feat: Try to auth *arr stack with authelia

nixos/mirai/services/authelia.nix

@@ -80,7 +80,9 @@
     };
     caddy = {
       virtualHosts."auth.darksailor.dev".extraConfig = ''
-        reverse_proxy localhost:5555
+        reverse_proxy localhost:5555 {
+            trusted_proxies static 100.87.221.59/32
+        }
       '';
     };
   };

nixos/mirai/services/caddy.nix

@@ -1,15 +1,7 @@
-{
+{...}: {
-  pkgs,
-  lib,
-  ...
-}: {
   services = {
     caddy = {
       enable = true;
-      # package = pkgs.caddy.withPlugins {
-      #   plugins = ["github.com/caddy-dns/hetzner@c1104f8d1e376a062bce86cd53025c2187a6be45"];
-      #   hash = "sha256-9ea0CfOHG7JhejB73HjfXQpnonn+ZRBqLNz1fFRkcDQ=";
-      # };
     };
   };
 }

nixos/mirai/services/prowlarr.nix

@@ -2,6 +2,12 @@
   services = {
     prowlarr = {
       enable = true;
+      settings = {
+        auth = {
+          authentication_enabled = true;
+          authentication_method = "External";
+        };
+      };
     };
   };
 }

nixos/tsuba/services/servarr.nix

@@ -36,25 +36,47 @@
       group = "media";
       # settings.AuthenticationMethod = "External";
     };
-    caddy.virtualHosts = {
+    caddy.virtualHosts = let
+      forwardAuth = "auth.darksailor.dev";
+    in {
       "sonarr.tsuba.darksailor.dev".extraConfig = ''
         import hetzner
+        forward_auth ${forwardAuth} {
+            uri /api/authz/forward-auth
+            copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
+        }
         reverse_proxy localhost:${builtins.toString config.services.sonarr.settings.server.port}
       '';
       "radarr.tsuba.darksailor.dev".extraConfig = ''
         import hetzner
+        forward_auth ${forwardAuth} {
+            uri /api/authz/forward-auth
+            copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
+        }
         reverse_proxy localhost:${builtins.toString config.services.radarr.settings.server.port}
       '';
       "lidarr.tsuba.darksailor.dev".extraConfig = ''
         import hetzner
+        forward_auth ${forwardAuth} {
+            uri /api/authz/forward-auth
+            copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
+        }
         reverse_proxy localhost:${builtins.toString config.services.lidarr.settings.server.port}
       '';
       "bazarr.tsuba.darksailor.dev".extraConfig = ''
         import hetzner
+        forward_auth ${forwardAuth} {
+            uri /api/authz/forward-auth
+            copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
+        }
         reverse_proxy localhost:${builtins.toString config.services.bazarr.listenPort}
       '';
       "prowlarr.tsuba.darksailor.dev".extraConfig = ''
         import hetzner
+        forward_auth ${forwardAuth} {
+            uri /api/authz/forward-auth
+            copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
+        }
         reverse_proxy mirai.darksailor.dev:9696
       '';
     };