik-email",
+          "X-authentik-name",
+          "X-authentik-groups",
+          "Set-Cookie",
+        ]
+      }
+    }
+  }
+
+  depends_on = [helm_release.traefik]
+}
+
 # IP allowlist for local-only access
 resource "kubernetes_manifest" "middleware_local_only" {
   manifest = {