jalr/nixos-configuration
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
nixos-configuration/hosts/iron/services/navidrome.nix
Jakob Lechner 8cec9745da Add sops defaults
2025-09-01 16:06:04 +02:00

51 lines
1.8 KiB
Nix
Raw Blame History

{ config, lib, pkgs, ... }:
let
inherit (config.networking) ports;
settings = {
# https://www.navidrome.org/docs/usage/configuration-options/#available-options
Address = "127.0.0.1";
Port = ports.navidrome.tcp;
DevActivityPanel = false;
MusicFolder = "/var/lib/navidrome/music";
};
passwordEncryptionKeyFile = config.sops.secrets.navidrome-password-encryption-key.path;
configFile = (pkgs.formats.json { }).generate "navidrome.json" settings;
script = ''
credentials_dir="''$1"
shift
password_encryption_key_file="''$credentials_dir/PasswordEncryptionKey"
if [ -e "''$password_encryption_key_file" ]; then
export ND_PASSWORDENCRYPTIONKEY="$(cat "''$password_encryption_key_file")"
fi
exec ${config.services.navidrome.package}/bin/navidrome --configfile ${configFile}
'';
in
{
services.navidrome.enable = true;
systemd.services.navidrome = {
serviceConfig = {
ExecStart = lib.mkForce "${pkgs.writeShellScript "navidrome-start" script} %d";
} // lib.attrsets.optionalAttrs (passwordEncryptionKeyFile != null) {
LoadCredential = "PasswordEncryptionKey:${passwordEncryptionKeyFile}";
};
};
services.nginx.virtualHosts."navidrome.jalr.de" = {
enableACME = true;
forceSSL = true;
kTLS = true;
extraConfig = ''
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
location / {
proxy_pass http://127.0.0.1:${toString ports.navidrome.tcp};
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_buffering off;
}
'';
};
}
Reference in a new issue View git blame Copy permalink