diff --git a/services/navidrome.nix b/services/navidrome.nix
index 9db322a..f71f0ce 100644
--- a/services/navidrome.nix
+++ b/services/navidrome.nix
@@ -46,11 +46,6 @@ in {
     source_directories = map (d: "${stateDirectory}/${d}") [ "data" ];
   };
 
-  # Modified from
-  # - <https://www.navidrome.org/docs/getting-started/extauth-quickstart/#example-caddy-with-authentik>
-  # - <https://www.navidrome.org/docs/usage/integration/authentication/#caddy-with-forward_auth>
-  # Modifications are exclusively changes from Docker hostnames to 127.0.0.1 and
-  # port numbers
   services.caddy.virtualHosts."music.millironx.com".extraConfig = ''
     # Authentik output endpoint
     reverse_proxy /outpost.goauthentik.io/* http://127.0.0.1:${authentikPort}
@@ -62,31 +57,8 @@ in {
        copy_headers X-Authentik-Username>Remote-User
     }
 
-    # Authentik uses the Authorization header if present, so should be able to
-    # authenticate subsonic clients that support BasicAuth. Requests from the
-    # Navidrome Web App will be authenticated via the existing session cookie.
-    # If you want to have Navidrome authenticate subsonic requests, remove this
-    # forward_auth block.
-    @subsonic path /rest/*
-    forward_auth @subsonic http://127.0.0.1:${authentikPort} {
-      uri /outpost.goauthentik.io/auth/caddy
-      copy_headers X-Authentik-Username>Remote-User
-
-      # Some clients that claim to support basicauth still expect a subsonic
-      # response in case of authentication failure instead of a proper basicauth
-      # response.
-      @error status 1xx 3xx 4xx 5xx
-      handle_response @error {
-        respond <<SUBSONICERR
-          <subsonic-response xmlns="http://subsonic.org/restapi" status="failed" version="1.16.1" type="proxy-auth" serverVersion="n/a" openSubsonic="true">
-            <error code="40" message="Invalid credentials or unsupported client"></error>
-          </subsonic-response>
-          SUBSONICERR 200
-      }
-    }
-
     # Forward everything to Navidrome
-    reverse_proxy http://127.0.0.1:${port}
+    reverse_proxy 127.0.0.1:${port}
   '';
 
   users.users."${user}" = {
@@ -112,13 +84,12 @@ in {
           image = "docker.io/deluan/navidrome:latest";
           environments = {
             ND_BASEURL = "https://music.millironx.com";
-            # pasta appears to use the static host IP so trust that
-            ND_EXTAUTH_TRUSTEDSOURCES = "23.239.13.247/24";
+            ND_EXTAUTH_TRUSTEDSOURCES = "10.0.0.0/8";
           };
           secrets =
             map (s: "${s},type=env") [ "ND_LASTFM_APIKEY" "ND_LASTFM_SECRET" ];
           volumes = [
-            "${s3MountDirectory}:/music:ro"
+            "${s3MountDirectory}:/music:Uro"
             "${stateDirectory}/data:/data:U"
           ];
           publishPorts = [ "127.0.0.1:${port}:${port}" ];