diff --git a/nixos/tako/services/default.nix b/nixos/tako/services/default.nix
index d933aba8..0954e07e 100644
--- a/nixos/tako/services/default.nix
+++ b/nixos/tako/services/default.nix
@@ -5,6 +5,7 @@
     # ./llama.nix
     # ./monitoring.nix
     # ./paperless.nix
+    ./navidrome.nix
     ./shitpost.nix
     ./atuin.nix
     ./authelia.nix
diff --git a/nixos/tako/services/navidrome.nix b/nixos/tako/services/navidrome.nix
index 394bf372..9447ccd3 100644
--- a/nixos/tako/services/navidrome.nix
+++ b/nixos/tako/services/navidrome.nix
@@ -5,14 +5,37 @@
       settings = {
         MusicFolder = "/media/music";
         ReverseProxyUserHeader = "Remote-User";
-        ReverseProxyWhitelist = "127.0.0.1/32";
+        ReverseProxyWhitelist = "@";
+        Address = "/var/run/navidrome/navidrome.sock";
       };
     };
     caddy = {
       virtualHosts."music.darksailor.dev".extraConfig = ''
         import auth
-        reverse_proxy localhost:4533
+        # reverse_proxy localhost:4533
+        reverse_proxy unix//var/run/navidrome/navidrome.sock
       '';
     };
+    authelia = {
+      instances.darksailor = {
+        settings = {
+          access_control = {
+            rules = [
+              {
+                domain = "music.darksailor.dev";
+                policy = "bypass";
+                resources = [
+                  "^/(rest|share)([/?].*)?$"
+                ];
+              }
+              {
+                domain = "music.darksailor.dev";
+                policy = "one_factor";
+              }
+            ];
+          };
+        };
+      };
+    };
   };
 }