From 58039a656387f868f29b6baae06e82d42bb18160 Mon Sep 17 00:00:00 2001
From: Aly Raffauf
Date: Fri, 5 Jul 2024 20:58:05 -0400
Subject: [PATCH] move raffauflabsModules to separate git repo (#12)
* remove from flake + delete files
* README: add raffauflabs modules link
---
README.md | 2 +-
flake.lock | 23 +-
flake.nix | 8 +
hosts/mauville/default.nix | 288 ++++--------------
nixosModules/containers/default.nix | 8 -
.../containers/oci/audiobookshelf/default.nix | 17 --
nixosModules/containers/oci/default.nix | 14 -
.../containers/oci/freshRSS/default.nix | 23 --
.../containers/oci/jellyfin/default.nix | 22 --
.../oci/plexMediaServer/default.nix | 22 --
.../containers/oci/transmission/default.nix | 25 --
nixosModules/default.nix | 1 -
nixosModules/options.nix | 120 --------
nixosModules/services/default.nix | 1 -
nixosModules/services/navidrome/default.nix | 75 -----
15 files changed, 92 insertions(+), 557 deletions(-)
delete mode 100644 nixosModules/containers/default.nix
delete mode 100644 nixosModules/containers/oci/audiobookshelf/default.nix
delete mode 100644 nixosModules/containers/oci/default.nix
delete mode 100644 nixosModules/containers/oci/freshRSS/default.nix
delete mode 100644 nixosModules/containers/oci/jellyfin/default.nix
delete mode 100644 nixosModules/containers/oci/plexMediaServer/default.nix
delete mode 100644 nixosModules/containers/oci/transmission/default.nix
delete mode 100644 nixosModules/services/navidrome/default.nix
diff --git a/README.md b/README.md
index 5e15b95d..19d4a8f5 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,5 @@ # nixcfg -NixOS flake for all mine + my husband's hosts, including modules for Hyprland, Sway, GNOME, and a variety of Home lab services running on a mix of nix-native and OCI containers. Built with [agenix](https://github.com/ryantm/agenix) for managing secrets, [disko](https://github.com/nix-community/disko) for automatically partioning drives, and [home-manager](https://github.com/nix-community/home-manager) for managing dotfiles and home configuration. +NixOS flake for all mine + my husband's hosts, including modules for Hyprland, Sway, GNOME, and a variety of [home lab](https://github.com/alyraffauf/raffauflabs) services running on a mix of nix-native and OCI containers. Built with [agenix](https://github.com/ryantm/agenix) for managing secrets, [disko](https://github.com/nix-community/disko) for automatically partioning drives, and [home-manager](https://github.com/nix-community/home-manager) for managing dotfiles and home configuration. ## Rice ![](./_img/hyprland.png) diff --git a/flake.lock b/flake.lock index 61133701..933c93cd 100644 --- a/flake.lock +++ b/flake.lock @@ -563,6 +563,26 @@ "type": "github" } }, + "raffauflabs": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1720224769, + "narHash": "sha256-n2wxe8CDZCMRmA7PXN/+OAoqvoDu+hbqmVNKNMyDX8Q=", + "owner": "alyraffauf", + "repo": "raffauflabs", + "rev": "912f73b0d0891ac272721c60ae2da43dbf06778b", + "type": "github" + }, + "original": { + "owner": "alyraffauf", + "repo": "raffauflabs", + "type": "github" + } + }, "root": { "inputs": { "agenix": "agenix", @@ -573,7 +593,8 @@ "nixpkgs": "nixpkgs_2", "nixpkgsUnstable": "nixpkgsUnstable", "nixvim": "nixvim", - "nur": "nur" + "nur": "nur", + "raffauflabs": "raffauflabs" } }, "systems": { diff --git a/flake.nix b/flake.nix index adaf2606..f514a278 100644 --- a/flake.nix +++ b/flake.nix 
@@ -16,6 +16,12 @@ inputs.nixpkgs.follows = "nixpkgs"; }; + # Automated disk partitioning. + raffauflabs = { + url = "github:alyraffauf/raffauflabs"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + ## Motion sensor and auto-rotate for Hyprland. iio-hyprland = { url = "github:JeanSchoeller/iio-hyprland"; @@ -114,8 +120,10 @@ inputs.hyprland.nixosModules.default inputs.nixvim.nixosModules.nixvim inputs.nur.nixosModules.nur + inputs.raffauflabs.nixosModules.raffauflabs self.nixosModules.hardware self.nixosModules.nixos + { home-manager = { backupFileExtension = "backup"; diff --git a/hosts/mauville/default.nix b/hosts/mauville/default.nix index 64c7c540..f6dd9136 100644 --- a/hosts/mauville/default.nix +++ b/hosts/mauville/default.nix @@ -1,17 +1,13 @@ # Custom desktop with AMD Ryzen 5 2600, 16GB RAM, AMD Rx 6700, and 1TB SSD + 2TB HDD. { config, - input, lib, pkgs, - self, ... }: let - acmeEmail = "alyraffauf@gmail.com"; - hostName = "mauville"; + archiveDirectory = "/mnt/Archive"; domain = "raffauflabs.com"; mediaDirectory = "/mnt/Media"; - archiveDirectory = "/mnt/Archive"; in { imports = [ ./filesystems.nix @@ -21,7 +17,26 @@ in { age.secrets = { cloudflare.file = ../../secrets/cloudflare.age; - nixCache.file = ../../secrets/nixCache/privKey.age; + + lastfmId = { + owner = "navidrome"; + file = ../../secrets/lastFM/apiKey.age; + }; + + lastfmSecret = { + owner = "navidrome"; + file = ../../secrets/lastFM/secret.age; + }; + + spotifyId = { + owner = "navidrome"; + file = ../../secrets/spotify/clientId.age; + }; + + spotifySecret = { + owner = "navidrome"; + file = ../../secrets/spotify/clientSecret.age; + }; }; boot.loader = { 
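Review bot: The comment on the new `raffauflabs` input in flake.nix, `# Automated disk partitioning.`, looks copied from the disko input and does not describe what this input provides. Since this input now supplies the host's network-facing service and container modules, the comment should say so, e.g. `## Home lab service and container modules (raffauflabs).`, matching the `##` style used on the iio-hyprland input just below. The input URL names no branch or revision, so the `rev` and `narHash` recorded in flake.lock are what actually pin the code; lock bumps for this input deserve the same review the in-tree modules used to get.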
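Review bot: In hosts/mauville/default.nix the four new `age.secrets` entries are declared unconditionally with `owner = "navidrome"`, whereas the module this commit deletes (nixosModules/services/navidrome/default.nix) declared them inside `lib.mkIf config.ar.services.navidrome.enable`. If navidrome is ever disabled on this host the owner account may no longer exist, so a comment tying the two together would help, e.g. `# Read by raffauflabs.services.navidrome; owner must match the service user.` The names also drift from the files they point at: `lastfmId` is backed by `secrets/lastFM/apiKey.age`, and `lastfmApiKey` would be harder to misread. The enclosing host attribute set starts and ends outside this hunk.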
@@ -29,217 +44,9 @@ in { systemd-boot.enable = true; }; - system.stateVersion = "23.11"; - - networking = { - firewall = { - allowedTCPPorts = [ - 80 - 443 - config.ar.containers.oci.transmission.port - config.ar.containers.oci.transmission.bitTorrentPort - ]; - - allowedUDPPorts = [config.ar.containers.oci.transmission.bitTorrentPort]; - }; - - # My router doesn't expose settings for NAT loopback - # So we have to use this workaround. - extraHosts = '' - 127.0.0.1 git.${domain} - 127.0.0.1 music.${domain} - 127.0.0.1 news.${domain} - 127.0.0.1 nixcache.${domain} - 127.0.0.1 plex.${domain} - 127.0.0.1 podcasts.${domain} - ''; - - hostName = hostName; - }; - - security.acme = { - acceptTerms = true; - defaults.email = acmeEmail; - }; + networking.hostName = "mauville"; services = { - ddclient = { - enable = true; - domains = [ - "git.raffauflabs.com" - "music.raffauflabs.com" - "plex.raffauflabs.com" - "podcasts.raffauflabs.com" - "raffauflabs.com" - ]; - interval = "10min"; - passwordFile = config.age.secrets.cloudflare.path; - protocol = "cloudflare"; - ssl = true; - use = "web, web=dynamicdns.park-your-domain.com/getip, web-skip='Current IP Address: '"; - username = "token"; - zone = "raffauflabs.com"; - }; - - fail2ban.enable = true; - - forgejo = { - enable = true; - lfs.enable = true; - - settings = { - actions = { - ENABLED = true; - DEFAULT_ACTIONS_URL = "https://github.com"; - }; - - cron = { - ENABLED = true; - RUN_AT_START = false; - }; - - DEFAULT.APP_NAME = "Git @ RaffaufLabs.com"; - - repository = { - DEFAULT_BRANCH = "master"; - ENABLE_PUSH_CREATE_ORG = true; - ENABLE_PUSH_CREATE_USER = true; - PREFERRED_LICENSES = "GPL-3.0"; - }; - - federation.ENABLED = true; - picture.ENABLE_FEDERATED_AVATAR = true; - security.PASSWORD_CHECK_PWN = true; - - server = { - LANDING_PAGE = "explore"; - ROOT_URL = "https://git.${domain}/"; - }; - - service = { - ALLOW_ONLY_INTERNAL_REGISTRATION = true; - DISABLE_REGISTRATION = false; - ENABLE_NOTIFY_MAIL = true; - }; - - 
session.COOKIE_SECURE = true; - - ui.DEFAULT_THEME = "forgejo-auto"; - "ui.meta" = { - AUTHOR = "Git @ RaffaufLabs.com"; - DESCRIPTION = "Self-hosted git projects + toys."; - KEYWORDS = "git,forge,forgejo,aly raffauf"; - }; - }; - }; - - nginx = { - enable = true; - recommendedGzipSettings = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; - - virtualHosts = { - "git.${domain}" = { - enableACME = true; - forceSSL = true; - - locations."/" = { - proxyPass = "http://${config.services.forgejo.settings.server.HTTP_ADDR}:${toString config.services.forgejo.settings.server.HTTP_PORT}"; - - extraConfig = '' - client_max_body_size 512M; - ''; - }; - }; - - "music.${domain}" = { - enableACME = true; - forceSSL = true; - - locations."/" = { - proxyPass = "http://127.0.0.1:${toString config.ar.services.navidrome.port}"; - proxyWebsockets = true; - - extraConfig = '' - proxy_buffering off; - ''; - }; - }; - - "news.${domain}" = { - enableACME = true; - forceSSL = true; - - locations."/" = { - proxyPass = "http://127.0.0.1:${toString config.ar.containers.oci.freshRSS.port}"; - proxyWebsockets = true; # needed if you need to use WebSocket - - extraConfig = '' - proxy_buffering off; - proxy_redirect off; - # Forward the Authorization header for the Google Reader API. 
- proxy_pass_header Authorization; - proxy_set_header Authorization $http_authorization; - ''; - }; - }; - - "nixcache.${domain}" = { - enableACME = true; - forceSSL = true; - - locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${ - toString config.services.nix-serve.port - }"; - }; - - "plex.${domain}" = { - enableACME = true; - forceSSL = true; - - locations."/" = { - proxyPass = "http://127.0.0.1:${toString config.ar.containers.oci.plexMediaServer.port}"; - proxyWebsockets = true; - - extraConfig = '' - proxy_buffering off; - ''; - }; - }; - - "podcasts.${domain}" = { - enableACME = true; - forceSSL = true; - - locations."/" = { - proxyPass = "http://127.0.0.1:${toString config.ar.containers.oci.audiobookshelf.port}"; - - extraConfig = '' - client_max_body_size 500M; - proxy_buffering off; - proxy_redirect http:// https://; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Connection "upgrade"; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - ''; - }; - }; - }; - }; - - nix-serve = { - enable = true; - secretKeyFile = config.age.secrets.nixCache.path; - }; - - ollama = { - enable = true; - acceleration = "rocm"; - }; - samba = { enable = true; openFirewall = true; @@ -248,7 +55,7 @@ in { shares = { Media = { browseable = "yes"; - comment = "Media @ ${hostName}"; + comment = "Media @ ${config.networking.hostName}"; path = mediaDirectory; "read only" = "no"; "guest ok" = "yes"; @@ -258,7 +65,7 @@ in { Archive = { browseable = "yes"; - comment = "Archive @ ${hostName}"; + comment = "Archive @ ${config.networking.hostName}"; path = archiveDirectory; "create mask" = "0755"; "directory mask" = "0755"; @@ -274,6 +81,8 @@ in { }; }; + system.stateVersion = "23.11"; + ar = { apps = { firefox.enable = true; 
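Review bot: The large hunk in hosts/mauville/default.nix that ends here removes the host's explicit `networking.firewall` port list, `fail2ban.enable = true`, the ACME settings and the nginx `forceSSL` virtual hosts, and nothing visible in this patch shows that the external `raffauflabs` module re-establishes them. Before merging, the evaluated configuration should be compared before and after for `services.fail2ban.enable`, `networking.firewall.allowedTCPPorts`, and the forgejo `session.COOKIE_SECURE` and `security.PASSWORD_CHECK_PWN` settings. `services.nix-serve` and `services.ollama` are also dropped and are not re-enabled in the `raffauflabs` block added later in this file; the nix-serve removal looks deliberate because the `nixCache` secret goes too, but the commit message describes only a move. If dropping ollama is not intended, keep `ollama = { enable = true; acceleration = "rocm"; };` under the host's `services`.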
@@ -288,15 +97,6 @@ in { zramSwap.size = 100; }; - containers = { - oci = { - audiobookshelf.enable = true; - freshRSS.enable = true; - plexMediaServer.enable = true; - transmission.enable = true; - }; - }; - desktop = { greetd = { enable = true; @@ -330,8 +130,42 @@ in { musicPath = "${mediaDirectory}/Music"; }; - navidrome.enable = true; tailscale.enable = true; }; }; + + raffauflabs = { + inherit domain; + enable = true; + + containers = { + oci = { + audiobookshelf.enable = true; + freshRSS.enable = true; + plexMediaServer.enable = true; + transmission.enable = true; + }; + }; + + services = { + ddclient = { + enable = true; + passwordFile = config.age.secrets.cloudflare.path; + protocol = "cloudflare"; + }; + + forgejo.enable = true; + navidrome = { + enable = true; + lastfm = { + idFile = config.age.secrets.lastfmId.path; + secretFile = config.age.secrets.lastfmSecret.path; + }; + spotify = { + idFile = config.age.secrets.spotifyId.path; + secretFile = config.age.secrets.spotifySecret.path; + }; + }; + }; + }; } diff --git a/nixosModules/containers/default.nix b/nixosModules/containers/default.nix deleted file mode 100644 index c1bcfae2..00000000 --- a/nixosModules/containers/default.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ - pkgs, - lib, - config, - ... -}: { - imports = [./oci]; -} diff --git a/nixosModules/containers/oci/audiobookshelf/default.nix b/nixosModules/containers/oci/audiobookshelf/default.nix deleted file mode 100644 index b25e9d58..00000000 --- a/nixosModules/containers/oci/audiobookshelf/default.nix +++ /dev/null 
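Review bot: The new `raffauflabs.services.ddclient` block sets only `passwordFile` and `protocol`, while the host-level definition it replaces also pinned `ssl = true`, `username = "token"` and `zone`; those now depend on defaults in the external module, which this patch does not show. If the module exposes them, keeping `ssl = true;` explicit here documents that the Cloudflare token is only sent over TLS. Passing the Last.fm and Spotify credentials as `idFile`/`secretFile` paths rather than values is the right shape, and a short comment above `raffauflabs = {` listing what `enable = true` switches on (presumably the reverse proxy, certificates and firewall ports, to be confirmed against the other repository) would keep the host's exposure readable from this file.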
@@ -1,17 +0,0 @@ -{ - pkgs, - lib, - config, - ... -}: { - config = lib.mkIf config.ar.containers.oci.audiobookshelf.enable { - virtualisation.oci-containers.containers = { - audiobookshelf = { - ports = ["0.0.0.0:${toString config.ar.containers.oci.audiobookshelf.port}:80"]; - image = "ghcr.io/advplyr/audiobookshelf:latest"; - environment = {TZ = "America/New_York";}; - volumes = ["abs_config:/config" "abs_metadata:/metadata" "${config.ar.containers.oci.audiobookshelf.mediaDirectory}:/Media"]; - }; - }; - }; -} diff --git a/nixosModules/containers/oci/default.nix b/nixosModules/containers/oci/default.nix deleted file mode 100644 index 4a788ff4..00000000 --- a/nixosModules/containers/oci/default.nix +++ /dev/null @@ -1,14 +0,0 @@ -{ - pkgs, - lib, - config, - ... -}: { - imports = [ - ./audiobookshelf - ./freshRSS - ./jellyfin - ./plexMediaServer - ./transmission - ]; -} diff --git a/nixosModules/containers/oci/freshRSS/default.nix b/nixosModules/containers/oci/freshRSS/default.nix deleted file mode 100644 index 5e9173fb..00000000 --- a/nixosModules/containers/oci/freshRSS/default.nix +++ /dev/null @@ -1,23 +0,0 @@ -{ - pkgs, - lib, - config, - ... -}: { - config = lib.mkIf config.ar.containers.oci.freshRSS.enable { - virtualisation.oci-containers.containers = { - freshrss = { - ports = ["0.0.0.0:${toString config.ar.containers.oci.freshRSS.port}:80"]; - image = "freshrss/freshrss:latest"; - environment = { - TZ = "America/New_York"; - CRON_MIN = "1,31"; - }; - volumes = [ - "freshrss_data:/var/www/FreshRSS/data" - "freshrss_extensions:/var/www/FreshRSS/extensions" - ]; - }; - }; - }; -} diff --git a/nixosModules/containers/oci/jellyfin/default.nix b/nixosModules/containers/oci/jellyfin/default.nix deleted file mode 100644 index 539b995b..00000000 --- a/nixosModules/containers/oci/jellyfin/default.nix +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - pkgs, - lib, - config, - ... -}: { - config = lib.mkIf config.ar.containers.oci.jellyfin.enable { - virtualisation.oci-containers.containers = { - jellyfin = { - ports = ["0.0.0.0:${toString config.ar.containers.oci.jellyfin.port}:8096"]; - image = "jellyfin/jellyfin"; - environment = {TZ = "America/New_York";}; - volumes = [ - "jellyfin_config:/config" - "jellyfin_cache:/cache" - "${config.ar.containers.oci.jellyfin.mediaDirectory}:/Media" - "${config.ar.containers.oci.jellyfin.archiveDirectory}:/Archive" - ]; - }; - }; - }; -} diff --git a/nixosModules/containers/oci/plexMediaServer/default.nix b/nixosModules/containers/oci/plexMediaServer/default.nix deleted file mode 100644 index ff348bed..00000000 --- a/nixosModules/containers/oci/plexMediaServer/default.nix +++ /dev/null @@ -1,22 +0,0 @@ -{ - config, - lib, - pkgs, - ... -}: { - config = lib.mkIf config.ar.containers.oci.plexMediaServer.enable { - virtualisation.oci-containers.containers = { - plexMediaServer = { - ports = ["0.0.0.0:${toString config.ar.containers.oci.plexMediaServer.port}:32400"]; - image = "plexinc/pms-docker:public"; - environment = {TZ = "America/New_York";}; - volumes = [ - "plex_config:/config" - "plex_transcode:/transcode" - "${config.ar.containers.oci.plexMediaServer.mediaDirectory}:/Media" - "${config.ar.containers.oci.plexMediaServer.archiveDirectory}:/Archive" - ]; - }; - }; - }; -} diff --git a/nixosModules/containers/oci/transmission/default.nix b/nixosModules/containers/oci/transmission/default.nix deleted file mode 100644 index 35d95a94..00000000 --- a/nixosModules/containers/oci/transmission/default.nix +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - pkgs, - lib, - config, - ... -}: { - config = lib.mkIf config.ar.containers.oci.transmission.enable { - virtualisation.oci-containers.containers = { - transmission = { - ports = ["0.0.0.0:${toString config.ar.containers.oci.transmission.port}:9091" "0.0.0.0:${toString config.ar.containers.oci.transmission.bitTorrentPort}:51413"]; - image = "linuxserver/transmission:latest"; - environment = { - PGID = "1000"; - PUID = "1000"; - TZ = "America/New_York"; - }; - volumes = [ - "transmission_config:/config" - "${config.ar.containers.oci.transmission.mediaDirectory}:/Media" - "${config.ar.containers.oci.transmission.archiveDirectory}:/Archive" - ]; - }; - }; - }; -} diff --git a/nixosModules/default.nix b/nixosModules/default.nix index 08761b7e..c9081ed1 100644 --- a/nixosModules/default.nix +++ b/nixosModules/default.nix @@ -7,7 +7,6 @@ inputs: { imports = [ ./apps ./base - ./containers ./desktop ./options.nix ./services diff --git a/nixosModules/options.nix b/nixosModules/options.nix index fad7a3e4..02a00ce5 100644 --- a/nixosModules/options.nix +++ b/nixosModules/options.nix @@ -1,9 +1,7 @@ { config, - inputs, lib, pkgs, - self, ... }: { options.ar = { 
@@ -15,108 +13,6 @@ virt-manager.enable = lib.mkEnableOption "Virtual machine client."; }; - containers = { - oci = { - audiobookshelf = { - enable = lib.mkEnableOption "audiobookshelf server in OCI container."; - - mediaDirectory = lib.mkOption { - description = "Media directory for audiobookshelf."; - default = "/mnt/Media"; - type = lib.types.str; - }; - - port = lib.mkOption { - description = "Port for audiobookshelf."; - default = 13378; - type = lib.types.int; - }; - }; - - freshRSS = { - enable = lib.mkEnableOption "FreshRSS news client in OCI container."; - - port = lib.mkOption { - description = "Port for FreshRSS."; - default = 8080; - type = lib.types.int; - }; - }; - - jellyfin = { - enable = lib.mkEnableOption "Jellyfin media server in OCI container."; - - archiveDirectory = lib.mkOption { - description = "Archive directory for Jellyfin."; - default = "/mnt/Archive"; - type = lib.types.str; - }; - - mediaDirectory = lib.mkOption { - description = "Media directory for Jellyfin."; - default = "/mnt/Media"; - type = lib.types.str; - }; - - port = lib.mkOption { - description = "Port for Jellyfin."; - default = 8096; - type = lib.types.int; - }; - }; - - plexMediaServer = { - enable = lib.mkEnableOption "Plex Media Server in OCI container."; - - archiveDirectory = lib.mkOption { - description = "Archive directory for Plex Media Server."; - default = "/mnt/Archive"; - type = lib.types.str; - }; - - mediaDirectory = lib.mkOption { - description = "Media directory for Plex Media Server."; - default = "/mnt/Media"; - type = lib.types.str; - }; - - port = lib.mkOption { - description = "Port for Plex Media Server."; - default = 32400; - type = lib.types.int; - }; - }; - - transmission = { - enable = lib.mkEnableOption "Transmission client in OCI container."; - - archiveDirectory = lib.mkOption { - description = "Archive directory for Transmission."; - default = "/mnt/Archive"; - type = lib.types.str; - }; - - bitTorrentPort = lib.mkOption { - description = 
"Port for BitTorrent p2p services."; - default = 5143; - type = lib.types.int; - }; - - mediaDirectory = lib.mkOption { - description = "Media directory for Transmission."; - default = "/mnt/Media"; - type = lib.types.str; - }; - - port = lib.mkOption { - description = "Port for Transmission."; - default = 9091; - type = lib.types.int; - }; - }; - }; - }; - desktop = { cinnamon.enable = lib.mkEnableOption "Cinnamon desktop session."; @@ -155,22 +51,6 @@ services = { flatpak.enable = lib.mkEnableOption "Flatpak support with GUI."; - navidrome = { - enable = lib.mkEnableOption "Navidrome music server with secrets."; - - musicDirectory = lib.mkOption { - description = "Music directory for Navidrome."; - default = "/mnt/Media/Music"; - type = lib.types.str; - }; - - port = lib.mkOption { - description = "Port for Navidrome."; - default = 4533; - type = lib.types.int; - }; - }; - syncthing = { enable = lib.mkEnableOption "Syncthing sync service."; diff --git a/nixosModules/services/default.nix b/nixosModules/services/default.nix index 6ed8e895..3fb69937 100644 --- a/nixosModules/services/default.nix +++ b/nixosModules/services/default.nix @@ -6,7 +6,6 @@ }: { imports = [ ./flatpak - ./navidrome ./syncthing ./tailscale ]; diff --git a/nixosModules/services/navidrome/default.nix b/nixosModules/services/navidrome/default.nix deleted file mode 100644 index e960dcc6..00000000 --- a/nixosModules/services/navidrome/default.nix +++ /dev/null 
@@ -1,75 +0,0 @@ -{ - config, - lib, - pkgs, - ... -}: { - config = lib.mkIf config.ar.services.navidrome.enable { - age.secrets = let - owner = "navidrome"; - in { - lastFMApiKey = { - inherit owner; - file = ../../../secrets/lastFM/apiKey.age; - }; - - lastFMSecret = { - inherit owner; - file = ../../../secrets/lastFM/secret.age; - }; - - spotifyClientId = { - inherit owner; - file = ../../../secrets/spotify/clientId.age; - }; - - spotifyClientSecret = { - inherit owner; - file = ../../../secrets/spotify/clientSecret.age; - }; - }; - - services.navidrome.enable = true; - - systemd.services.navidrome.serviceConfig = let - navidromeConfig = builtins.toFile "navidrome.json" (lib.generators.toJSON {} { - Address = "0.0.0.0"; - DefaultTheme = "Auto"; - MusicFolder = config.ar.services.navidrome.musicDirectory; - Port = config.ar.services.navidrome.port; - SubsonicArtistParticipations = true; - UIWelcomeMessage = "Welcome to Navidrome @ RaffaufLabs.com"; - "Spotify.ID" = "@spotifyClientId@"; - "Spotify.Secret" = "@spotifyClientSecret@"; - "LastFM.Enabled" = true; - "LastFM.ApiKey" = "@lastFMApiKey@"; - "LastFM.Secret" = "@lastFMSecret@"; - "LastFM.Language" = "en"; - }); - - navidrome-secrets = pkgs.writeShellScript "navidrome-secrets" '' - lastFMApiKey=$(cat "${config.age.secrets.lastFMApiKey.path}") - lastFMSecret=$(cat "${config.age.secrets.lastFMSecret.path}") - spotifyClientId=$(cat "${config.age.secrets.spotifyClientId.path}") - spotifyClientSecret=$(cat "${config.age.secrets.spotifyClientSecret.path}") - ${pkgs.gnused}/bin/sed -e "s/@lastFMApiKey@/$lastFMApiKey/" -e "s/@lastFMSecret@/$lastFMSecret/" \ - -e "s/@spotifyClientId@/$spotifyClientId/" -e "s/@spotifyClientSecret@/$spotifyClientSecret/" \ - ${navidromeConfig} > /var/lib/navidrome/navidrome.json - ''; - in { - BindReadOnlyPaths = [ - config.age.secrets.lastFMApiKey.path - config.age.secrets.lastFMSecret.path - config.age.secrets.spotifyClientId.path - config.age.secrets.spotifyClientSecret.path - 
config.ar.services.navidrome.musicDirectory - ]; - - ExecStartPre = navidrome-secrets; - ExecStart = lib.mkForce '' - ${config.services.navidrome.package}/bin/navidrome --configfile /var/lib/navidrome/navidrome.json \ - --datafolder /var/lib/navidrome/ - ''; - }; - }; -}