owntracks: explicit auth = "none" — Phase 5 audit completion

The Phase 4 audit pass missed this site because the previous agent scoped
out owntracks (it overrides the factory's middleware list via
extra_annotations to use its own basic-auth middleware). Adding the explicit
auth = "none" satisfies Phase 5's "every ingress has an explicit decision"
goal and makes the intent visible — mobile OwnTracks clients post location
data via HTTP basic-auth and can't follow Authentik forward-auth 302s.

Closes the loop on Phase 5: 122/122 active ingress_factory call sites now
carry an explicit auth = "..." decision (zero callers rely on the default).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Viktor Barzin 2026-05-10 18:55:04 +00:00
parent ff5538a667
commit 143413dc0b

@ -226,7 +226,12 @@ resource "kubernetes_service" "owntracks" {
}
module "ingress" {
source = "../../modules/kubernetes/ingress_factory"
source = "../../modules/kubernetes/ingress_factory"
# OwnTracks mobile clients post location data over HTTP basic-auth (see the
# `owntracks-basic-auth` middleware below). They can't follow forward-auth
# 302s, so Authentik is bypassed; the `extra_annotations` block below
# overrides the factory's middleware list anyway.
auth = "none"
dns_type = "proxied"
namespace = kubernetes_namespace.owntracks.metadata[0].name
name = "owntracks"
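Review bot: at the added `auth = "none"` line, the only thing keeping this ingress authenticated is the `extra_annotations` override that the new comment points to, and nothing in this hunk ties the two together. If that block is later removed or its `owntracks-basic-auth` reference is renamed, the factory would take `auth = "none"` literally and the location endpoint would be exposed without authentication and without any plan-time signal. Suggest saying so in the comment (that `auth` must be revisited whenever `owntracks-basic-auth` leaves `extra_annotations`), or having the module fail when `auth = "none"` is set and the caller supplies no auth middleware of its own. Since the comment describes the clients as using HTTP basic-auth, it is also worth recording here that the route has to stay TLS-only, because basic-auth credentials are only encoded, not encrypted.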