Fix Authelia forward-auth to match proven working NPM config

- Use /api/verify endpoint instead of /api/authz/forward-auth
- Add proxy_pass_request_body off to auth location
- Put redirect URL inline in error_page instead of using a variable
- Use X-Forwarded-Uri (matching old config) instead of X-Forwarded-URI

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

services/nginx.nix

@@ -3,28 +3,26 @@
 let
   # Authelia forward-auth snippet injected into protected locations
   autheliaAuthConfig = ''
-    set $target_url $scheme://$http_host$request_uri;
+    auth_request /authelia;
-    auth_request /internal/authelia/authz;
     auth_request_set $user $upstream_http_remote_user;
-    auth_request_set $groups $upstream_http_remote_groups;
+    auth_request_set $email $upstream_http_remote_email;
-    error_page 401 =302 https://auth.nordhammer.it/?rd=$target_url;
+    error_page 401 =302 https://auth.nordhammer.it/?rd=$scheme://$http_host$request_uri;
   '';
 
   # Internal location that queries Authelia's verification endpoint
   autheliaLocation = {
-    "/internal/authelia/authz" = {
+    "/authelia" = {
-      proxyPass = "http://127.0.0.1:9091/api/authz/forward-auth";
+      proxyPass = "http://127.0.0.1:9091/api/verify";
       extraConfig = ''
         internal;
-        proxy_set_header X-Original-Method $request_method;
+        proxy_pass_request_body off;
+        proxy_set_header Content-Length "";
         proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
         proxy_set_header X-Forwarded-Method $request_method;
         proxy_set_header X-Forwarded-Proto $scheme;
         proxy_set_header X-Forwarded-Host $http_host;
-        proxy_set_header X-Forwarded-URI $request_uri;
+        proxy_set_header X-Forwarded-Uri $request_uri;
         proxy_set_header X-Forwarded-For $remote_addr;
-        proxy_set_header Content-Length "";
-        proxy_set_header Connection "";
       '';
     };
   };