Put Servarr + qBit + games + search behind Authelia

Only Jellyfin and the Authelia portal itself stay unprotected externally
(Jellyfin because it's streamed to remote clients; Authelia because it
is the login gate). Everything else (sonarr, radarr, bazarr, prowlarr,
torrent/qBittorrent, games, search) now goes through Authelia forward auth.

Internal integrations (Homepage widgets, Prowlarr → Sonarr/Radarr,
Bazarr → Sonarr/Radarr, transcode-hevc qBit queries) use 127.0.0.1:PORT
directly, so they are unaffected.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

services/authelia.nix

@@ -74,6 +74,13 @@ in
             { domain = "homepage.nordhammer.it"; policy = "one_factor"; }
             { domain = "7dtd.nordhammer.it";     policy = "one_factor"; }
             { domain = "adguard.nordhammer.it";  policy = "one_factor"; }
+            { domain = "sonarr.nordhammer.it";   policy = "one_factor"; }
+            { domain = "radarr.nordhammer.it";   policy = "one_factor"; }
+            { domain = "bazarr.nordhammer.it";   policy = "one_factor"; }
+            { domain = "prowlarr.nordhammer.it"; policy = "one_factor"; }
+            { domain = "torrent.nordhammer.it";  policy = "one_factor"; }
+            { domain = "games.nordhammer.it";    policy = "one_factor"; }
+            { domain = "search.nordhammer.it";   policy = "one_factor"; }
           ];
         };
 

services/nginx.nix

@@ -87,24 +87,18 @@ in
       '';
 
       virtualHosts = {
-        # --- Authelia portal (not behind auth itself) ---
-        "auth.nordhammer.it" = proxy 9091;
-
-        # --- Media ---
-        "jellyfin.nordhammer.it" = proxy 8096;
-        "bazarr.nordhammer.it"  = proxy 6767;
-        "sonarr.nordhammer.it"  = proxy 8989;
-        "radarr.nordhammer.it"  = proxy 7878;
-
-        # --- Downloads ---
-        "prowlarr.nordhammer.it" = proxy 9696;
-        "torrent.nordhammer.it"  = proxy 8080;
-
-        # --- Other ---
-        "games.nordhammer.it"  = proxy 8787;
-        "search.nordhammer.it" = proxy 8087;
+        # --- Unprotected (own auth, or by design) ---
+        "auth.nordhammer.it"     = proxy 9091;  # Authelia portal itself
+        "jellyfin.nordhammer.it" = proxy 8096;  # streaming to external clients
 
         # --- Protected by Authelia ---
+        "bazarr.nordhammer.it"   = protectedProxy 6767;
+        "sonarr.nordhammer.it"   = protectedProxy 8989;
+        "radarr.nordhammer.it"   = protectedProxy 7878;
+        "prowlarr.nordhammer.it" = protectedProxy 9696;
+        "torrent.nordhammer.it"  = protectedProxy 8080;
+        "games.nordhammer.it"    = protectedProxy 8787;
+        "search.nordhammer.it"   = protectedProxy 8087;
         "camera.nordhammer.it"   = protectedProxy 1984;
         "homepage.nordhammer.it" = protectedProxy 8082;
         "7dtd.nordhammer.it"     = protectedProxy 8090;