diff --git a/flake.lock b/flake.lock
index f386e80..1a2a533 100644
--- a/flake.lock
+++ b/flake.lock
@@ -299,11 +299,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1747021744,
-        "narHash": "sha256-IDsM/9/tHQBlhG3tXI2fTM84AUN1uRa7JDPT1LMlGes=",
+        "lastModified": 1747184352,
+        "narHash": "sha256-GBZulv50wztp5cgc405t1uOkxQYhSkMqeKLI+iSrlpk=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "fb061f555f821fe4fb49f8f6f2a0cc3d5728bd52",
+        "rev": "7c1cefb98369cc85440642fdccc1c1394ca6dd2c",
         "type": "github"
       },
       "original": {
diff --git a/hosts/falkenstein/modules/dns/default.nix b/hosts/falkenstein/modules/dns/default.nix
index 81c0f2a..dfebb89 100644
--- a/hosts/falkenstein/modules/dns/default.nix
+++ b/hosts/falkenstein/modules/dns/default.nix
@@ -42,14 +42,6 @@ let
 
 
     subdomains =
-      let
-        # generate ACME challenge recorsd for every VirtualHost
-        genACMECNAMEs = hostname: lib.attrsets.genAttrs (getVirtualHosts hostname) (_label: {
-          subdomains._acme-challenge.CNAME = [ "challenge.acme.${domain}." ];
-        });
-        # fuckery to merge the generated attribute lists
-        mergeRecords = recordList: lib.attrsets.mapAttrs (_host: records: lib.attrsets.mergeAttrsList records) (lib.attrsets.zipAttrs recordList);
-      in
       lib.attrsets.mergeAttrsList [
         rec {
           nuc = {
@@ -68,7 +60,7 @@ let
           _domainkey.subdomains.rspamd.TXT = [ "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDoirUMubro4nlmY6a8JMwK9QB2agAXiJzexDU/7ba6KCggONfoSTfUHlrM/XeM1GG/9oKpngApxDPP97adJuxc8/EELyo4HjTyYD8GBFZhg0AN7V8IPaJ1o5k6dGDk8ZLh41ZCnlAVWkhVSKs5pYtzkrlJIfUSzyuoe8nuFsVe3QIDAQAB" ];
         }
         (builtins.removeAttrs (genCNAMEs "nuc") ([ ":2018" ] ++ (builtins.filter (host: lib.strings.hasInfix "vpn" host) (getVirtualHosts "nuc"))))
-        (builtins.removeAttrs (genCNAMEs "falkenstein") ([ ":2018" "mail" ]))
+        (builtins.removeAttrs (genCNAMEs "falkenstein") ([ ":2018" "mail" "rfive.de" ] ++ (builtins.filter (host: lib.strings.hasInfix "vpn" host) (getVirtualHosts "nuc"))))
         # (mergeRecords [
         #   (builtins.removeAttrs (genCNAMEs "nuc") ([ ":2018" ] ++ (builtins.filter (host: lib.strings.hasInfix "vpn" host) (getVirtualHosts "nuc"))))
         #   (builtins.removeAttrs (genACMECNAMEs "nuc") ([ ":2018" ]))
diff --git a/hosts/falkenstein/modules/mail/rspamd.nix b/hosts/falkenstein/modules/mail/rspamd.nix
index 87223e5..fc52c0f 100644
--- a/hosts/falkenstein/modules/mail/rspamd.nix
+++ b/hosts/falkenstein/modules/mail/rspamd.nix
@@ -107,7 +107,7 @@
         enable = true;
       };
     };
-    caddy.virtualHosts."rspamd.${config.networking.domain}".extraConfig = ''
+    caddy.virtualHosts."rspamd.vpn.${config.networking.domain}".extraConfig = ''
 
