infra: document auth = "app|none" tier on every legacy ingress
Sweep through the 30+ stacks that predated the auth = "app" tier and were tagged auth = "none" without a comment explaining why they weren't behind Authentik. Each is now self-documenting at the call site, so the tg-level anti-exposure guard passes and future readers don't have to reverse-engineer the intent.

Flipped 6 stacks from "none" to "app" — their backends have their own user auth and the new tier records that more accurately:
- navidrome (Subsonic user/password)
- ntfy (deny-all default + user.db tokens)
- nextcloud (WebDAV/CalDAV/CardDAV app passwords)
- vaultwarden (Bitwarden-compatible token auth)
- headscale (OIDC + preauth keys for Tailscale nodes)
- paperless-ngx (app-layer login + API tokens)

Kept "none" with a comment on the rest — they're genuinely public, webhook receivers, native-protocol endpoints, OAuth callbacks, or Anubis-fronted: authentik (×2 + guest outpost), beads-server (dolt), claude-memory (bearer-token MCP), dawarich, ebooks/book-search-api, fire-planner /api, forgejo (git/OCI native clients), frigate (HA integration), immich/frame, insta2spotify /api, instagram-poster (meta fetcher), k8s-portal, matrix (native bearer), monitoring×2 (HA REST scrapes), n8n (webhooks), nvidia, onlyoffice (JWT), owntracks (HTTP Basic), postiz, privatebin (client-side enc), rybbit (analytics tracker), send (E2E file drop), tuya-bridge (API key), vault (own auth + CLI), webhook_handler, woodpecker (forgejo webhooks + OAuth), xray (×3 VPN transports).

real-estate-crawler/main.tf:400 already had its comment from a prior edit — not touched here.

No live state changes — auth = "app" produces the same middleware chain as auth = "none" (verified earlier this session). This commit is purely documentation + intent-tagging.
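A minimal guard of the kind the message describes, added here as an example and not the repo's own check (the real tg-level guard is not shown on this page): it scans a Terraform file for `auth = "none"` module arguments that lack a tagged `# auth = "none": ...` justification comment directly above them. The tag format, the walk-up-over-comments rule and the sample file are assumptions.

```python
"""Lint: every `auth = "none"` in an ingress module call must carry a
justification comment of the form `# auth = "none": <reason>` in the
comment block immediately above it. (Assumed tag format, not the repo's.)"""
import re
from typing import List, Tuple

# Matches the module argument line itself; trailing comments are not handled.
AUTH_RE = re.compile(r'^\s*auth\s*=\s*"(none|app)"\s*$')
# Matches the tagged justification comment, requiring a non-empty reason.
TAG_RE = re.compile(r'^\s*#\s*auth\s*=\s*"none"\s*:\s*\S')


def find_untagged_none(tf_text: str) -> List[Tuple[int, str]]:
    """Return (1-based line number, stripped line) for each auth = "none"
    whose contiguous comment block above has no tagged justification."""
    lines = tf_text.splitlines()
    findings: List[Tuple[int, str]] = []
    for i, line in enumerate(lines):
        m = AUTH_RE.match(line)
        if not m or m.group(1) != "none":
            continue  # auth = "app" needs no justification
        # Walk upward through the contiguous run of comment lines.
        j, tagged = i - 1, False
        while j >= 0 and lines[j].lstrip().startswith("#"):
            if TAG_RE.match(lines[j]):
                tagged = True
                break
            j -= 1
        if not tagged:
            findings.append((i + 1, line.strip()))
    return findings


# Constructed sample main.tf: one tagged "none", one "app", one "none" with
# only an untagged comment (that one should be flagged, line 13).
SAMPLE = """\
module "ingress" {
  source = "../../modules/kubernetes/ingress_factory"
  # auth = "none": Authentik UI cannot be gated by Authentik forward-auth.
  auth = "none"
}
module "navidrome" {
  source = "../../modules/kubernetes/ingress_factory"
  auth = "app"
}
module "webhook" {
  source = "../../modules/kubernetes/ingress_factory"
  # receives webhooks
  auth = "none"
}
"""

if __name__ == "__main__":
    for n, text in find_untagged_none(SAMPLE):
        print(f'line {n}: {text} lacks a "# auth = \\"none\\": ..." comment')
```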
This commit is contained in:
parent 20774f794d
commit f10784ddb6
35 changed files with 44 additions and 6 deletions
@ -73,6 +73,7 @@ module "ingress" {
source = "../../../../modules/kubernetes/ingress_factory"
# Authentik's own UI cannot be gated by Authentik forward-auth — that
# creates a chicken-and-egg loop (users can't reach the login page).
# auth = "none": Authentik UI cannot be gated by Authentik forward-auth (chicken-and-egg loop prevents login).
auth = "none"
dns_type = "proxied"
namespace = kubernetes_namespace.authentik.metadata[0].name
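Review bot: the added `# auth = "none": Authentik UI cannot be gated by Authentik forward-auth (chicken-and-egg loop prevents login).` line restates the two comment lines that already sit directly above it (`# Authentik's own UI cannot be gated by Authentik forward-auth` and `# creates a chicken-and-egg loop (users can't reach the login page).`), leaving three lines that say the same thing and can drift apart. If the guard keys on the `# auth = "none":` prefix, drop the older two so the tagged line is the single comment to keep in sync.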
@ -97,6 +98,7 @@ module "ingress-outpost" {
source = "../../../../modules/kubernetes/ingress_factory"
# Authentik forward-auth outpost callback path — protecting this with
# forward-auth would loop the outpost back onto itself.
# auth = "none": Authentik outpost callback path for forward-auth flow; protecting with forward-auth creates circular dependency.
auth = "none"
namespace = kubernetes_namespace.authentik.metadata[0].name
name = "authentik-outpost"
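Review bot: same duplication as in the `ingress` block: the new `# auth = "none": Authentik outpost callback path for forward-auth flow; protecting with forward-auth creates circular dependency.` line repeats the two existing comments above it (`# forward-auth would loop the outpost back onto itself.`), just with different wording for the same loop. Keep one form, preferably the tagged one, so a grep for `# auth = "none":` and a human reader both land on a single authoritative reason.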