From 7fe28374b82d360e8621f7200d12c5f0aa958c4a Mon Sep 17 00:00:00 2001
From: Rouven Seifert <rouven@rfive.de>
Date: Wed, 14 May 2025 01:03:40 +0200
Subject: [PATCH] add authentication to all services

---
 hosts/nuc/modules/adguard/default.nix   | 10 ++++++++++
 hosts/nuc/modules/indexing/prowlarr.nix | 10 ++++++++++
 hosts/nuc/modules/indexing/radarr.nix   | 10 ++++++++++
 hosts/nuc/modules/indexing/sonarr.nix   |  3 +--
 hosts/nuc/modules/torrent/default.nix   | 11 +++++++++++
 5 files changed, 42 insertions(+), 2 deletions(-)

diff --git a/hosts/nuc/modules/adguard/default.nix b/hosts/nuc/modules/adguard/default.nix
index 193e99d..0319561 100644
--- a/hosts/nuc/modules/adguard/default.nix
+++ b/hosts/nuc/modules/adguard/default.nix
@@ -14,6 +14,16 @@ in
     };
   };
   services.caddy.virtualHosts."${domain}".extraConfig = ''
+    # for some reason this only works with http and not with https so we send every request through our wireguard tunnel
+    reverse_proxy /outpost.goauthentik.io/* http://nuc.vpn.rfive.de:9000 
+
+    # forward authentication to authentik
+    forward_auth http://nuc.vpn.rfive.de:9000 {
+      uri /outpost.goauthentik.io/auth/caddy
+
+      # capitalization of the headers is important, otherwise they will be empty
+      copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
+    }
     reverse_proxy 127.0.0.1:${toString port}
   '';
 }
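Review bot: The same eleven-line Caddy snippet, including the hard-coded outpost address `http://nuc.vpn.rfive.de:9000`, is pasted into this file and repeated verbatim in the prowlarr (L43–L52), radarr (L64–L73) and torrent (L99–L108) hunks, which is why the sonarr file had already drifted (its `@NoAccess` matcher) before this commit. Factoring the snippet into one shared Nix value (for example a `let authentikForwardAuth = ''…'';` string in a common module that each `extraConfig` interpolates with `''${authentikForwardAuth}`) would keep the outpost URL and the header list in one place, so a future change such as an exemption matcher or a trimmed `copy_headers` list is applied to every host at once. The `reverse_proxy /outpost.goauthentik.io/* …` line also carries a trailing space in all four copies. For this host specifically, if AdGuard Home's DNS-over-HTTPS endpoint is served through the same virtual host, it is now behind `forward_auth` as well; a comment stating whether that is intended would help the next reader.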
diff --git a/hosts/nuc/modules/indexing/prowlarr.nix b/hosts/nuc/modules/indexing/prowlarr.nix
index 4c66610..de10446 100644
--- a/hosts/nuc/modules/indexing/prowlarr.nix
+++ b/hosts/nuc/modules/indexing/prowlarr.nix
@@ -7,6 +7,16 @@ in
     enable = true;
   };
   services.caddy.virtualHosts."${domain}".extraConfig = ''
+    # for some reason this only works with http and not with https so we send every request through our wireguard tunnel
+    reverse_proxy /outpost.goauthentik.io/* http://nuc.vpn.rfive.de:9000 
+
+    # forward authentication to authentik
+    forward_auth http://nuc.vpn.rfive.de:9000 {
+      uri /outpost.goauthentik.io/auth/caddy
+
+      # capitalization of the headers is important, otherwise they will be empty
+      copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
+    }
     reverse_proxy 127.0.0.1:${toString config.services.prowlarr.settings.server.port}
   '';
 }
diff --git a/hosts/nuc/modules/indexing/radarr.nix b/hosts/nuc/modules/indexing/radarr.nix
index f334ce4..2b9375b 100644
--- a/hosts/nuc/modules/indexing/radarr.nix
+++ b/hosts/nuc/modules/indexing/radarr.nix
@@ -7,6 +7,16 @@ in
     enable = true;
   };
   services.caddy.virtualHosts."${domain}".extraConfig = ''
+    # for some reason this only works with http and not with https so we send every request through our wireguard tunnel
+    reverse_proxy /outpost.goauthentik.io/* http://nuc.vpn.rfive.de:9000 
+
+    # forward authentication to authentik
+    forward_auth http://nuc.vpn.rfive.de:9000 {
+      uri /outpost.goauthentik.io/auth/caddy
+
+      # capitalization of the headers is important, otherwise they will be empty
+      copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
+    }
     reverse_proxy 127.0.0.1:${toString config.services.radarr.settings.server.port}
   '';
 }
diff --git a/hosts/nuc/modules/indexing/sonarr.nix b/hosts/nuc/modules/indexing/sonarr.nix
index 6c3f404..635e267 100644
--- a/hosts/nuc/modules/indexing/sonarr.nix
+++ b/hosts/nuc/modules/indexing/sonarr.nix
@@ -11,8 +11,7 @@ in
     reverse_proxy /outpost.goauthentik.io/* http://nuc.vpn.rfive.de:9000 
 
     # forward authentication to authentik
-    @NoAccess not path /api*
-    forward_auth @NoAccess http://nuc.vpn.rfive.de:9000 {
+    forward_auth http://nuc.vpn.rfive.de:9000 {
       uri /outpost.goauthentik.io/auth/caddy
 
       # capitalization of the headers is important, otherwise they will be empty
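Review bot: Removing `@NoAccess not path /api*` means Sonarr's API-key-authenticated endpoints now require an authentik session, so any client that reaches Sonarr through `${domain}` rather than `127.0.0.1` (other *arr services, indexer sync, mobile apps) will be redirected to the login flow instead of being accepted; the new `forward_auth` blocks for prowlarr and radarr in this commit likewise carry no API exemption. If that is the intended policy, documenting it above the directive, e.g. `# /api is deliberately behind forward_auth; internal callers must use the local port, not the public domain`, would stop the matcher from being re-added ad hoc later. The `forward_auth` block continues past the end of this hunk.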
diff --git a/hosts/nuc/modules/torrent/default.nix b/hosts/nuc/modules/torrent/default.nix
index 38db1f9..739a11e 100644
--- a/hosts/nuc/modules/torrent/default.nix
+++ b/hosts/nuc/modules/torrent/default.nix
@@ -126,6 +126,17 @@ in
     };
   };
   services.caddy.virtualHosts."${domain}".extraConfig = ''
+    # for some reason this only works with http and not with https so we send every request through our wireguard tunnel
+    reverse_proxy /outpost.goauthentik.io/* http://nuc.vpn.rfive.de:9000 
+
+    # forward authentication to authentik
+    forward_auth http://nuc.vpn.rfive.de:9000 {
+      uri /outpost.goauthentik.io/auth/caddy
+
+      # capitalization of the headers is important, otherwise they will be empty
+      copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
+    }
+
     reverse_proxy 127.0.0.1:${toString cfg.port}
   '';
   systemd.tmpfiles.rules = [