       # for some reason this only works with http and not with https so we send every request through our wireguard tunnel
       reverse_proxy /outpost.goauthentik.io/* http://nuc.vpn.rfive.de:9000 
diff --git a/hosts/nuc/modules/adguard/default.nix b/hosts/nuc/modules/adguard/default.nix
index 193e99d..0319561 100644
--- a/hosts/nuc/modules/adguard/default.nix
+++ b/hosts/nuc/modules/adguard/default.nix
@@ -14,6 +14,16 @@ in
     };
   };
   services.caddy.virtualHosts."${domain}".extraConfig = ''
+    # for some reason this only works with http and not with https so we send every request through our wireguard tunnel
+    reverse_proxy /outpost.goauthentik.io/* http://nuc.vpn.rfive.de:9000 
+
+    # forward authentication to authentik
+    forward_auth http://nuc.vpn.rfive.de:9000 {
+      uri /outpost.goauthentik.io/auth/caddy
+
+      # capitalization of the headers is important, otherwise they will be empty
+      copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
+    }
     reverse_proxy 127.0.0.1:${toString port}
   '';
 }
diff --git a/hosts/nuc/modules/indexing/prowlarr.nix b/hosts/nuc/modules/indexing/prowlarr.nix
index 4c66610..de10446 100644
--- a/hosts/nuc/modules/indexing/prowlarr.nix
+++ b/hosts/nuc/modules/indexing/prowlarr.nix
@@ -7,6 +7,16 @@ in
     enable = true;
   };
   services.caddy.virtualHosts."${domain}".extraConfig = ''
+    # for some reason this only works with http and not with https so we send every request through our wireguard tunnel
+    reverse_proxy /outpost.goauthentik.io/* http://nuc.vpn.rfive.de:9000 
+
+    # forward authentication to authentik
+    forward_auth http://nuc.vpn.rfive.de:9000 {
+      uri /outpost.goauthentik.io/auth/caddy
+
+      # capitalization of the headers is important, otherwise they will be empty
+      copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
+    }
     reverse_proxy 127.0.0.1:${toString config.services.prowlarr.settings.server.port}
   '';
 }
diff --git a/hosts/nuc/modules/indexing/radarr.nix b/hosts/nuc/modules/indexing/radarr.nix
index f334ce4..2b9375b 100644
--- a/hosts/nuc/modules/indexing/radarr.nix
+++ b/hosts/nuc/modules/indexing/radarr.nix
@@ -7,6 +7,16 @@ in
     enable = true;
   };
   services.caddy.virtualHosts."${domain}".extraConfig = ''
+    # for some reason this only works with http and not with https so we send every request through our wireguard tunnel
+    reverse_proxy /outpost.goauthentik.io/* http://nuc.vpn.rfive.de:9000 
+
+    # forward authentication to authentik
+    forward_auth http://nuc.vpn.rfive.de:9000 {
+      uri /outpost.goauthentik.io/auth/caddy
+
+      # capitalization of the headers is important, otherwise they will be empty
+      copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
+    }
     reverse_proxy 127.0.0.1:${toString config.services.radarr.settings.server.port}
   '';
 }
diff --git a/hosts/nuc/modules/indexing/sonarr.nix b/hosts/nuc/modules/indexing/sonarr.nix
index 6c3f404..635e267 100644
--- a/hosts/nuc/modules/indexing/sonarr.nix
+++ b/hosts/nuc/modules/indexing/sonarr.nix
@@ -11,8 +11,7 @@ in
     reverse_proxy /outpost.goauthentik.io/* http://nuc.vpn.rfive.de:9000 
 
     # forward authentication to authentik
-    @NoAccess not path /api*
-    forward_auth @NoAccess http://nuc.vpn.rfive.de:9000 {
+    forward_auth http://nuc.vpn.rfive.de:9000 {
       uri /outpost.goauthentik.io/auth/caddy
 
       # capitalization of the headers is important, otherwise they will be empty
diff --git a/hosts/nuc/modules/torrent/default.nix b/hosts/nuc/modules/torrent/default.nix
index 38db1f9..739a11e 100644
--- a/hosts/nuc/modules/torrent/default.nix
+++ b/hosts/nuc/modules/torrent/default.nix
@@ -126,6 +126,17 @@ in
     };
   };
   services.caddy.virtualHosts."${domain}".extraConfig = ''
+    # for some reason this only works with http and not with https so we send every request through our wireguard tunnel
+    reverse_proxy /outpost.goauthentik.io/* http://nuc.vpn.rfive.de:9000 
+
+    # forward authentication to authentik
+    forward_auth http://nuc.vpn.rfive.de:9000 {
+      uri /outpost.goauthentik.io/auth/caddy
+
+      # capitalization of the headers is important, otherwise they will be empty
+      copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
+    }
+
     reverse_proxy 127.0.0.1:${toString cfg.port}
   '';
   systemd.tmpfiles.rules = [