From fbe7ea31794fd87672cd7aae6a2318806bceb670 Mon Sep 17 00:00:00 2001
From: Rouven Seifert
Date: Tue, 13 May 2025 17:36:21 +0200
Subject: [PATCH 1/2] enable auth for sonarr
---
 hosts/nuc/modules/indexing/sonarr.nix | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/hosts/nuc/modules/indexing/sonarr.nix b/hosts/nuc/modules/indexing/sonarr.nix
index ebc3e5d..6c3f404 100644
--- a/hosts/nuc/modules/indexing/sonarr.nix
+++ b/hosts/nuc/modules/indexing/sonarr.nix
@@ -7,6 +7,17 @@ in
 enable = true;
 };
 services.caddy.virtualHosts."${domain}".extraConfig = ''
+ # for some reason this only works with http and not with https so we send every request through our wireguard tunnel
+ reverse_proxy /outpost.goauthentik.io/* http://nuc.vpn.rfive.de:9000
+
+ # forward authentication to authentik
+ @NoAccess not path /api*
+ forward_auth @NoAccess http://nuc.vpn.rfive.de:9000 {
+ uri /outpost.goauthentik.io/auth/caddy
+
+ # capitalization of the headers is important, otherwise they will be empty
+ copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
+ }
 reverse_proxy 127.0.0.1:${toString config.services.sonarr.settings.server.port}
 '';
 }
From 8492679843ccff6b6aa77754b59af7a4f68f34da Mon Sep 17 00:00:00 2001
From: Rouven Seifert
Date: Wed, 14 May 2025 01:14:28 +0200
Subject: [PATCH 2/2] allow service access from podman network
---
 hosts/nuc/modules/networks/default.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/hosts/nuc/modules/networks/default.nix b/hosts/nuc/modules/networks/default.nix
index 8985361..a34a0f3 100644
--- a/hosts/nuc/modules/networks/default.nix
+++ b/hosts/nuc/modules/networks/default.nix
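Review bot: In hosts/nuc/modules/indexing/sonarr.nix, the matcher `@NoAccess not path /api*` exempts every path that begins with `/api` from forward_auth, so those requests reach Sonarr without an authentik check and depend on Sonarr's own API-key enforcement alone. The trailing wildcard also matches sibling paths that merely share the prefix; `@NoAccess not path /api /api/*` would keep the exemption to the API tree, and a comment such as `# /api is exempt from authentik; Sonarr's API key is the only control here` would record the decision. On the exempt paths any X-Authentik-* headers are whatever the client sent, which matters only if something behind the proxy reads them (not visible here). The matcher name also reads inverted, since it selects the requests that do get authenticated.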
@@ -15,6 +15,7 @@
 enableIPv6 = true;
 nftables.enable = true;
 firewall = {
+ trustedInterfaces = [ "podman0" ];
 extraInputRules = ''
 ip saddr 192.168.0.0/16 tcp dport 19531 accept comment "Allow journald gateway access from local networks"
 '';
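Review bot: `trustedInterfaces = [ "podman0" ];` accepts all inbound traffic from that bridge, so every container attached to it can reach every port listening on the host, which is wider than the "service access" the commit subject describes. A per-interface allow list keeps the exposure to the ports the containers actually need, e.g. `interfaces."podman0".allowedTCPPorts = [ <PORT> ];` (`<PORT>` is a placeholder; the required port is not shown on the page). If the broad trust is intended, a comment naming the containers that rely on it would help the next reader. The `firewall` block closes outside the hunk.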