arr-interconnect: enforce Prowlarr local-auth bypass

Sonarr/Radarr/Bazarr default to DisabledForLocalAddresses so that requests
coming via the nginx reverse proxy (from 127.0.0.1) skip the app's own
login, leaving Authelia as the single gate. Prowlarr defaults to Enabled,
which produces a 401 behind Authelia.

Idempotent: only rewrites config.xml + restarts prowlarr when it finds
the "Enabled" value; logs a no-op otherwise. Added pkgs.systemd to PATH
so the restart call works.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

services/arr-interconnect.nix

@@ -2,7 +2,7 @@
 let
   interconnectScript = pkgs.writeShellScript "arr-interconnect" ''
     set -euo pipefail
-    PATH="${lib.makeBinPath [ pkgs.curl pkgs.jq pkgs.gnused pkgs.gnugrep pkgs.gawk pkgs.coreutils ]}:$PATH"
+    PATH="${lib.makeBinPath [ pkgs.curl pkgs.jq pkgs.gnused pkgs.gnugrep pkgs.gawk pkgs.coreutils pkgs.systemd ]}:$PATH"
 
     BASE="http://127.0.0.1"
 
@@ -303,6 +303,21 @@ let
       done
     fi
 
+    ##########################################################################
+    # Prowlarr auth — trust localhost so Authelia is the only gate. Other
+    # *arr apps default to this; Prowlarr does not.
+    ##########################################################################
+    PROWLARR_CONFIG=/var/lib/prowlarr/config.xml
+    if [ -f "$PROWLARR_CONFIG" ]; then
+      if grep -q "<AuthenticationRequired>Enabled</AuthenticationRequired>" "$PROWLARR_CONFIG"; then
+        echo "Prowlarr auth: switching to DisabledForLocalAddresses..."
+        sed -i 's|<AuthenticationRequired>Enabled</AuthenticationRequired>|<AuthenticationRequired>DisabledForLocalAddresses</AuthenticationRequired>|' "$PROWLARR_CONFIG"
+        systemctl restart prowlarr
+      else
+        echo "Prowlarr auth: already DisabledForLocalAddresses"
+      fi
+    fi
+
     echo "Interconnect setup complete."
   '';
 in