sec: new Authelia password + enforce 2FA for all services

- Generate new unique password for Authelia (not shared with Gitea)
- Change access_control default_policy to two_factor
- Re-encrypt authelia-users secret with SOPS

clusters/lab/security/authelia.yaml

@@ -69,7 +69,7 @@ spec:
           enabled: true
           path: /config/db.sqlite3
       access_control:
-        default_policy: one_factor
+        default_policy: two_factor
       authentication_backend:
         file:
           enabled: true