use header only authelia snippet

hosts/sin/jellyfin.nix

@@ -82,6 +82,9 @@ in
       enable = true;
       openFirewall = true;
       group = "starr";
+      settings = {
+        authentication.AuthenticationMethod = "external";
+      };
     };
     radarr = {
       enable = true;

hosts/thea/authelia.nix

@@ -106,7 +106,9 @@ in
         locations."/" = {
           proxyPass = upstream;
           extraConfig = ''
+            error_log /var/log/nginx/debug_authelia.log debug;
             include ${authelia-snippets.proxy};
+            set $upstream ${upstream};
           '';
         };
         locations."/api/verify" = {

hosts/thea/configuration.nix

@@ -20,7 +20,7 @@ in
     ./ollama.nix
     ./minecraft.nix
     ./secrets
-    ./authelia.nix
+    # ./authelia.nix
   ];
 
   # Use the systemd-boot EFI boot loader.

hosts/thea/lib/autheliaSnippets.nix

@@ -1,7 +1,17 @@
 { pkgs }:
 {
   proxy = pkgs.writeText "proxy.conf" ''
-    set $upstream_authelia http://thea:9091/api/authz/auth-request;
+    ## Headers
+    proxy_set_header Host $host;
+    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Forwarded-Host $http_host;
+    proxy_set_header X-Forwarded-URI $request_uri;
+    proxy_set_header X-Forwarded-Ssl on;
+    proxy_set_header X-Forwarded-For $remote_addr;
+  '';
+  authelia-location = pkgs.writeText "authelia-location.conf" ''
+    set $upstream_authelia http://192.168.1.12:9091/api/authz/auth-request;
 
     ## Virtual endpoint created by nginx to forward auth requests.
     location /internal/authelia/authz {
@@ -34,7 +44,7 @@
         proxy_connect_timeout 240;
     }
   '';
-  authelia-location = pkgs.writeText "authelia-location.conf" ''
+  authelia-authrequest = pkgs.writeText "authelia-authrequest.conf" ''
     ## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource.
     auth_request /internal/authelia/authz;
 
@@ -68,40 +78,4 @@
     ## URL parameter set to $target_url. This requires users update 'auth.shobu.fr/' with their external authelia URL.
     # error_page 401 =302 https://auth.shobu.fr/?rd=$target_url;
   '';
-  authelia-authrequest = pkgs.writeText "authelia-authrequest.conf" ''
-    ## Headers
-    proxy_set_header Host $host;
-    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
-    proxy_set_header X-Forwarded-Proto $scheme;
-    proxy_set_header X-Forwarded-Host $http_host;
-    proxy_set_header X-Forwarded-URI $request_uri;
-    proxy_set_header X-Forwarded-Ssl on;
-    proxy_set_header X-Forwarded-For $remote_addr;
-    proxy_set_header X-Real-IP $remote_addr;
-
-    ## Basic Proxy Configuration
-    client_body_buffer_size 128k;
-    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; ## Timeout if the real server is dead.
-    proxy_redirect  http://  $scheme://;
-    proxy_http_version 1.1;
-    proxy_cache_bypass $cookie_session;
-    proxy_no_cache $cookie_session;
-    proxy_buffers 64 256k;
-
-    ## Trusted Proxies Configuration
-    ## Please read the following documentation before configuring this:
-    ##     https://www.authelia.com/integration/proxies/nginx/#trusted-proxies
-    # set_real_ip_from 10.0.0.0/8;
-    # set_real_ip_from 172.16.0.0/12;
-    # set_real_ip_from 192.168.0.0/16;
-    # set_real_ip_from fc00::/7;
-    real_ip_header X-Forwarded-For;
-    real_ip_recursive on;
-
-    ## Advanced Proxy Configuration
-    send_timeout 5m;
-    proxy_read_timeout 360;
-    proxy_send_timeout 360;
-    proxy_connect_timeout 360;
-  '';
 }

hosts/thea/nginx.nix

@@ -1,8 +1,9 @@
-{ inputs, ... }:
+{ inputs, pkgs, ... }:
 let
   # striped-front = inputs.striped-front;
 
   sin-address = "192.168.1.14";
+  authelia-snippets = pkgs.callPackage ./lib/autheliaSnippets.nix { inherit pkgs; };
 in
 {
 
@@ -37,16 +38,44 @@ in
       in
       (
         mkStarr "jellyfin.shobu.fr" "8096"
-        // mkStarr "radarr.shobu.fr" "7878"
+        # // mkStarr "radarr.shobu.fr" "7878"
         // mkStarr "sonarr.shobu.fr" "8989"
         // mkStarr "prowlarr.shobu.fr" "9696"
         // mkStarr "bazarr.shobu.fr" "6767"
-        // mkStarr "jellyseerr.shobu.fr" "5055"
         // mkStarr "lidarr.shobu.fr" "8686"
         // mkStarr "whisparr.shobu.fr" "6969"
+        // mkStarr "jellyseerr.shobu.fr" "5055"
         // mkStarr "transmission.shobu.fr" "9091"
         // mkStarr "zimablade-admin.shobu.fr" "61208"
         // {
+          "radarr.shobu.fr" = {
+            enableACME = true;
+            forceSSL = true;
+
+            extraConfig = ''
+              include ${authelia-snippets.authelia-location};
+              error_log /var/log/nginx/debug_radarr.log debug;
+            '';
+
+            locations."/" = {
+              proxyPass = "http://${sin-address}:7878";
+              proxyWebsockets = true;
+              extraConfig = ''
+                include ${authelia-snippets.proxy};
+                include ${authelia-snippets.authelia-authrequest};
+                proxy_ssl_server_name on;
+              '';
+            };
+
+            locations."/api" = {
+              proxyPass = "http://${sin-address}:7878";
+              proxyWebsockets = true;
+              extraConfig = ''
+                proxy_ssl_server_name on;
+              '';
+            };
+
+          };
           "shobu.fr" = {
             enableACME = true;
             forceSSL = true;