android-emulator: public Authentik-gated ingress for the noVNC screen

Viktor wants the emulator screen reachable over the web: adds
android-emulator.viktorbarzin.me (Cloudflare-proxied) behind Authentik
forward-auth — same-origin WebSockets through forward-auth are proven by
the terminal/ttyd stack. The LAN .lan view stays, and adb:5555 remains
LAN-only since it is unauthenticated.

stacks/android-emulator/main.tf

@@ -232,3 +232,18 @@ module "ingress-internal" {
     "gethomepage.dev/enabled" = "false"
   }
 }
+
+# Remote (off-LAN) screen access — Authentik-gated at the edge; WebSockets
+# work through forward-auth same-origin (proven by stacks/terminal's ttyd).
+# adb (5555) deliberately stays LAN-only: it is unauthenticated and must
+# never be exposed publicly.
+module "ingress-public" {
+  source          = "../../modules/kubernetes/ingress_factory"
+  auth            = "required"
+  dns_type        = "proxied"
+  namespace       = kubernetes_namespace.android-emulator.metadata[0].name
+  name            = "android-emulator-public"
+  host            = "android-emulator"
+  service_name    = kubernetes_service.novnc.metadata[0].name
+  tls_secret_name = var.tls_secret_name
+}