From 43d2107760791bf0f4b33fa353394ae9b083a241 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Fri, 12 Jun 2026 00:07:49 +0000
Subject: [PATCH] android-emulator: public Authentik-gated ingress for the noVNC screen
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Viktor wants the emulator screen reachable over the web: adds android-emulator.viktorbarzin.me (Cloudflare-proxied) behind Authentik forward-auth — same-origin WebSockets through forward-auth are proven by the terminal/ttyd stack. The LAN .lan view stays, and adb:5555 remains LAN-only since it is unauthenticated.
---
 stacks/android-emulator/main.tf | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/stacks/android-emulator/main.tf b/stacks/android-emulator/main.tf
index 8617a480..1b70b471 100644
--- a/stacks/android-emulator/main.tf
+++ b/stacks/android-emulator/main.tf
@@ -232,3 +232,18 @@ module "ingress-internal" {
 "gethomepage.dev/enabled" = "false"
 }
 }
+
+# Remote (off-LAN) screen access — Authentik-gated at the edge; WebSockets
+# work through forward-auth same-origin (proven by stacks/terminal's ttyd).
+# adb (5555) deliberately stays LAN-only: it is unauthenticated and must
+# never be exposed publicly.
+module "ingress-public" {
+ source = "../../modules/kubernetes/ingress_factory"
+ auth = "required"
+ dns_type = "proxied"
+ namespace = kubernetes_namespace.android-emulator.metadata[0].name
+ name = "android-emulator-public"
+ host = "android-emulator"
+ service_name = kubernetes_service.novnc.metadata[0].name
+ tls_secret_name = var.tls_secret_name
+}
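Review bot: `auth = "required"` in `module "ingress-public"` is the only control in front of an interactive noVNC session, and what it admits is decided inside `ingress_factory`, which this hunk does not show. If it means any account that can log in to Authentik, the emulator screen, and with it full input control of the device, is open to every such user; recording the intended audience next to the setting, e.g. `# auth = "required": limited to <Authentik group/policy, placeholder>`, and confirming that binding exists would make the gate reviewable. The comment's statement that adb (5555) stays LAN-only is an invariant nothing in this hunk enforces; it presumably holds because `kubernetes_service.novnc` exposes only the noVNC port, so a pointer such as `# adb is exposed only via <service/NetworkPolicy, placeholder>, never through this ingress` would keep it checkable when the service definition changes.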