feat: Try to auth *arr stack with authelia

2025-07-29 13:58:29 +05:30
parent a455c6954c
commit c8ae4ff37a
4 changed files with 33 additions and 11 deletions
--- a/nixos/mirai/services/authelia.nix
+++ b/nixos/mirai/services/authelia.nix
@@ -80,7 +80,9 @@
    };
    caddy = {
      virtualHosts."auth.darksailor.dev".extraConfig = ''
-        reverse_proxy localhost:5555
+        reverse_proxy localhost:5555 {
+            trusted_proxies static 100.87.221.59/32
+        }
      '';
    };
  };
--- a/nixos/mirai/services/caddy.nix
+++ b/nixos/mirai/services/caddy.nix
@@ -1,15 +1,7 @@
-{
-  pkgs,
-  lib,
-  ...
-}: {
+{...}: {
  services = {
    caddy = {
      enable = true;
-      # package = pkgs.caddy.withPlugins {
-      #   plugins = ["github.com/caddy-dns/hetzner@c1104f8d1e376a062bce86cd53025c2187a6be45"];
-      #   hash = "sha256-9ea0CfOHG7JhejB73HjfXQpnonn+ZRBqLNz1fFRkcDQ=";
-      # };
    };
  };
 }
--- a/nixos/mirai/services/prowlarr.nix
+++ b/nixos/mirai/services/prowlarr.nix
@@ -2,6 +2,12 @@
  services = {
    prowlarr = {
      enable = true;
+      settings = {
+        auth = {
+          authentication_enabled = true;
+          authentication_method = "External";
+        };
+      };
    };
  };
 }
--- a/nixos/tsuba/services/servarr.nix
+++ b/nixos/tsuba/services/servarr.nix
@@ -36,25 +36,47 @@
      group = "media";
      # settings.AuthenticationMethod = "External";
    };
-    caddy.virtualHosts = {
+    caddy.virtualHosts = let
+      forwardAuth = "auth.darksailor.dev";
+    in {
      "sonarr.tsuba.darksailor.dev".extraConfig = ''
        import hetzner
+        forward_auth ${forwardAuth} {
+            uri /api/authz/forward-auth
+            copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
+        }
        reverse_proxy localhost:${builtins.toString config.services.sonarr.settings.server.port}
      '';
      "radarr.tsuba.darksailor.dev".extraConfig = ''
        import hetzner
+        forward_auth ${forwardAuth} {
+            uri /api/authz/forward-auth
+            copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
+        }
        reverse_proxy localhost:${builtins.toString config.services.radarr.settings.server.port}
      '';
      "lidarr.tsuba.darksailor.dev".extraConfig = ''
        import hetzner
+        forward_auth ${forwardAuth} {
+            uri /api/authz/forward-auth
+            copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
+        }
        reverse_proxy localhost:${builtins.toString config.services.lidarr.settings.server.port}
      '';
      "bazarr.tsuba.darksailor.dev".extraConfig = ''
        import hetzner
+        forward_auth ${forwardAuth} {
+            uri /api/authz/forward-auth
+            copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
+        }
        reverse_proxy localhost:${builtins.toString config.services.bazarr.listenPort}
      '';
      "prowlarr.tsuba.darksailor.dev".extraConfig = ''
        import hetzner
+        forward_auth ${forwardAuth} {
+            uri /api/authz/forward-auth
+            copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
+        }
        reverse_proxy mirai.darksailor.dev:9696
      '';
    };