From 2ab2cd1399bc3c42bc9451c89e485e5a16f914cb Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 6 Jul 2024 22:50:10 +1000 Subject: [PATCH] feat: deploy ldap-auth to all *arrs - refactor sonarr locations to generalised locations - set locations to be deep merged - updated hiera_include statements for media and media subroles - added eyaml entries for all ldap credentials --- hieradata/common.yaml | 4 ++ hieradata/roles/apps/media.yaml | 79 +++++++++++++++++++++++ hieradata/roles/apps/media/jellyfin.yaml | 1 - hieradata/roles/apps/media/lidarr.eyaml | 1 + hieradata/roles/apps/media/lidarr.yaml | 10 ++- hieradata/roles/apps/media/prowlarr.eyaml | 1 + hieradata/roles/apps/media/prowlarr.yaml | 10 ++- hieradata/roles/apps/media/radarr.eyaml | 1 + hieradata/roles/apps/media/radarr.yaml | 10 ++- hieradata/roles/apps/media/readarr.eyaml | 1 + hieradata/roles/apps/media/readarr.yaml | 10 ++- hieradata/roles/apps/media/sonarr.yaml | 76 ---------------------- 12 files changed, 115 insertions(+), 89 deletions(-) diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 4a05016..17e2ae0 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -129,6 +129,10 @@ lookup_options: profiles::ceph::client::keyrings: merge: strategy: deep + profiles::nginx::simpleproxy::locations: + merge: + strategy: deep + facts_path: '/opt/puppetlabs/facter/facts.d' diff --git a/hieradata/roles/apps/media.yaml b/hieradata/roles/apps/media.yaml index 25bc31a..bfebf08 100644 --- a/hieradata/roles/apps/media.yaml +++ b/hieradata/roles/apps/media.yaml @@ -1,4 +1,7 @@ --- +hiera_include: + - profiles::nginx::simpleproxy + profiles::yum::global::repos: ceph-reef: name: ceph-reef 
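Review bot: With `strategy: deep` every subrole under media inherits all four entries of `profiles::nginx::simpleproxy::locations` from media.yaml and can override or add keys but never drop one, because no `knockout_prefix` is configured. If a subrole ever needs to opt out of a location (the jellyfin role, for instance, is not given `profiles::nginx::ldapauth` in this patch), add `knockout_prefix: '--'` under `merge:` so that a `--authproxy` entry in the subrole removes it. Whether roles/apps/media.yaml actually sits above roles/apps/media/*.yaml is inferred from the paths; the hiera.yaml hierarchy is not part of the patch.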
@@ -18,3 +21,79 @@ profiles::base::groups::local: gid: 20000 allowdupe: false forcelocal: true + +ldap_host: 'ldap.service.consul' +ldap_basedn: 'dc=main,dc=unkin,dc=net' + +profiles::nginx::simpleproxy::locations: + # authentication proxy + authproxy: + ensure: 'present' + server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}" + ssl_only: true + internal: true + location: '= /auth-proxy' + proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:8888" + proxy_set_header: + - 'Content-Length ""' + - "X-Ldap-URL ldap://%{lookup('ldap_host')}" + - 'X-Ldap-Starttls "false"' + - "X-Ldap-BaseDN %{lookup('ldap_basedn')}" + - "X-Ldap-BindDN %{lookup('ldap_binddn')}" + - "X-Ldap-BindPass %{lookup('ldap_bindpass')}" + - 'X-CookieName "nginxauth"' + - 'Cookie nginxauth=$cookie_nginxauth' + - "X-Ldap-Template %{lookup('ldap_template')}" + - 'X-Ldap-Realm "Restricted"' + proxy_cache: 'cache' + proxy_cache_valid: '200 10m' + proxy_cache_key: '"$http_authorization$cookie_nginxauth"' + location_cfg_append: + proxy_pass_request_body: 'off' + # health checks by consul + arrstack_web_consul: + ensure: 'present' + server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}" + ssl_only: true + location: '/consul/health' + proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}" + proxy_set_header: + - 'Host $host' + - 'X-Forwarded-For $proxy_add_x_forwarded_for' + - 'X-Forwarded-Host $host' + - 'X-Forwarded-Proto $scheme' + - 'Upgrade $http_upgrade' + - 'Connection $http_connection' + proxy_redirect: 'off' + proxy_http_version: '1.1' + location_allow: + - 127.0.0.1 + - "%{facts.networking.ip}" + location_deny: + - all + # authorised access from external + arrstack_web_external: + ensure: 'present' + server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}" + ssl_only: true + location: '/' + auth_request: '/auth-proxy' + proxy: 
"http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}" + proxy_set_header: + - 'Host $host' + - 'X-Forwarded-For $proxy_add_x_forwarded_for' + - 'X-Forwarded-Host $host' + - 'X-Forwarded-Proto $scheme' + - 'Upgrade $http_upgrade' + - 'Connection $http_connection' + proxy_redirect: 'off' + proxy_http_version: '1.1' + # location for api, which should be accessible without authentication + arrstack_api: + ensure: 'present' + server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}" + ssl_only: true + location: '~ /api' + proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}" + location_cfg_append: + client_max_body_size: '20m' diff --git a/hieradata/roles/apps/media/jellyfin.yaml b/hieradata/roles/apps/media/jellyfin.yaml index 8a761bd..01bd9b6 100644 --- a/hieradata/roles/apps/media/jellyfin.yaml +++ b/hieradata/roles/apps/media/jellyfin.yaml @@ -1,7 +1,6 @@ --- hiera_include: - jellyfin - - profiles::nginx::simpleproxy # manage jellyfin jellyfin::params::service_enable: true diff --git a/hieradata/roles/apps/media/lidarr.eyaml b/hieradata/roles/apps/media/lidarr.eyaml index f42cfb5..19b5bee 100644 --- a/hieradata/roles/apps/media/lidarr.eyaml +++ b/hieradata/roles/apps/media/lidarr.eyaml 
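Review bot: The `authproxy` headers combine `X-Ldap-URL ldap://%{lookup('ldap_host')}` with `X-Ldap-Starttls "false"`, so — assuming the daemon on :8888 is the nginx-ldap-auth reference helper that the header names suggest — both the service bind password and each user's Basic-auth password are sent to `ldap.service.consul` in clear text on every uncached auth subrequest. If the directory supports it, switch to `- 'X-Ldap-Starttls "true"'` or an `ldaps://` URL; the bind password currently only stays on-host because `proxy_host` is 127.0.0.1 in the subrole files. Separately, `location: '~ /api'` is an unanchored regex, so any URI containing `/api` is exempted from `auth_request`; `location: '~ ^/api'` limits the exemption to the API prefix. The `8888` in the authproxy `proxy:` value is the only port in this map not taken from a lookup, and the moved `client_max_body_size` went from `'10m'` (old sonarr_api) to `'20m'` without the commit message mentioning it.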
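Review bot: Removing `profiles::nginx::simpleproxy` from jellyfin's `hiera_include` does not detach jellyfin from the proxy, because media.yaml now includes that profile for the whole media role and, with the deep merge added in common.yaml, also hands jellyfin the `profiles::nginx::simpleproxy::locations` map whose `/` location carries `auth_request: '/auth-proxy'`. Jellyfin neither includes `profiles::nginx::ldapauth` nor defines `ldap_binddn`, `ldap_template` or `ldap_bindpass`, so if the hierarchy matches the file paths its web UI would now depend on an auth helper that is not deployed there and on lookups that resolve to nothing. Either give jellyfin the same ldapauth include and credentials as the *arr roles, or keep the auth-bearing locations in the *arr role files instead of media.yaml. The rest of jellyfin.yaml is outside the hunk, so an override there cannot be ruled out.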
@@ -1,2 +1,3 @@ --- lidarr::api_key: ENC[PKCS7,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] +ldap_bindpass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAEDEyk6fBBnrjZvfK8MnUVOTWxhFGtgY34/2CuIq55MoVLsk2ZgVrL7Kt+94bqFhwEB67kuNpMGXqTgW5ose2yWs5iVSJLECsf9C+tvGBGwaV35LNwP5S3aQmFagyTpZZz9QlGKC7818jlXz7vZWDtiUhy5TGMHeyS0fdjCveavtZR28A+ZrvWjJeLdN47mmvYwYfFnQBs3kSgkl5KyMVhFWSFOSLeHsuEzCVXHoQ1jQG+2TV5m18wV0RR/sOju2E+vsulqlDgCyifgoiry4GzJeKNrNDI2bifzHCAi6yZqHL/klyqbGTnKLlA4xKoXsHF+xEwcoq4S9JDLAdWeH1SDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCdvh4yn8knozcYhinybRq3gDAwTKv8VakQG7XK/mcEplwtoiKqLnj9IIGdIUh1zPi2Sg48ET5rfZyl0p7ddIYoHjU=] diff --git a/hieradata/roles/apps/media/lidarr.yaml b/hieradata/roles/apps/media/lidarr.yaml index b2f60b7..03d3ff4 100644 --- a/hieradata/roles/apps/media/lidarr.yaml +++ b/hieradata/roles/apps/media/lidarr.yaml @@ -1,7 +1,7 @@ --- hiera_include: - lidarr - - profiles::nginx::simpleproxy + - profiles::nginx::ldapauth # manage lidarr lidarr::params::user: lidarr @@ -27,9 +27,13 @@ profiles::nginx::simpleproxy::nginx_aliases: profiles::nginx::simpleproxy::proxy_port: 8000 profiles::nginx::simpleproxy::proxy_host: 127.0.0.1 profiles::nginx::simpleproxy::proxy_path: '/' +profiles::nginx::simpleproxy::use_default_location: false +nginx::client_max_body_size: 20M + +ldap_binddn: 'cn=svc_lidarr,ou=services,ou=users,dc=main,dc=unkin,dc=net' +ldap_template: '(memberOf=ou=lidarr_access,ou=groups,dc=main,dc=unkin,dc=net)' # configure consul service -nginx::client_max_body_size: 10M consul::services: lidarr: service_name: 'lidarr' @@ -41,7 +45,7 @@ consul::services: checks: - id: 'lidarr_http_check' name: 'Lidarr HTTP Check' - http: "https://%{facts.networking.fqdn}:443" + http: "https://%{facts.networking.fqdn}:443/consul/health" method: 'GET' tls_skip_verify: true interval: '10s' 
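Review bot: `ldap_binddn` and `ldap_template` carry no comment saying that they are read only through `%{lookup()}` from the `authproxy` location defined in roles/apps/media.yaml (together with `ldap_bindpass` in lidarr.eyaml); a reader of this file alone cannot tell what consumes them. Suggest a header above them such as `# LDAP bind identity and group filter consumed by the authproxy location in roles/apps/media.yaml`, and the same for the matching prowlarr, radarr and readarr hunks. Moving `nginx::client_max_body_size` out from under the `# configure consul service` comment is an improvement; note it also raises the limit from 10M to 20M, which the commit message does not mention.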
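Review bot: The check now targets `/consul/health`, which the `arrstack_web_consul` location in media.yaml forwards unchanged to Lidarr on the proxy port (its `proxy:` value has no URI part), so the check's result is whatever Lidarr returns for an unknown path; confirm that is a 2xx rather than a 404, or have that location proxy to an endpoint the app actually serves for health (e.g. `/ping`, if this version exposes it). That location also allows only `127.0.0.1` and `%{facts.networking.ip}`, so the check succeeds only when `%{facts.networking.fqdn}` resolves such that the agent's connection originates from one of those two addresses. The same applies to the prowlarr, radarr and readarr check hunks.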
diff --git a/hieradata/roles/apps/media/prowlarr.eyaml b/hieradata/roles/apps/media/prowlarr.eyaml index 05b8389..2b908f1 100644 --- a/hieradata/roles/apps/media/prowlarr.eyaml +++ b/hieradata/roles/apps/media/prowlarr.eyaml @@ -1,2 +1,3 @@ --- prowlarr::api_key: ENC[PKCS7,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] +ldap_bindpass: ENC[PKCS7,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] diff --git a/hieradata/roles/apps/media/prowlarr.yaml b/hieradata/roles/apps/media/prowlarr.yaml index 8279455..b4a2fc8 100644 --- a/hieradata/roles/apps/media/prowlarr.yaml +++ b/hieradata/roles/apps/media/prowlarr.yaml @@ -1,7 +1,7 @@ --- hiera_include: - prowlarr - - profiles::nginx::simpleproxy + - profiles::nginx::ldapauth # manage prowlarr prowlarr::params::user: prowlarr @@ -27,9 +27,13 @@ profiles::nginx::simpleproxy::nginx_aliases: profiles::nginx::simpleproxy::proxy_port: 8000 profiles::nginx::simpleproxy::proxy_host: 127.0.0.1 profiles::nginx::simpleproxy::proxy_path: '/' +profiles::nginx::simpleproxy::use_default_location: false +nginx::client_max_body_size: 20M + +ldap_binddn: 'cn=svc_prowlarr,ou=services,ou=users,dc=main,dc=unkin,dc=net' +ldap_template: '(memberOf=ou=prowlarr_access,ou=groups,dc=main,dc=unkin,dc=net)' # configure consul service -nginx::client_max_body_size: 10M consul::services: prowlarr: service_name: 'prowlarr' @@ -41,7 +45,7 @@ consul::services: checks: - id: 'prowlarr_http_check' name: 'Prowlarr HTTP Check' - http: "https://%{facts.networking.fqdn}:443" + http: "https://%{facts.networking.fqdn}:443/consul/health" method: 'GET' tls_skip_verify: true interval: '10s' diff --git a/hieradata/roles/apps/media/radarr.eyaml b/hieradata/roles/apps/media/radarr.eyaml index 15e57af..07fe5ac 100644 --- a/hieradata/roles/apps/media/radarr.eyaml +++ b/hieradata/roles/apps/media/radarr.eyaml 
@@ -1,2 +1,3 @@ --- radarr::api_key: ENC[PKCS7,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] +ldap_bindpass: ENC[PKCS7,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] diff --git a/hieradata/roles/apps/media/radarr.yaml b/hieradata/roles/apps/media/radarr.yaml index bdb949d..1c18b4e 100644 --- a/hieradata/roles/apps/media/radarr.yaml +++ b/hieradata/roles/apps/media/radarr.yaml @@ -1,7 +1,7 @@ --- hiera_include: - radarr - - profiles::nginx::simpleproxy + - profiles::nginx::ldapauth # manage radarr radarr::params::user: radarr @@ -28,9 +28,13 @@ profiles::nginx::simpleproxy::nginx_aliases: profiles::nginx::simpleproxy::proxy_port: 8000 profiles::nginx::simpleproxy::proxy_host: 127.0.0.1 profiles::nginx::simpleproxy::proxy_path: '/' +profiles::nginx::simpleproxy::use_default_location: false +nginx::client_max_body_size: 20M + +ldap_binddn: 'cn=svc_radarr,ou=services,ou=users,dc=main,dc=unkin,dc=net' +ldap_template: '(memberOf=ou=radarr_access,ou=groups,dc=main,dc=unkin,dc=net)' # configure consul service -nginx::client_max_body_size: 10M consul::services: radarr: service_name: 'radarr' @@ -42,7 +46,7 @@ consul::services: checks: - id: 'radarr_http_check' name: 'radarr HTTP Check' - http: "https://%{facts.networking.fqdn}:443" + http: "https://%{facts.networking.fqdn}:443/consul/health" method: 'GET' tls_skip_verify: true interval: '10s' diff --git a/hieradata/roles/apps/media/readarr.eyaml b/hieradata/roles/apps/media/readarr.eyaml index e63bd85..d0b1c68 100644 --- a/hieradata/roles/apps/media/readarr.eyaml +++ b/hieradata/roles/apps/media/readarr.eyaml @@ -1,2 +1,3 @@ --- readarr::api_key: ENC[PKCS7,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] +ldap_bindpass: ENC[PKCS7,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] diff --git a/hieradata/roles/apps/media/readarr.yaml b/hieradata/roles/apps/media/readarr.yaml index d7785c8..060f509 100644 --- a/hieradata/roles/apps/media/readarr.yaml +++ b/hieradata/roles/apps/media/readarr.yaml 
@@ -1,7 +1,7 @@ --- hiera_include: - readarr - - profiles::nginx::simpleproxy + - profiles::nginx::ldapauth # manage readarr readarr::params::user: readarr @@ -27,9 +27,13 @@ profiles::nginx::simpleproxy::nginx_aliases: profiles::nginx::simpleproxy::proxy_port: 8000 profiles::nginx::simpleproxy::proxy_host: 127.0.0.1 profiles::nginx::simpleproxy::proxy_path: '/' +profiles::nginx::simpleproxy::use_default_location: false +nginx::client_max_body_size: 20M + +ldap_binddn: 'cn=svc_readarr,ou=services,ou=users,dc=main,dc=unkin,dc=net' +ldap_template: '(memberOf=ou=readarr_access,ou=groups,dc=main,dc=unkin,dc=net)' # configure consul service -nginx::client_max_body_size: 10M consul::services: readarr: service_name: 'readarr' @@ -41,7 +45,7 @@ consul::services: checks: - id: 'readarr_http_check' name: 'Readarr HTTP Check' - http: "https://%{facts.networking.fqdn}:443" + http: "https://%{facts.networking.fqdn}:443/consul/health" method: 'GET' tls_skip_verify: true interval: '10s' diff --git a/hieradata/roles/apps/media/sonarr.yaml b/hieradata/roles/apps/media/sonarr.yaml index 3bca555..9724726 100644 --- a/hieradata/roles/apps/media/sonarr.yaml +++ b/hieradata/roles/apps/media/sonarr.yaml @@ -1,7 +1,6 @@ --- hiera_include: - sonarr - - profiles::nginx::simpleproxy - profiles::nginx::ldapauth # manage sonarr 
@@ -31,84 +30,9 @@ profiles::nginx::simpleproxy::proxy_path: '/' profiles::nginx::simpleproxy::use_default_location: false nginx::client_max_body_size: 20M -ldap_host: 'ldap.service.consul' -ldap_basedn: 'dc=main,dc=unkin,dc=net' ldap_binddn: 'cn=svc_sonarr,ou=services,ou=users,dc=main,dc=unkin,dc=net' ldap_template: '(memberOf=ou=sonarr_access,ou=groups,dc=main,dc=unkin,dc=net)' -profiles::nginx::simpleproxy::locations: - # authentication proxy - authproxy: - ensure: 'present' - server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}" - ssl_only: true - internal: true - location: '= /auth-proxy' - proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:8888" - proxy_set_header: - - 'Content-Length ""' - - "X-Ldap-URL ldap://%{lookup('ldap_host')}" - - 'X-Ldap-Starttls "false"' - - "X-Ldap-BaseDN %{lookup('ldap_basedn')}" - - "X-Ldap-BindDN %{lookup('ldap_binddn')}" - - "X-Ldap-BindPass %{lookup('ldap_bindpass')}" - - 'X-CookieName "nginxauth"' - - 'Cookie nginxauth=$cookie_nginxauth' - - "X-Ldap-Template %{lookup('ldap_template')}" - - 'X-Ldap-Realm "Restricted"' - proxy_cache: 'cache' - proxy_cache_valid: '200 10m' - proxy_cache_key: '"$http_authorization$cookie_nginxauth"' - location_cfg_append: - proxy_pass_request_body: 'off' - # sonarr health checks by consul - sonarr_web_consul: - ensure: 'present' - server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}" - ssl_only: true - location: '/consul/health' - proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}" - proxy_set_header: - - 'Host $host' - - 'X-Forwarded-For $proxy_add_x_forwarded_for' - - 'X-Forwarded-Host $host' - - 'X-Forwarded-Proto $scheme' - - 'Upgrade $http_upgrade' - - 'Connection $http_connection' - proxy_redirect: 'off' - proxy_http_version: '1.1' - location_allow: - - 127.0.0.1 - - "%{facts.networking.ip}" - location_deny: - - all - # authorised sonarr access from external - sonarr_web_external: 
- ensure: 'present' - server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}" - ssl_only: true - location: '/' - auth_request: '/auth-proxy' - proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}" - proxy_set_header: - - 'Host $host' - - 'X-Forwarded-For $proxy_add_x_forwarded_for' - - 'X-Forwarded-Host $host' - - 'X-Forwarded-Proto $scheme' - - 'Upgrade $http_upgrade' - - 'Connection $http_connection' - proxy_redirect: 'off' - proxy_http_version: '1.1' - # location for sonarr api, which should be accessible without authentication - sonarr_api: - ensure: 'present' - server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}" - ssl_only: true - location: '~ /api' - proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}" - location_cfg_append: - client_max_body_size: '10m' - # configure consul service consul::services: sonarr: