diff --git a/hosts/cloud/proxy/default.nix b/hosts/cloud/proxy/default.nix
index 9994da4..c19e2dc 100644
--- a/hosts/cloud/proxy/default.nix
+++ b/hosts/cloud/proxy/default.nix
@@ -60,5 +60,37 @@ in
     '';
 
     virtualHosts."news.oxapentane.com".extraConfig = "reverse_proxy http://10.89.88.14:8080";
+
+        virtualHosts."music.oxapentane.com".extraConfig = ''
+      route {
+          reverse_proxy /outpost.goauthentik.io/* 10.89.88.11:9000 [fd31:185d:722f::11]:9000
+
+          @protected not path /share/* /rest/*
+          forward_auth @protected 10.89.88.11:9000 {
+              uri /outpost.goauthentik.io/auth/caddy
+              copy_headers X-Authentik-Username>Remote-User
+              trusted_proxies 10.89.88.11 fd31:185d:722f::11
+          }
+
+
+          @subsonic path /rest/*
+          forward_auth @subsonic 10.89.88.11:9000 {
+              uri /outpost.goauthentik.io/auth/caddy
+              copy_headers X-Authentik-Username>Remote-User
+              @error status 1xx 3xx 4xx 5xx
+              handle_response @error {
+                  respond <<SUBSONICERR
+                  <subsonic-response xmlns="http://subsonic.org/restapi" status="failed" version="1.16.1" type="proxy-auth" serverVersion="n/a" openSubsonic="true">
+                    <error code="40" message="Invalid credentials or unsupported client"></error>
+                  </subsonic-response>
+                  SUBSONICERR 200
+              }
+              trusted_proxies 10.89.88.11 fd31:185d:722f::11
+          }
+      }
+      reverse_proxy 10.89.88.17:4533 [fd31:185d:722f::17]:3533
+
+    '';
+
   };
 }