state(dbaas): update encrypted state

stacks/authentik/guest.tf

@@ -64,8 +64,7 @@ resource "authentik_group" "public_guests" {
 # don't propagate, since policy request.context is not the same dict as
 # flow_plan.context.
 resource "authentik_policy_expression" "set_guest_user" {
-  name              = "set-public-guest-user"
-  execution_logging = true
+  name = "set-public-guest-user"
   expression = trimspace(<<-EOT
     request.context["flow_plan"].context["pending_user"] = ak_user_by(username="guest")
     return True

stacks/echo/main.tf

@@ -101,8 +101,11 @@ resource "kubernetes_service" "echo" {
 }
 
 module "ingress" {
-  source          = "../../modules/kubernetes/ingress_factory"
-  auth            = "required"
+  source = "../../modules/kubernetes/ingress_factory"
+  # echo is a header-reflecting diagnostic — public so it's reachable for
+  # forward-auth smoke-testing. Anyone visiting echo.viktorbarzin.me sees
+  # exactly which X-authentik-* headers Traefik forwarded to backends.
+  auth            = "public"
   dns_type        = "proxied"
   namespace       = kubernetes_namespace.echo.metadata[0].name
   name            = "echo"

stacks/navidrome/main.tf

@@ -228,8 +228,11 @@ resource "kubernetes_service" "navidrome" {
   }
 }
 module "ingress" {
-  source          = "../../modules/kubernetes/ingress_factory"
-  auth            = "required"
+  source = "../../modules/kubernetes/ingress_factory"
+  # Subsonic API at /rest/* is consumed by mobile clients (DSub, Symfonium,
+  # play:sub) which can't follow Authentik forward-auth 302s. Navidrome's
+  # own user/password auth still gates everything.
+  auth            = "none"
   dns_type        = "proxied"
   namespace       = kubernetes_namespace.navidrome.metadata[0].name
   name            = "navidrome"

stacks/onlyoffice/main.tf

@@ -249,8 +249,14 @@ resource "kubernetes_service" "onlyoffice" {
   }
 }
 module "ingress" {
-  source          = "../../modules/kubernetes/ingress_factory"
-  auth            = "required"
+  source = "../../modules/kubernetes/ingress_factory"
+  # Iframe-loaded by Nextcloud with JWT-signed session tokens; OnlyOffice
+  # validates the JWT itself. Authentik forward-auth would 302 the iframe
+  # load if the browser doesn't already have an Authentik cookie, AND
+  # OnlyOffice's server-to-server callback URLs (Nextcloud → OnlyOffice
+  # for save events, etc.) run outside any browser session entirely.
+  # The JWT is the auth gate.
+  auth            = "none"
   dns_type        = "proxied"
   namespace       = kubernetes_namespace.onlyoffice.metadata[0].name
   name            = "onlyoffice"

stacks/paperless-ngx/main.tf

@@ -253,8 +253,11 @@ resource "kubernetes_service" "paperless-ngx" {
 }
 
 module "ingress" {
-  source          = "../../modules/kubernetes/ingress_factory"
-  auth            = "required"
+  source = "../../modules/kubernetes/ingress_factory"
+  # Paperless has a mobile app (`Paperless`) that uses /api/* with token
+  # auth. The app can't follow Authentik 302s. Paperless's own login
+  # gates the web UI.
+  auth            = "none"
   namespace       = kubernetes_namespace.paperless-ngx.metadata[0].name
   name            = "paperless-ngx"
   service_name    = "paperless-ngx"

stacks/resume/main.tf

@@ -353,8 +353,11 @@ resource "kubernetes_service" "resume" {
 }
 
 module "ingress" {
-  source          = "../../modules/kubernetes/ingress_factory"
-  auth            = "required"
+  source = "../../modules/kubernetes/ingress_factory"
+  # Public-facing resume page for HR/recruiters — they don't have Authentik
+  # accounts. `auth = "public"` auto-binds to guest, so the page renders
+  # invisibly while still being audited in Authentik's event log.
+  auth            = "public"
   dns_type        = "proxied"
   namespace       = kubernetes_namespace.resume.metadata[0].name
   name            = "resume"

stacks/tuya-bridge/main.tf

@@ -179,8 +179,11 @@ resource "kubernetes_service" "tuya-bridge" {
 }
 
 module "ingress" {
-  source          = "../../modules/kubernetes/ingress_factory"
-  auth            = "required"
+  source = "../../modules/kubernetes/ingress_factory"
+  # Smart-home automation HTTP API — Home Assistant and other automations
+  # call this with SERVICE_API_KEY in headers. Programmatic clients can't
+  # follow Authentik 302s.
+  auth            = "none"
   dns_type        = "proxied"
   namespace       = kubernetes_namespace.tuya-bridge.metadata[0].name
   name            = "tuya-bridge"