From bcaecc244d8e81da67576648b4ca5a2fe24c0103 Mon Sep 17 00:00:00 2001
From: ediblerope
Date: Fri, 24 Apr 2026 11:21:28 +0100
Subject: [PATCH] Put Servarr + qBit + games + search behind Authelia
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Only Jellyfin and the Authelia portal itself stay unprotected externally (Jellyfin because it's streamed to remote clients; Authelia because it is the login gate). Everything else (sonarr, radarr, bazarr, prowlarr, torrent/qBittorrent, games, search) now goes through Authelia forward auth. Internal integrations (Homepage widgets, Prowlarr → Sonarr/Radarr, Bazarr → Sonarr/Radarr, transcode-hevc qBit queries) use 127.0.0.1:PORT directly, so they are unaffected.
Co-Authored-By: Claude Opus 4.7
---
 services/authelia.nix | 7 +++++++
 services/nginx.nix | 26 ++++++++++----------------
 2 files changed, 17 insertions(+), 16 deletions(-)
diff --git a/services/authelia.nix b/services/authelia.nix
index 6d3095c..a7d3fd1 100644
--- a/services/authelia.nix
+++ b/services/authelia.nix
@@ -74,6 +74,13 @@ in
 { domain = "homepage.nordhammer.it"; policy = "one_factor"; }
 { domain = "7dtd.nordhammer.it"; policy = "one_factor"; }
 { domain = "adguard.nordhammer.it"; policy = "one_factor"; }
+ { domain = "sonarr.nordhammer.it"; policy = "one_factor"; }
+ { domain = "radarr.nordhammer.it"; policy = "one_factor"; }
+ { domain = "bazarr.nordhammer.it"; policy = "one_factor"; }
+ { domain = "prowlarr.nordhammer.it"; policy = "one_factor"; }
+ { domain = "torrent.nordhammer.it"; policy = "one_factor"; }
+ { domain = "games.nordhammer.it"; policy = "one_factor"; }
+ { domain = "search.nordhammer.it"; policy = "one_factor"; }
 ];
 };
diff --git a/services/nginx.nix b/services/nginx.nix
index 572ccb1..6ac3136 100644
--- a/services/nginx.nix
+++ b/services/nginx.nix
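Review bot: In services/authelia.nix all seven new rules use `one_factor`, including the torrent, sonarr, radarr and prowlarr hosts, whose web UIs carry administrative settings such as download paths, script hooks and indexer credentials. For those hosts I would require a second factor, e.g. `{ domain = "torrent.nordhammer.it"; policy = "two_factor"; }`, and leave `one_factor` only where the impact of a guessed password is low. The rule list's default policy and Authelia's login-regulation settings are outside this hunk, so confirm that unmatched domains fall through to `deny` and that repeated failed logins are throttled.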
@@ -87,24 +87,18 @@ in
 '';
 virtualHosts = {
- # --- Authelia portal (not behind auth itself) ---
- "auth.nordhammer.it" = proxy 9091;
-
- # --- Media ---
- "jellyfin.nordhammer.it" = proxy 8096;
- "bazarr.nordhammer.it" = proxy 6767;
- "sonarr.nordhammer.it" = proxy 8989;
- "radarr.nordhammer.it" = proxy 7878;
-
- # --- Downloads ---
- "prowlarr.nordhammer.it" = proxy 9696;
- "torrent.nordhammer.it" = proxy 8080;
-
- # --- Other ---
- "games.nordhammer.it" = proxy 8787;
- "search.nordhammer.it" = proxy 8087;
+ # --- Unprotected (own auth, or by design) ---
+ "auth.nordhammer.it" = proxy 9091; # Authelia portal itself
+ "jellyfin.nordhammer.it" = proxy 8096; # streaming to external clients
 # --- Protected by Authelia ---
+ "bazarr.nordhammer.it" = protectedProxy 6767;
+ "sonarr.nordhammer.it" = protectedProxy 8989;
+ "radarr.nordhammer.it" = protectedProxy 7878;
+ "prowlarr.nordhammer.it" = protectedProxy 9696;
+ "torrent.nordhammer.it" = protectedProxy 8080;
+ "games.nordhammer.it" = protectedProxy 8787;
+ "search.nordhammer.it" = protectedProxy 8087;
 "camera.nordhammer.it" = protectedProxy 1984;
 "homepage.nordhammer.it" = protectedProxy 8082;
 "7dtd.nordhammer.it" = protectedProxy 8090;
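Review bot: Forward auth on these seven vhosts protects only traffic that passes through nginx; nothing in the hunk shows that the backends on 6767, 8989, 7878, 9696, 8080, 8787 and 8087 listen on loopback only or that the firewall keeps those ports closed. The commit message states the services remain reachable at 127.0.0.1:PORT without Authelia, and nginx presumably connects from that same address, so any app whose built-in login is set to skip local clients would treat every proxied request as local. I would keep each app's own authentication enabled and record the assumption above the group, e.g. `# Backends must bind to 127.0.0.1 and keep their own login on; Authelia is enforced only at nginx.` The definition of `protectedProxy` and the rest of `virtualHosts` lie outside this hunk, so its coverage of all locations on each host could not be checked here.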