From d35a9cf6725ebec321c0aade3bf21ecbd9d1d033 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Kucharczyk?=
Date: Fri, 12 Jun 2026 11:51:36 +0200
Subject: [PATCH] navidrome: auth workaround
---
 docker-compose.yml | 48 ++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 40 insertions(+), 8 deletions(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index 91209b0..9ec1c9a 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -62,6 +62,31 @@ configs:
 root * /data/caddy/pki/authorities/local/
 file_server browse
 }
+ music.home.arpa {
+ @ui_redirect {
+ not path /api/* /share/* /rest/*
+ }
+
+ # 1. API Auth: Use the new replace_status directive
+ forward_auth /api/* authentik-server:9000 {
+ uri /outpost.goauthentik.io/auth/caddy
+ copy_headers X-Authentik-Username
+
+ # Define a matcher for the 302 redirect from Authentik
+ @redir status 302
+ # Use the new Caddy 2.8 directive to swap it for a 401
+ replace_status @redir 401
+ }
+
+ # 2. Main UI Auth: Standard 302 redirects for human login
+ forward_auth @ui_redirect authentik-server:9000 {
+ uri /outpost.goauthentik.io/auth/caddy
+ copy_headers X-Authentik-Username
+ }
+
+ reverse_proxy navidrome:4533
+ }
+
 dnsmasq:
 content: |
 log-facility=-
@@ -355,7 +380,7 @@ services:
 restart: unless-stopped
 
 navidrome:
- image: deluan/navidrome:0.61.2
+ image: ghcr.io/navidrome/navidrome:pr-5459
 container_name: navidrome
 user: "${PUID}:${PGID}"
 volumes:
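Review bot: In the new `music.home.arpa` block, `/share/*` and `/rest/*` match neither `forward_auth`, so a request to those paths reaches `navidrome:4533` carrying whatever `X-Authentik-Username` header the client sent. If Navidrome is configured to trust that header for external authentication (its environment is only partly visible in this patch), the username on those paths is caller-controlled. Strip the header where Authentik is not consulted: `@noauth path /share/* /rest/*` followed by `request_header @noauth -X-Authentik-Username`. A one-line comment above `@ui_redirect` stating that these two paths rely on Navidrome's own authentication would also make the exemption deliberate rather than implicit.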
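Review bot: The `image:` line of the `navidrome` service moves from a pinned release to `ghcr.io/navidrome/navidrome:pr-5459`, a tag that appears to track a pull-request build and can be re-pushed, so the container sitting behind the new auth rules is no longer reproducible or release-reviewed. Pin the build that was actually tested by digest, `image: ghcr.io/navidrome/navidrome:pr-5459@sha256:<digest-of-tested-build>`, and add `# TODO: return to a tagged release once the PR is merged` above it. The service definition continues outside the hunk.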
@@ -364,13 +389,20 @@ services:
 networks:
 public:
 ipv4_address: 192.168.240.14
- labels:
- caddy: music.${DOMAIN_LOCAL}
- caddy.reverse_proxy: "{{ upstreams 4533 }}"
- caddy.@protected.not.path: "/share/* /rest/*"
- caddy.forward_auth_0: "@protected authentik-server:9000"
- caddy.forward_auth_0.uri: "/outpost.goauthentik.io/auth/caddy"
- caddy.forward_auth_0.copy_headers: "X-Authentik-Username"
+ # labels:
+ # caddy: music.${DOMAIN_LOCAL}
+ # caddy.reverse_proxy: "{{ upstreams 4533 }}"
+ # caddy.@protected.not.path: "/share/* /rest/*"
+ # caddy.@authredir.path: "/api/*"
+ # caddy.@authredir.path: "/api/*"
+ # caddy.forward_auth_0: "@protected authentik-server:9000"
+ # caddy.forward_auth_0.uri: "/outpost.goauthentik.io/auth/caddy"
+ # caddy.forward_auth_0.copy_headers: "X-Authentik-Username"
+ # caddy.intercept: "/api/*"
+ # caddy.@api_expiry.path: "/api/*"
+ # caddy.@api_expiry.status: "3xx"
+ # caddy.forward_auth_0.handle_response_0: "path /api/*"
+ # caddy.forward_auth_0.handle_response_1: "replace_status 401"
 environment:
 ND_LASTFM_APIKEY: 29e22ee836a0cb51cfaacb72d605e30d
 ND_LASTFM_SECRET: 10aa58294eeffa142685e78a0cd78ad6
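Review bot: The fourteen commented-out label lines under `navidrome` are dead configuration: they include a duplicated `caddy.@authredir.path` key and what look like abandoned attempts (`caddy.intercept`, `handle_response_*`), and a reader can no longer tell at a glance where this service's access control is defined. Delete them and leave one pointer, `# routing and forward_auth for this service are defined in the music.home.arpa block of the Caddyfile config`; the old labels remain in history. Separately, the unchanged `ND_LASTFM_APIKEY` and `ND_LASTFM_SECRET` context lines hold literal values in the committed file; this commit does not introduce them, but they would be better as `${...}` references in the style of `PUID`/`PGID`.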