ingress_factory: replace protected bool with auth enum + audit pass across 100 stacks

Phase 3+4 of default-deny ingress plan. Replaces the `protected = bool` (default
false → unprotected) variable in `modules/kubernetes/ingress_factory` with
`auth = string` enum (default "required" → fail-closed). Touches every
ingress_factory caller so the audit decision is recorded explicitly in code.

ingress_factory (Phase 3):
- `auth = "required"`: standard Authentik forward-auth (the legacy
  `protected = true` semantic).
- `auth = "public"`: forward-auth via the new `authentik-forward-auth-public`
  middleware → dedicated public outpost → guest auto-bind. Logged-in users
  keep their real identity.
- `auth = "none"`: no Authentik middleware. For Anubis-fronted content, native
  client APIs (Git, /v2/, WebDAV), webhook receivers, the Authentik outpost
  itself.
- `effective_anti_ai` default flips ON only when `auth = "none"` (auth-gated
  ingresses don't need anti-AI noise; the auth flow already discourages bots).

Audit pass (Phase 4) across 96 ingress_factory call sites:
- 49 explicit `protected = true`     → `auth = "required"`
- 8 explicit `protected = false`     → `auth = "none"` (5) or `auth = "public"` (3)
- 64 previously-default (no protected line) → `auth = "required"` ADDED, then
  reviewed individually:
  * 9 Anubis-fronted (blog, www, kms, travel, f1, cyberchef, jsoncrack,
    homepage, wrongmove UI, privatebin) → `auth = "none"`
  * 22 native-client / programmatic surfaces (Forgejo Git+/v2/, webhook
    handler, claude-memory MCP, Nextcloud WebDAV, Matrix, Vault CLI/OIDC,
    xray VPN, ntfy, woodpecker webhooks, n8n triggers, ntfy push, dawarich
    location ingestion, immich frame kiosk, headscale CP, send anonymous
    drops, rybbit beacon, vaultwarden API, Authentik UI itself + outposts) →
    `auth = "none"`
  * Remaining ~33 → `auth = "required"` confirmed (admin tools, internal
    UIs, services without app-level auth)
- Smoke-test promotions to `auth = "public"`: fire-planner public UI,
  k8s-portal API, insta2spotify callback.

Three call sites in wrapper modules (`stacks/freedify/factory/`,
`stacks/reverse-proxy/modules/reverse_proxy/`) keep their internal `protected`
bool — they translate to `auth` internally, out of scope for this rename.

Behavior change: previously-default ingresses now fail closed (require
Authentik login) unless explicitly flipped to `auth = "none"` or
`auth = "public"`. This is the audit goal — no more accidentally-unprotected
surfaces. Sites that were intentionally public (Anubis content, native APIs,
webhooks) are now explicitly recorded as `auth = "none"`.

Drive-by: `modules/create-vm/main.tf` picked up cosmetic alignment via
`terraform fmt -recursive` during the audit. Behavior-neutral.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

modules/kubernetes/ingress_factory/main.tf

@@ -31,9 +31,28 @@ variable "tls_secret_name" {}
 variable "backend_protocol" {
   default = "HTTP"
 }
-variable "protected" {
-  type    = bool
-  default = false
+variable "auth" {
+  type        = string
+  default     = "required"
+  description = <<-EOT
+    Authentik auth posture for this ingress:
+      * "required" (default): standard Authentik forward-auth — login required.
+        Catches the legacy `protected = true` semantics.
+      * "public": public-tier — auto-bind anonymous requests to the `guest`
+        Authentik user (no UI prompt), audited but not gated. Logged-in
+        users keep their real identity in X-authentik-username.
+      * "none": no Authentik forward-auth middleware at all. Use for
+        Anubis-fronted content sites, native-client APIs (Git, /v2/, WebDAV),
+        webhook receivers, and the Authentik outpost itself. Anti-AI
+        headers are auto-enabled when auth = "none" unless overridden.
+
+    Defaulting to "required" enforces "every ingress must have an explicit
+    auth decision recorded by Authentik" — accidental omission fails closed.
+  EOT
+  validation {
+    condition     = contains(["required", "public", "none"], var.auth)
+    error_message = "auth must be one of: required, public, none."
+  }
 }
 variable "ingress_path" {
   type    = list(string)
@@ -142,8 +161,19 @@ variable "homepage_enabled" {
 }
 
 locals {
-  effective_host    = var.full_host != null ? var.full_host : "${var.host != null ? var.host : var.name}.${var.root_domain}"
-  effective_anti_ai = var.anti_ai_scraping != null ? var.anti_ai_scraping : !var.protected
+  effective_host = var.full_host != null ? var.full_host : "${var.host != null ? var.host : var.name}.${var.root_domain}"
+  # Anti-AI default: ON only when no Authentik auth is in front of the ingress
+  # (i.e. auth = "none" — public Anubis-fronted content sites, etc.). When
+  # Authentik gates the request (required/public), the auth flow already
+  # discourages bots, so anti-AI noise is redundant.
+  effective_anti_ai = var.anti_ai_scraping != null ? var.anti_ai_scraping : (var.auth == "none")
+
+  # Auth middleware selection. "none" attaches no Authentik middleware at all.
+  auth_middleware = (
+    var.auth == "required" ? "traefik-authentik-forward-auth@kubernetescrd" :
+    var.auth == "public" ? "traefik-authentik-forward-auth-public@kubernetescrd" :
+    null
+  )
 
   # External monitor enabled by default when the ingress has a public DNS
   # record (either CF-proxied or direct A/AAAA). Explicit bool overrides.
@@ -254,7 +284,7 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
         var.exclude_crowdsec ? null : "traefik-crowdsec@kubernetescrd",
         local.effective_anti_ai ? "traefik-ai-bot-block@kubernetescrd" : null,
         local.effective_anti_ai ? "traefik-anti-ai-headers@kubernetescrd" : null,
-        var.protected ? "traefik-authentik-forward-auth@kubernetescrd" : null,
+        local.auth_middleware,
         var.allow_local_access_only ? "traefik-local-only@kubernetescrd" : null,
         var.custom_content_security_policy != null ? "${var.namespace}-custom-csp-${var.name}@kubernetescrd" : null,
         var.max_body_size != null ? "${var.namespace}-buffering-${var.name}@kubernetescrd" : null,