diff --git a/nixosModules/containers/nixos/navidrome/default.nix b/nixosModules/containers/nixos/navidrome/default.nix
index 2a9487f0..cadcaa59 100644
--- a/nixosModules/containers/nixos/navidrome/default.nix
+++ b/nixosModules/containers/nixos/navidrome/default.nix
@@ -24,14 +24,43 @@ config = lib.mkIf config.alyraffauf.containers.nixos.navidrome.enable {
 # Spotify secrets aren't exactly safe, because they are world-readable in the nix store.
 # But they're reasonably disposable and hidden from the public git repo.
+ age.secrets.lastFMApiKey.file = ../../../../secrets/lastFM/apiKey.age;
+ age.secrets.lastFMSecret.file = ../../../../secrets/lastFM/secret.age;
 age.secrets.spotifyClientId.file = ../../../../secrets/spotify/clientId.age;
 age.secrets.spotifyClientSecret.file = ../../../../secrets/spotify/clientSecret.age;
- containers.navidrome = {
+ containers.navidrome = let
+ navidromeConfig = builtins.toFile "navidrome.json" ''
+ {
+ "Address": "0.0.0.0",
+ "DefaultTheme": "Auto",
+ "MusicFolder": "/Music",
+ "Port": ${toString config.alyraffauf.containers.nixos.navidrome.port},
+ "SubsonicArtistParticipations": true,
+ "UIWelcomeMessage": "Welcome to Navidrome! Registrations are closed.",
+ "Spotify.ID": "@spotifyClientId@",
+ "Spotify.Secret": "@spotifyClientSecret@",
+ "LastFM.Enabled": true,
+ "LastFM.ApiKey": "@lastFMApiKey@",
+ "LastFM.Secret": "@lastFMSecret@",
+ "LastFM.Language": "en"
+ }
+ '';
+ in {
 autoStart = true;
- bindMounts."/Music".hostPath = config.alyraffauf.containers.nixos.navidrome.musicDirectory;
+ bindMounts = {
+ "/Music".hostPath = config.alyraffauf.containers.nixos.navidrome.musicDirectory;
+ "/var/lib/navidrome/rawNavidrome.json".hostPath = navidromeConfig;
+ "${config.age.secrets.lastFMApiKey.path}".isReadOnly = true;
+ "${config.age.secrets.lastFMSecret.path}".isReadOnly = true;
+ "${config.age.secrets.spotifyClientId.path}".isReadOnly = true;
+ "${config.age.secrets.spotifyClientSecret.path}".isReadOnly = true;
+ };
 config = let
- port = config.alyraffauf.containers.nixos.navidrome.port;
+ lastFMApiKey = config.age.secrets.lastFMApiKey.path;
+ lastFMSecret = config.age.secrets.lastFMSecret.path;
+ spotifyClientId = config.age.secrets.spotifyClientId.path;
+ spotifyClientSecret = config.age.secrets.spotifyClientSecret.path;
 in {
 config,
@@ -40,17 +69,26 @@ ... }: {
 system.stateVersion = "24.05";
+ system.activationScripts."navidrome-secrets" = ''
+ lastFMApiKey=$(cat "${lastFMApiKey}")
+ lastFMSecret=$(cat "${lastFMSecret}")
+ spotifyClientId=$(cat "${spotifyClientId}")
+ spotifyClientSecret=$(cat "${spotifyClientSecret}")
+ ${pkgs.gnused}/bin/sed -e "s/@lastFMApiKey@/$lastFMApiKey/" -e "s/@lastFMSecret@/$lastFMSecret/" \
+ -e "s/@spotifyClientId@/$spotifyClientId/" -e "s/@spotifyClientSecret@/$spotifyClientSecret/" \
+ /var/lib/navidrome/rawNavidrome.json > /var/lib/navidrome/navidrome.json
+ '';
+
+ systemd.services.navidrome.serviceConfig = {
+ ExecStart = lib.mkForce ''
+ ${config.services.navidrome.package}/bin/navidrome --configfile /var/lib/navidrome/navidrome.json \
+ --datafolder /var/lib/navidrome/
+ '';
+ BindReadOnlyPaths = "/Music";
+ };
 services.navidrome = {
 enable = true;
 openFirewall = true;
- settings = {
- Address = "0.0.0.0";
- DefaultTheme = "Auto";
- MusicFolder = "/Music";
- Port = port;
- SubsonicArtistParticipations = true;
- UIWelcomeMessage = "Welcome to Navidrome! Registrations are closed.";
- };
 };
 };
 };
diff --git a/secrets/lastFM/apiKey.age b/secrets/lastFM/apiKey.age
new file mode 100644
index 00000000..5a624cf5
Binary files /dev/null and b/secrets/lastFM/apiKey.age differ
diff --git a/secrets/lastFM/secret.age b/secrets/lastFM/secret.age
new file mode 100644
index 00000000..176e23a4
--- /dev/null
+++ b/secrets/lastFM/secret.age
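Review bot: The comment kept at the top of the first hunk ("Spotify secrets aren't exactly safe, because they are world-readable in the nix store") no longer describes this code: the store now only holds the `@…@` placeholder template built by `builtins.toFile`, and the plaintext values end up in `/var/lib/navidrome/navidrome.json` inside the container instead. I would reword it to `# Spotify/Last.fm secrets are decrypted by agenix on the host and bind-mounted read-only into the container; the activation script below renders them into /var/lib/navidrome/navidrome.json, so that file (not the nix store) is where they sit in plaintext.` The `navidromeConfig` binding also deserves a line saying what it is, e.g. `# Template only; the @name@ placeholders are filled in by the container's navidrome-secrets activation script.` The `containers.navidrome = let … in { … config = let … in {` expression this hunk opens continues into the next hunk.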
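Review bot: The activation script splices each secret value straight into a sed replacement, so a value containing `/`, `&` or `\` (or a missing secret file, which `$(cat …)` turns into an empty string) silently yields a broken or blank `navidrome.json`; the helper below escapes the replacement and reports an empty or missing secret before rendering. Separately, dropping `settings` while keeping `openFirewall = true` means the firewall rule now follows the module's default `settings.Port` rather than the port interpolated into the template (if I recall the NixOS module correctly, `openFirewall` opens `settings.Port`), so either restore the `port = config.alyraffauf.containers.nixos.navidrome.port;` binding the first hunk removes and add `settings.Port = port;`, or replace `openFirewall` with `networking.firewall.allowedTCPPorts = [ port ];`. The rendered file is written with whatever umask the activation script runs under, so it is presumably readable by every user in the container; a `chmod` after the redirect granting only the service user would narrow that. The enclosing `{ config, … }: {` function begins in the previous hunk.
```nix
system.activationScripts."navidrome-secrets" = ''
  # sed treats / & \ specially in the replacement; escape them so any secret value substitutes verbatim
  esc() { printf '%s' "$1" | ${pkgs.gnused}/bin/sed -e 's/[\/&\\]/\\&/g'; }
  for f in "${lastFMApiKey}" "${lastFMSecret}" "${spotifyClientId}" "${spotifyClientSecret}"; do
    test -s "$f" || echo "navidrome-secrets: missing or empty secret $f" >&2
  done
  lastFMApiKey=$(esc "$(cat "${lastFMApiKey}")")
  lastFMSecret=$(esc "$(cat "${lastFMSecret}")")
  spotifyClientId=$(esc "$(cat "${spotifyClientId}")")
  spotifyClientSecret=$(esc "$(cat "${spotifyClientSecret}")")
  # … unchanged: sed substitution of rawNavidrome.json into navidrome.json …
'';
```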
@@ -0,0 +1,23 @@ +age-encryption.org/v1 +-> ssh-ed25519 c7E/gQ 8NGq05DvAkx/REYRnrHFwyBlviyJrdScI85xQ3qaWFA +nceRgKIZ9+JP1w7sriFudW2adJDCqk4Dmj3pvLNvgCE +-> ssh-ed25519 d4UErQ vH47+GmgCWWckZfjIbzfbkpKMmCplGIOyun8D8oIF28 +A+XmBXDe9+9ibrDOuBT/MO+/E2vmvECLqTDzRvMH+5A +-> ssh-ed25519 1mX44w ANkgb0X0YvDk6ikbQwZHefeGUH2ZjHCiPgcGMmNWDSU +58OwddbNLtALKAQEzgvibroZXR7Dyu3UB30g+lCZm0o +-> ssh-ed25519 nrny8w ltF+TS1bsUBzaX6UypyX3bnqkHp7G9a2U5mMjgKAG3k +9hGvMrpaX5L/zqqE91+N+U7DQYv0TfSOef7tpzClUOQ +-> ssh-ed25519 W5caqg TTY8YX3rzMmzGFrVk7lBWeGmop4PWz9lqSkgVBEVkEg +H/0/fXNEYPFLfBIp5eo4fEln58HYcdi6GpuY7trD6Hc +-> ssh-ed25519 xIeYNQ RAzvu54SuABfIrqzhzvI+Uf6dNyQfVfW+znzXUwsiCk +/wPqVRNBh492rw8BMl/Sr3HIcHKSx3cRGtGzsE7Wy7E +-> ssh-ed25519 g+apXg LS280whEsL2630qxpiUOGOGIW6M4che/bEzRS7/YMUc +PWkBHsJ8SlmLxthcY6LovIAz35IyLgyIMnpw76MRd4g +-> ssh-ed25519 osHDzw bzrBaq5lbfgjpQ69Uv65XXwDOYdltoDdKzr6fusu+Rs +ZnXhrj1JEicA5XP3XWMXaz7KnV00oFGLzQM18e04Pd0 +-> ssh-ed25519 GrlIbA bN8aFEAy9asUxTtVkjQUhghfK+RqNOpwaZ71kx5fYTg +Pmj5d91rQ4XDUN+IC7Bm3PW//7aJUu0dfoWWe5+dYt4 +-> ssh-ed25519 N/8bSg EDMQEcuGAxJLbDFeFRuwpC2j/ot5bchOCTpD8XrzAFc +Gzihvp6FgAruy1w9WtlXpgUyWmGSx1wALKSxO+8Uh5s +--- S7bluPkKaT1A3gRrEnvPeuVkf/N8SNzTEpk3CF/ihqU +6"u$Flfho~U~f 9ZSrۣ4Jr \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 508151e0..d8f2cab8 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -33,6 +33,8 @@ in { "hosts/rustboro/syncthing/key.age".publicKeys = users ++ systems; "spotify/clientId.age".publicKeys = users ++ systems; "spotify/clientSecret.age".publicKeys = users ++ systems; + "lastFM/apiKey.age".publicKeys = users ++ systems; + "lastFM/secret.age".publicKeys = users ++ systems; "tailscale/authKeyFile.age".publicKeys = users ++ systems; "wifi.age".publicKeys = users ++ systems; }