feat(security): add comprehensive security policies and RBAC

- Add security-policies.tf:
  - Strong password policy (12 chars, HIBP check, zxcvbn scoring)
  - Password reuse prevention (last 5 passwords)
  - Brute force protection (reputation policy, 5 attempt threshold)
  - MFA stages: TOTP, WebAuthn/Passkeys, recovery codes
  - MFA validation stage with configurable enforcement
  - Admin-only and MFA-required expression policies

- Add rbac-groups.tf:
  - Media group (Sonarr, Radarr, etc.)
  - Infrastructure group (Grafana, ArgoCD, etc.)
  - Home Automation group (Home Assistant)
  - Group-based access policies

- Fix main.tf: Remove SOPS, use variables for token
- Fix versions.tf: Remove unused SOPS provider
- Update README with security documentation

rbac-groups.tf

@@ -0,0 +1,89 @@
+# =============================================================================
+# RBAC Groups and Application Permissions
+# Defines user groups and their application access
+# =============================================================================
+
+# -----------------------------------------------------------------------------
+# Core Groups (extend from main.tf)
+# -----------------------------------------------------------------------------
+
+# Media group - access to Sonarr, Radarr, Prowlarr, etc.
+resource "authentik_group" "media" {
+  name = "Media"
+  parent = authentik_group.users.id
+}
+
+# Infrastructure group - access to monitoring, CI/CD tools
+resource "authentik_group" "infrastructure" {
+  name = "Infrastructure"
+  parent = authentik_group.users.id
+}
+
+# Home Automation group - Home Assistant access
+resource "authentik_group" "home_automation" {
+  name = "Home Automation"
+  parent = authentik_group.users.id
+}
+
+# -----------------------------------------------------------------------------
+# Group-based Access Policies
+# Bind these to applications to restrict access
+# -----------------------------------------------------------------------------
+
+resource "authentik_policy_expression" "media_access" {
+  name       = "media-group-access"
+  expression = <<-EOT
+    return ak_is_group_member(request.user, name="Media") or ak_is_group_member(request.user, name="Admins")
+  EOT
+  execution_logging = true
+}
+
+resource "authentik_policy_expression" "infrastructure_access" {
+  name       = "infrastructure-group-access"
+  expression = <<-EOT
+    return ak_is_group_member(request.user, name="Infrastructure") or ak_is_group_member(request.user, name="Admins")
+  EOT
+  execution_logging = true
+}
+
+resource "authentik_policy_expression" "home_automation_access" {
+  name       = "home-automation-group-access"
+  expression = <<-EOT
+    return ak_is_group_member(request.user, name="Home Automation") or ak_is_group_member(request.user, name="Admins")
+  EOT
+  execution_logging = true
+}
+
+# -----------------------------------------------------------------------------
+# Example: Bind policy to an application
+# Uncomment and modify for your applications
+# -----------------------------------------------------------------------------
+# resource "authentik_policy_binding" "sonarr_media_access" {
+#   target = authentik_application.sonarr.uuid
+#   policy = authentik_policy_expression.media_access.id
+#   order  = 0
+# }
+#
+# resource "authentik_policy_binding" "grafana_infra_access" {
+#   target = authentik_application.grafana.uuid
+#   policy = authentik_policy_expression.infrastructure_access.id
+#   order  = 0
+# }
+
+# -----------------------------------------------------------------------------
+# Outputs
+# -----------------------------------------------------------------------------
+output "media_group_id" {
+  description = "ID of the Media group"
+  value       = authentik_group.media.id
+}
+
+output "infrastructure_group_id" {
+  description = "ID of the Infrastructure group"
+  value       = authentik_group.infrastructure.id
+}
+
+output "home_automation_group_id" {
+  description = "ID of the Home Automation group"
+  value       = authentik_group.home_automation.id
+}