proxy auth for unsecured apps

proxy/Caddyfile

@@ -6,6 +6,15 @@
 	}
 }
 
+(proxy-auth) {
+	reverse_proxy /outpost.goauthentik.io/* http://authentik-server:9000
+	forward_auth http://authentik-server:9000 {
+		uri /outpost.goauthentik.io/auth/caddy
+		copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Entitlements X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
+		trusted_proxies private_ranges
+	}
+}
+
 *.{$DOMAIN} {
 	tls {
 		dns netcup {
@@ -21,7 +30,10 @@
 
 	@whoami host whoami.{$DOMAIN}
 	handle @whoami {
-		reverse_proxy whoami:80
+		route {
+			import proxy-auth
+			reverse_proxy whoami:80
+		}
 	}
 
 	@dashboard host dashboard.{$DOMAIN}
@@ -37,7 +49,10 @@
 
 	@zigbee2mqtt host zigbee2mqtt.{$DOMAIN}
 	handle @zigbee2mqtt {
-		reverse_proxy zigbee2mqtt:8080
+		route {
+			import proxy-auth
+			reverse_proxy zigbee2mqtt:8080
+		}
 	}
 
 	@jellyfin host jellyfin.{$DOMAIN}
@@ -62,7 +77,10 @@
 
 	@torrent host torrent.{$DOMAIN}
 	handle @torrent {
-		reverse_proxy transmission:9091
+		route {
+			import proxy-auth
+			reverse_proxy transmission:9091
+		}
 	}
 
 	@auth host auth.{$DOMAIN}

torrent/docker-compose.yaml

@@ -4,8 +4,6 @@ services:
     image: lscr.io/linuxserver/transmission:${TRANSMISSION_VERSION}
     environment:
       - TZ=Etc/UTC
-      - USER=${USERNAME}
-      - PASS=${PASSWORD}
     volumes:
       - ${VOLUMES_PATH}/torrent/transmission:/config
       - ${DOWNLOAD_PATH}:/downloads