nginx: strip cookies on qBit proxy so localhost-bypass always wins

qBittorrent's auth logic is "no SID cookie → bypass for localhost; SID
cookie present → validate it." If the browser has a stale SID from an
earlier session, qBit fails validation and returns 401 even though the
connection is from 127.0.0.1 and bypass is enabled.

Strip both directions: drop the client's Cookie header on the way in so
qBit never sees an SID, and hide Set-Cookie on the way back so the
browser never accumulates one in the first place.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

services/nginx.nix

@@ -96,7 +96,14 @@ in
         "sonarr.nordhammer.it"   = protectedProxy 8989;
         "radarr.nordhammer.it"   = protectedProxy 7878;
         "prowlarr.nordhammer.it" = protectedProxy 9696;
-        "torrent.nordhammer.it"  = protectedProxy 8080;
+        # qBit trips its own session auth on any SID cookie the browser
+        # has cached; strip cookies so localhost-bypass always wins.
+        "torrent.nordhammer.it"  = lib.recursiveUpdate (protectedProxy 8080) {
+          locations."/".extraConfig = autheliaAuthConfig + ''
+            proxy_set_header Cookie "";
+            proxy_hide_header Set-Cookie;
+          '';
+        };
         "camera.nordhammer.it"   = protectedProxy 1984;
         "homepage.nordhammer.it" = protectedProxy 8082;
         "7dtd.nordhammer.it"     = protectedProxy 8090;