feat: Use authelia on *arr stack

nixos/mirai/services/authelia.nix

@@ -55,7 +55,7 @@
           theme = "dark";
           notifier.filesystem.filename = "/var/lib/authelia-darksailor/authelia-notifier.log";
           server = {
-            address = "127.0.0.1:5555";
+            address = "0.0.0.0:5555";
             endpoints.authz = {
               forward-auth = {
                 implementation = "ForwardAuth";
@@ -80,9 +80,7 @@
     };
     caddy = {
       virtualHosts."auth.darksailor.dev".extraConfig = ''
-        reverse_proxy localhost:5555 {
-            trusted_proxies 100.87.221.59/32
-        }
+        reverse_proxy localhost:5555
       '';
     };
   };

nixos/mirai/services/tailscale.nix

@@ -4,4 +4,7 @@
     useRoutingFeatures = "server";
     extraUpFlags = "--advertise-exit-node";
   };
+  networking.firewall.trustedInterfaces = [
+    "tailscale0"
+  ];
 }

nixos/tsuba/services/servarr.nix

@@ -34,49 +34,39 @@
       enable = true;
       package = unstablePkgs.bazarr;
       group = "media";
-      # settings.AuthenticationMethod = "External";
     };
     caddy.virtualHosts = let
-      forwardAuth = "auth.darksailor.dev";
+      auth = ''
+        forward_auth mirai:5555 {
+           uri /api/authz/forward-auth
+           copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
+        }
+      '';
+      # auth = "";
     in {
       "sonarr.tsuba.darksailor.dev".extraConfig = ''
         import hetzner
-        forward_auth ${forwardAuth} {
-            uri /api/authz/forward-auth
-            copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
-        }
+        ${auth}
         reverse_proxy localhost:${builtins.toString config.services.sonarr.settings.server.port}
       '';
       "radarr.tsuba.darksailor.dev".extraConfig = ''
         import hetzner
-        forward_auth ${forwardAuth} {
-            uri /api/authz/forward-auth
-            copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
-        }
+        ${auth}
         reverse_proxy localhost:${builtins.toString config.services.radarr.settings.server.port}
       '';
       "lidarr.tsuba.darksailor.dev".extraConfig = ''
         import hetzner
-        forward_auth ${forwardAuth} {
-            uri /api/authz/forward-auth
-            copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
-        }
+        ${auth}
         reverse_proxy localhost:${builtins.toString config.services.lidarr.settings.server.port}
       '';
       "bazarr.tsuba.darksailor.dev".extraConfig = ''
         import hetzner
-        forward_auth ${forwardAuth} {
-            uri /api/authz/forward-auth
-            copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
-        }
+        ${auth}
         reverse_proxy localhost:${builtins.toString config.services.bazarr.listenPort}
       '';
       "prowlarr.tsuba.darksailor.dev".extraConfig = ''
         import hetzner
-        forward_auth ${forwardAuth} {
-            uri /api/authz/forward-auth
-            copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
-        }
+        ${auth}
         reverse_proxy mirai.darksailor.dev:9696
       '';
     };