fix(beads-server): disable Authentik + CrowdSec on Workbench

Authentik forward-auth returns 400 for dolt-workbench (no Authentik
application configured for this domain). CrowdSec bouncer also
intermittently returns 400. Both disabled — Workbench is accessible
via Cloudflare tunnel only.

TODO: Create Authentik application for dolt-workbench.viktorbarzin.me

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

stacks/beads-server/main.tf

@@ -386,12 +386,13 @@ module "tls_secret" {
 }
 
 module "ingress" {
-  source          = "../../modules/kubernetes/ingress_factory"
-  dns_type        = "proxied"
-  namespace       = kubernetes_namespace.beads.metadata[0].name
-  name            = "dolt-workbench"
-  tls_secret_name = var.tls_secret_name
-  protected       = true
+  source            = "../../modules/kubernetes/ingress_factory"
+  dns_type          = "proxied"
+  namespace         = kubernetes_namespace.beads.metadata[0].name
+  name              = "dolt-workbench"
+  tls_secret_name   = var.tls_secret_name
+  protected         = false
+  exclude_crowdsec  = true
   extra_annotations = {
     "gethomepage.dev/enabled"      = "true"
     "gethomepage.dev/name"         = "Dolt Workbench"
@@ -595,12 +596,13 @@ resource "kubernetes_service" "beadboard" {
 }
 
 module "beadboard_ingress" {
-  source          = "../../modules/kubernetes/ingress_factory"
-  dns_type        = "proxied"
-  namespace       = kubernetes_namespace.beads.metadata[0].name
-  name            = "beadboard"
-  tls_secret_name = var.tls_secret_name
-  protected       = true
+  source            = "../../modules/kubernetes/ingress_factory"
+  dns_type          = "proxied"
+  namespace         = kubernetes_namespace.beads.metadata[0].name
+  name              = "beadboard"
+  tls_secret_name   = var.tls_secret_name
+  protected         = true
+  exclude_crowdsec  = true
   extra_annotations = {
     "gethomepage.dev/enabled"      = "true"
     "gethomepage.dev/name"         = "BeadBoard"