nixos/navidrome: configure secrets before running navidrome

2024-11-22 07:53:55 -05:00 · 2024-07-05 13:01:09 -04:00 · 2024-07-05 13:01:09 -04:00 · 4e150dd5c2
parent db40755c05
commit 4e150dd5c2
1 changed files with 45 additions and 20 deletions
--- a/nixosModules/services/navidrome/default.nix
+++ b/nixosModules/services/navidrome/default.nix
@ -5,12 +5,33 @@
  ...
 }: {
  config = lib.mkIf config.ar.services.navidrome.enable {
-    age.secrets.lastFMApiKey.file = ../../../secrets/lastFM/apiKey.age;
-    age.secrets.lastFMSecret.file = ../../../secrets/lastFM/secret.age;
-    age.secrets.spotifyClientId.file = ../../../secrets/spotify/clientId.age;
-    age.secrets.spotifyClientSecret.file = ../../../secrets/spotify/clientSecret.age;
+    age.secrets = let
+      owner = "navidrome";
+    in {
+      lastFMApiKey = {
+        inherit owner;
+        file = ../../../secrets/lastFM/apiKey.age;
+      };

-    system.activationScripts."navidrome-secrets" = let
+      lastFMSecret = {
+        inherit owner;
+        file = ../../../secrets/lastFM/secret.age;
+      };
+
+      spotifyClientId = {
+        inherit owner;
+        file = ../../../secrets/spotify/clientId.age;
+      };
+
+      spotifyClientSecret = {
+        inherit owner;
+        file = ../../../secrets/spotify/clientSecret.age;
+      };
+    };
+
+    services.navidrome.enable = true;
+
+    systemd.services.navidrome.serviceConfig = let
      navidromeConfig = builtins.toFile "navidrome.json" (lib.generators.toJSON {} {
        Address = "0.0.0.0";
        DefaultTheme = "Auto";
@ -25,26 +46,30 @@
        "LastFM.Secret" = "@lastFMSecret@";
        "LastFM.Language" = "en";
      });
-    in ''
-      lastFMApiKey=$(cat "${config.age.secrets.lastFMApiKey.path}")
-      lastFMSecret=$(cat "${config.age.secrets.lastFMSecret.path}")
-      spotifyClientId=$(cat "${config.age.secrets.spotifyClientId.path}")
-      spotifyClientSecret=$(cat "${config.age.secrets.spotifyClientSecret.path}")
-      ${pkgs.gnused}/bin/sed -e "s/@lastFMApiKey@/$lastFMApiKey/" -e "s/@lastFMSecret@/$lastFMSecret/" \
-        -e "s/@spotifyClientId@/$spotifyClientId/" -e "s/@spotifyClientSecret@/$spotifyClientSecret/" \
-        ${navidromeConfig} > /var/lib/navidrome/navidrome.json
-    '';

-    systemd.services.navidrome.serviceConfig = {
-      BindReadOnlyPaths = "${config.ar.services.navidrome.musicDirectory}";
+      navidrome-secrets = pkgs.writeShellScript "navidrome-secrets" ''
+        lastFMApiKey=$(cat "${config.age.secrets.lastFMApiKey.path}")
+        lastFMSecret=$(cat "${config.age.secrets.lastFMSecret.path}")
+        spotifyClientId=$(cat "${config.age.secrets.spotifyClientId.path}")
+        spotifyClientSecret=$(cat "${config.age.secrets.spotifyClientSecret.path}")
+        ${pkgs.gnused}/bin/sed -e "s/@lastFMApiKey@/$lastFMApiKey/" -e "s/@lastFMSecret@/$lastFMSecret/" \
+          -e "s/@spotifyClientId@/$spotifyClientId/" -e "s/@spotifyClientSecret@/$spotifyClientSecret/" \
+          ${navidromeConfig} > /var/lib/navidrome/navidrome.json
+      '';
+    in {
+      BindReadOnlyPaths = [
+        config.age.secrets.lastFMApiKey.path
+        config.age.secrets.lastFMSecret.path
+        config.age.secrets.spotifyClientId.path
+        config.age.secrets.spotifyClientSecret.path
+        config.ar.services.navidrome.musicDirectory
+      ];
+
+      ExecStartPre = navidrome-secrets;
      ExecStart = lib.mkForce ''
        ${config.services.navidrome.package}/bin/navidrome --configfile /var/lib/navidrome/navidrome.json \
          --datafolder /var/lib/navidrome/
      '';
    };
-
-    services.navidrome = {
-      enable = true;
-    };
  };
 }