monitoring: protect grafana ingress with authentik + disable anonymous

- add traefik-authentik-forward-auth to grafana ingress middleware list
- disable auth.anonymous (was Viewer-by-default for the public)
- enable auth.proxy with X-authentik-username so Authentik users get
  signed in seamlessly (no double-login UX)

Prometheus and Alertmanager already had forward-auth — no change.

stacks/monitoring/modules/monitoring/grafana_chart_values.yaml

@@ -32,7 +32,7 @@ ingress:
   enabled: "true"
   ingressClassName: "traefik"
   annotations:
-    traefik.ingress.kubernetes.io/router.middlewares: "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd"
+    traefik.ingress.kubernetes.io/router.middlewares: "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
     traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
     gethomepage.dev/enabled: "true"
     gethomepage.dev/name: "Grafana"
@@ -98,8 +98,18 @@ grafana.ini:
     password: $__env{GF_DATABASE_PASSWORD}
     ssl_mode: disable
   auth.anonymous:
+    enabled: false
+  auth.proxy:
     enabled: true
-    org_role: Viewer
+    header_name: X-authentik-username
+    header_property: username
+    auto_sign_up: true
+    sync_ttl: 60
+    whitelist: ""
+    enable_login_token: false
+  users:
+    auto_assign_org: true
+    auto_assign_org_role: Viewer
   # auth.google:
   #   enabled: true
   analytics: