nixos/navidrome: configure secrets before running navidrome

Aly Raffauf 2024-07-05 13:01:09 -04:00
parent db40755c05
commit 4e150dd5c2


@ -5,12 +5,33 @@
... ...
}: { }: {
config = lib.mkIf config.ar.services.navidrome.enable { config = lib.mkIf config.ar.services.navidrome.enable {
age.secrets.lastFMApiKey.file = ../../../secrets/lastFM/apiKey.age; age.secrets = let
age.secrets.lastFMSecret.file = ../../../secrets/lastFM/secret.age; owner = "navidrome";
age.secrets.spotifyClientId.file = ../../../secrets/spotify/clientId.age; in {
age.secrets.spotifyClientSecret.file = ../../../secrets/spotify/clientSecret.age; lastFMApiKey = {
inherit owner;
file = ../../../secrets/lastFM/apiKey.age;
};
system.activationScripts."navidrome-secrets" = let lastFMSecret = {
inherit owner;
file = ../../../secrets/lastFM/secret.age;
};
spotifyClientId = {
inherit owner;
file = ../../../secrets/spotify/clientId.age;
};
spotifyClientSecret = {
inherit owner;
file = ../../../secrets/spotify/clientSecret.age;
};
};
services.navidrome.enable = true;
systemd.services.navidrome.serviceConfig = let
navidromeConfig = builtins.toFile "navidrome.json" (lib.generators.toJSON {} { navidromeConfig = builtins.toFile "navidrome.json" (lib.generators.toJSON {} {
Address = "0.0.0.0"; Address = "0.0.0.0";
DefaultTheme = "Auto"; DefaultTheme = "Auto";
@ -25,7 +46,8 @@
"LastFM.Secret" = "@lastFMSecret@"; "LastFM.Secret" = "@lastFMSecret@";
"LastFM.Language" = "en"; "LastFM.Language" = "en";
}); });
in ''
navidrome-secrets = pkgs.writeShellScript "navidrome-secrets" ''
lastFMApiKey=$(cat "${config.age.secrets.lastFMApiKey.path}") lastFMApiKey=$(cat "${config.age.secrets.lastFMApiKey.path}")
lastFMSecret=$(cat "${config.age.secrets.lastFMSecret.path}") lastFMSecret=$(cat "${config.age.secrets.lastFMSecret.path}")
spotifyClientId=$(cat "${config.age.secrets.spotifyClientId.path}") spotifyClientId=$(cat "${config.age.secrets.spotifyClientId.path}")
@ -34,17 +56,20 @@
-e "s/@spotifyClientId@/$spotifyClientId/" -e "s/@spotifyClientSecret@/$spotifyClientSecret/" \ -e "s/@spotifyClientId@/$spotifyClientId/" -e "s/@spotifyClientSecret@/$spotifyClientSecret/" \
${navidromeConfig} > /var/lib/navidrome/navidrome.json ${navidromeConfig} > /var/lib/navidrome/navidrome.json
''; '';
in {
BindReadOnlyPaths = [
config.age.secrets.lastFMApiKey.path
config.age.secrets.lastFMSecret.path
config.age.secrets.spotifyClientId.path
config.age.secrets.spotifyClientSecret.path
config.ar.services.navidrome.musicDirectory
];
systemd.services.navidrome.serviceConfig = { ExecStartPre = navidrome-secrets;
BindReadOnlyPaths = "${config.ar.services.navidrome.musicDirectory}";
ExecStart = lib.mkForce '' ExecStart = lib.mkForce ''
${config.services.navidrome.package}/bin/navidrome --configfile /var/lib/navidrome/navidrome.json \ ${config.services.navidrome.package}/bin/navidrome --configfile /var/lib/navidrome/navidrome.json \
--datafolder /var/lib/navidrome/ --datafolder /var/lib/navidrome/
''; '';
}; };
services.navidrome = {
enable = true;
};
}; };
} }
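Review bot: The rendered navidrome.json that now carries the Last.fm and Spotify secrets is written with a bare `>` redirect, so its mode follows the umask of the ExecStartPre environment and may end up group- or world-readable under /var/lib/navidrome; add `umask 077` as the first line of the `navidrome-secrets` script (or write it through `install -m 0600`) so only the service user can read the rendered file. The `sed -e "s/@spotifyClientId@/$spotifyClientId/"` substitutions also interpolate the secret values unescaped, so a value containing `/`, `&` or `\` would break the expression or be rewritten; a delimiter that cannot occur in these values, e.g. `s|@spotifyClientId@|$spotifyClientId|`, narrows the problem without fully removing it. Whether the upstream navidrome unit already sets a restrictive umask, and whether `owner = "navidrome"` matches a statically created user rather than a DynamicUser, is not visible in this diff and should be confirmed against the module in use.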