diff --git a/services/navidrome.nix b/services/navidrome.nix index f71f0ce..9db322a 100644 --- a/services/navidrome.nix +++ b/services/navidrome.nix @@ -46,6 +46,11 @@ in { source_directories = map (d: "${stateDirectory}/${d}") [ "data" ]; }; + # Modified from + # - + # - + # Modifications are exclusively changes from Docker hostnames to 127.0.0.1 and + # port numbers services.caddy.virtualHosts."music.millironx.com".extraConfig = '' # Authentik output endpoint reverse_proxy /outpost.goauthentik.io/* http://127.0.0.1:${authentikPort} @@ -57,8 +62,31 @@ in { copy_headers X-Authentik-Username>Remote-User } + # Authentik uses the Authorization header if present, so should be able to + # authenticate subsonic clients that support BasicAuth. Requests from the + # Navidrome Web App will be authenticated via the existing session cookie. + # If you want to have Navidrome authenticate subsonic requests, remove this + # forward_auth block. + @subsonic path /rest/* + forward_auth @subsonic http://127.0.0.1:${authentikPort} { + uri /outpost.goauthentik.io/auth/caddy + copy_headers X-Authentik-Username>Remote-User + + # Some clients that claim to support basicauth still expect a subsonic + # response in case of authentication failure instead of a proper basicauth + # response. + @error status 1xx 3xx 4xx 5xx + handle_response @error { + respond < + + + SUBSONICERR 200 + } + } + # Forward everything to Navidrome - reverse_proxy 127.0.0.1:${port} + reverse_proxy http://127.0.0.1:${port} ''; users.users."${user}" = { 
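Review bot: Nothing in the added `/rest/*` handling removes a `Remote-User` header that the client itself sent, and Navidrome is configured (third hunk, `ND_EXTAUTH_TRUSTEDSOURCES`) to believe that header when it arrives from the proxy address. Whether `copy_headers` clears an inbound copy when Authentik returns no `X-Authentik-Username` depends on the Caddy version, so I would not rely on it. The comment's advice to remove this `forward_auth` block would, as far as these lines show, leave `/rest/*` proxied with the client's header intact. I would strip it explicitly with `request_header -Remote-User` ahead of the auth step, inside a `route` block because Caddy's default directive order runs `request_header` after `forward_auth`, and extend the comment to say the strip must stay if the block is removed. The earlier `forward_auth` block begins outside this hunk, so its matcher cannot be checked from here.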
@@ -84,12 +112,13 @@ in { image = "docker.io/deluan/navidrome:latest"; environments = { ND_BASEURL = "https://music.millironx.com"; - ND_EXTAUTH_TRUSTEDSOURCES = "10.0.0.0/8"; + # pasta appears to use the static host IP so trust that + ND_EXTAUTH_TRUSTEDSOURCES = "23.239.13.247/24"; }; secrets = map (s: "${s},type=env") [ "ND_LASTFM_APIKEY" "ND_LASTFM_SECRET" ]; volumes = [ - "${s3MountDirectory}:/music:Uro" + "${s3MountDirectory}:/music:ro" "${stateDirectory}/data:/data:U" ]; publishPorts = [ "127.0.0.1:${port}:${port}" ];
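Review bot: `ND_EXTAUTH_TRUSTEDSOURCES = "23.239.13.247/24"` trusts the whole /24 around the host address rather than the host itself, so any neighbour in that range that can reach Navidrome would have its `Remote-User` header accepted. The loopback-only `publishPorts` binding limits who can connect today, but the trust list should not depend on that; narrow it to `ND_EXTAUTH_TRUSTEDSOURCES = "23.239.13.247/32";`. The added comment says pasta only "appears" to use the host IP, so it would help to record how that was confirmed and that the value must be updated if the host's address changes. The `environments` set and the enclosing container definition start outside this hunk.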