nixos-configuration/hosts/iron/services/navidrome.nix
2023-11-08 23:54:36 +00:00


# Navidrome on loopback behind an nginx TLS virtual host. The password
# encryption key is handed to the service as a systemd credential.
args@{ config, lib, pkgs, utils, custom-utils, ... }:
let
  ports = import ../ports.nix args;

  # Path of the sops-managed secret; only the path string is used in this file,
  # never the key material itself.
  encryptionKeyPath = config.sops.secrets.navidrome-password-encryption-key.path;

  # https://www.navidrome.org/docs/usage/configuration-options/#available-options
  # Rendered to a JSON file in the Nix store, which is world-readable: keep
  # secrets out of this attrset.
  navidromeSettings = {
    # Loopback only, so the nginx virtual host below is the sole network entry point.
    Address = "127.0.0.1";
    Port = ports.navidrome.tcp;
    DevActivityPanel = false;
  };
  jsonFormat = pkgs.formats.json { };
  settingsJson = jsonFormat.generate "navidrome.json" navidromeSettings;

  # Wrapper run as ExecStart. $1 is the credentials directory (systemd expands
  # the %d appended to ExecStart). If the credential file exists, its content is
  # exported as ND_PASSWORDENCRYPTIONKEY before exec, so the key ends up in the
  # environment of the navidrome process; anything able to read that process's
  # environment can read the key.
  startScript = ''
    credentials_dir="''$1"
    shift
    password_encryption_key_file="''$credentials_dir/PasswordEncryptionKey"
    if [ -e "''$password_encryption_key_file" ]; then
    export ND_PASSWORDENCRYPTIONKEY="$(cat "''$password_encryption_key_file")"
    fi
    exec ${pkgs.navidrome}/bin/navidrome --configfile ${settingsJson}
  '';
in
{
  services.navidrome.enable = true;

  sops.secrets.navidrome-password-encryption-key.sopsFile = ../secrets.yaml;

  # mkForce overrides the ExecStart defined elsewhere for this unit, so the
  # process is started with settingsJson from this file.
  # NOTE(review): encryptionKeyPath comes from a sops secret's .path and is
  # presumably never null, which would make this guard always true - confirm.
  systemd.services.navidrome.serviceConfig =
    {
      ExecStart = lib.mkForce "${utils.systemdUtils.lib.makeJobScript "navidrome-start" startScript} %d";
    }
    // lib.optionalAttrs (encryptionKeyPath != null) {
      # Only the secret's path is interpolated here; systemd exposes the file
      # to the unit under the credentials directory as PasswordEncryptionKey.
      LoadCredential = "PasswordEncryptionKey:${encryptionKeyPath}";
    };

  # TLS terminates at nginx; the proxied hop to Navidrome is plain HTTP on loopback.
  # - The HSTS header is sent by this host name only, so includeSubDomains covers
  #   names below navidrome.jalr.de, not the parent domain.
  # - $proxy_add_x_forwarded_for appends the peer address to whatever
  #   X-Forwarded-For the client sent; only X-Real-IP (set from $remote_addr)
  #   is free of client-supplied values.
  services.nginx.virtualHosts."navidrome.jalr.de" = {
    enableACME = true;
    forceSSL = true;
    kTLS = true;
    extraConfig = ''
      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
      location / {
      proxy_pass http://127.0.0.1:${toString ports.navidrome.tcp};
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Forwarded-Protocol $scheme;
      proxy_set_header X-Forwarded-Host $http_host;
      proxy_buffering off;
      }
    '';
  };
}